Users, Groups, and Roles

| Role | Capabilities | Initial Membership |
|---|---|---|
| Metadata Server: Unrestricted | Members have all capabilities and can't be denied any permissions in the metadata environment. [1] | SAS Administrator |
| Metadata Server: User Administration | Members can create, update, and delete users, groups, roles (other than the unrestricted role), internal accounts, logins, and authentication domains. [2] | SAS Administrators |
| Metadata Server: Operation | Members can administer the metadata server (monitor, stop, pause, resume, quiesce) and its repositories (add, initialize, register, unregister, delete). [3] | SAS Administrators |
| Management Console: Advanced | Members can see all plug-ins in SAS Management Console (in the initial configuration). | SAS Administrators |

[1] Unrestricted users can use only those logins that are assigned to them (or to groups to which they belong). They don't automatically have implicit capabilities that are provided by components other than the metadata server.

[2] Restricted user administrators can't update identities for which they have an explicit or ACT denial of WriteMetadata.

[3] Only someone who has an external user ID that is listed in the adminUsers.txt file with a preceding asterisk can delete, unregister, add, or initialize a foundation repository. Only an unrestricted user can analyze and repair metadata or perform tasks when the metadata server is paused for administration.
Here are some details:

- Many of the preceding tasks have permission requirements in addition to capability requirements. In a standard configuration, the SAS Administrators group has the necessary permissions.
- To operate servers other than the metadata server, you need the Administer permission, not a particular role or capability.
- The metadata server's roles have implicit capabilities. Implicit capabilities aren't listed on any Capabilities tab.
- You can't deselect capabilities for the unrestricted role.
- The metadata server's adminUsers.txt file provides many of the same privileges that it did in previous releases. However, we recommend that you use roles instead, except as specified in documentation for a particular task.
- The method that most applications use to retrieve credentials supports normal use of stored credentials, regardless of role memberships. However, if someone who has user administration capabilities makes a raw metadata request for logins, no usable passwords are returned.
- Do not give user administration capabilities to the identity that the object spawner uses to retrieve server launch credentials from the metadata. In a typical configuration, the spawner uses the SAS Trusted User to retrieve server launch credentials (through a raw metadata request). If the SAS Trusted User is a member of the user administration role (or the unrestricted role), the spawner will not operate properly.
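The two checks above that an administrator most often wants to verify, as an added audit example that is not SAS code: whether the SAS Trusted User holds user administration or unrestricted capabilities (including through nested group membership) and which IDs in adminUsers.txt carry the asterisk. The membership snapshot, the adminUsers.txt contents, and its one-ID-per-line layout are constructed assumptions.

```python
"""Audit of SAS metadata role memberships against the rules on this page.

Added example, not SAS code. Role and group names are the page's; the
membership snapshot, the adminUsers.txt contents and its one-ID-per-line
layout are constructed assumptions made here.
"""
from collections import deque

UNRESTRICTED = "Metadata Server: Unrestricted"
USER_ADMIN = "Metadata Server: User Administration"

# Constructed snapshot: role -> direct members (users or groups).
ROLE_MEMBERS = {
    UNRESTRICTED: {"SAS Administrator"},
    USER_ADMIN: {"SAS Administrators"},
    "Metadata Server: Operation": {"SAS Administrators"},
}
# Constructed snapshot: group -> direct members. The trusted user was
# (wrongly) added to SAS Administrators, so it inherits user administration.
GROUP_MEMBERS = {
    "SAS Administrators": {"SAS Administrator", "SAS Trusted User"},
}

# Constructed adminUsers.txt; a leading asterisk marks the IDs that may
# add, initialize, unregister, or delete a foundation repository.
ADMIN_USERS_TXT = "*sasadm\nsasoper\n"


def effective_members(role, role_members, group_members):
    """Resolve a role's membership through nested groups (breadth-first)."""
    seen, queue = set(), deque(role_members.get(role, ()))
    while queue:
        identity = queue.popleft()
        if identity in seen:
            continue
        seen.add(identity)
        queue.extend(group_members.get(identity, ()))  # expand groups
    return seen


def repository_admins(admin_users_txt):
    """IDs listed with a preceding asterisk in adminUsers.txt."""
    return [ln.strip()[1:] for ln in admin_users_txt.splitlines()
            if ln.strip().startswith("*")]


def spawner_findings(role_members, group_members, spawner="SAS Trusted User"):
    """Roles whose membership would break the spawner's credential retrieval."""
    return sorted(role for role in (USER_ADMIN, UNRESTRICTED)
                  if spawner in effective_members(role, role_members, group_members))
```

A finding from `spawner_findings` means the trusted identity must be removed from that role (or from the group that grants it) before the spawner will retrieve launch credentials correctly.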
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.