SAS(R) 9.2 Intelligence Platform: Security Administration Guide
 |
|
| Users, Groups, and Roles |
Main Administrative Roles
| Role | Capabilities | Initial Membership | ||
|---|---|---|---|---|
![[icon]](images/role.gif) |
Metadata Server: Unrestricted | Members have all capabilities and can't be denied any permissions in the metadata environment.1 |
![[icon]](images/user.gif) |
SAS Administrator |
|
|
Metadata Server: User Administration | Members can create, update, and delete users, groups, roles (other than the unrestricted role), internal accounts, logins, and authentication domains.2 |
![[icon]](images/group.gif) |
SAS Administrators |
|
|
Metadata Server: Operation | Members can administer the metadata server (monitor, stop, pause, resume, quiesce) and its repositories (add, initialize, register, unregister, delete).3 |
|
SAS Administrators |
|
|
Management Console: Advanced | Members can see all plug-ins in SAS Management Console (in the initial configuration). |
|
SAS Administrators |
| 1
Unrestricted
users can use only those logins that are assigned to them (or to groups to
which they belong). They don't automatically have implicit capabilities that
are provided by components other than the metadata server.
2 Restricted user administrators can't update identities for which they have an explicit or ACT denial of WriteMetadata. 3 Only someone who has an external user ID that is listed in the adminUsers.txt file with a preceding asterisk can delete, unregister, add, or initialize a foundation repository. Only an unrestricted user can analyze and repair metadata or perform tasks when the metadata server is paused for administration. |
||||
Here are some details:
-
Many of the preceding tasks have permission requirements in addition to capability requirements. In a standard configuration, the SAS Administrators group has the necessary permissions.
-
To operate servers other than the metadata server, you need the Administer permission, not a particular role or capability.
-
The metadata server's roles have implicit capabilities. Implicit capabilities aren't listed on any Capabilities tab.
-
You can't deselect capabilities for the unrestricted role.
-
The metadata server's adminUsers.txt file provides many of the same privileges that it did in previous releases. However, we recommend that you use roles instead, except as specified in documentation for a particular task.
See Also
|
|
Copyright © 2009 by SAS Institute Inc., Cary, NC, USA. All rights reserved.
