| Users, Groups, and Roles |
To learn about customizing the distribution of capabilities across roles, complete this exercise in SAS Management Console.
Log on as someone who has user administration capabilities and is a member of the SAS Administrators group (for example, sasadm@saspw).
On the Plug-ins tab, select User Manager (make sure you are in the foundation repository). In the display area, clear the Show Users and Show Groups check boxes. The roles that exist in your deployment are displayed.
Right-click User Manager and select New > Role. On the General tab, enter Test Role in the Name field.
Note: Creating a new role isolates this exercise from the rest of your deployment, ensuring that your current configuration is preserved.
To learn how to directly assign capabilities, select the Capabilities tab:
Notice that a message at the top of the tab reminds you that a few capabilities (for example, those of the metadata server's roles) aren't listed on this tab (because those capabilities are implicit).
Notice that the first node (Applications) has an empty branch icon. This indicates that no explicit capabilities are assigned to this role.
Notice that there is a second-level node for each component that provides explicit capabilities. A role can provide capabilities from multiple applications.
Click + to expand the SAS Management Console node. Click + to expand the Plug-ins node. Select the Authorization Manager check box. Notice that the branch icons are now partial. This indicates that some of the capabilities are selected.
Note: To see a description of any capability, click that capability's text and look at the Description field at the bottom of the tab.
Click the partial icon for the Plug-ins folder. This action causes all of the capabilities beneath that node to be selected. Click again to cycle back to the empty branch icon (no capabilities assigned). Click a third time to revert to the immediately preceding state (only the Authorization Manager check box selected).
Click the Authorization Manager check box to clear it.
To learn how to indirectly assign capabilities, select the Contributing Roles tab:
In the Available Roles list, select Management Console: Content Management. Before you make this a contributing role, verify its capabilities.
Click Properties, select the candidate role's Capabilities tab, and expand SAS Management Console > Plug-ins.
Notice that four capabilities are selected. All check boxes are disabled because this dialog box is in read-only mode when it is accessed in this manner.
Check the role's description on the General tab to determine whether the role provides any further capabilities (implicit capabilities).
Check the role's Contributing Roles tab (just in case it has a contributing role that provides implicit capabilities).
Click Cancel to return to the Contributing Roles tab of your test role.
Move the Management Console: Content Management role to the Current Roles list. This role now contributes all of its capabilities to your new role. If capabilities of this contributing role change, the capabilities of your test role change also.
It is necessary to use contributing roles in these circumstances:
You want to extend implicit capabilities (like the capabilities of the metadata server roles) to other roles.
You want to provide dynamic aggregation of roles so that changes to one role propagate to other roles that have the first role as a contributing role.
To learn about interactions between contributed and directly assigned capabilities, select your test role's Capabilities tab again.
Under SAS Management Console > Plug-ins, notice that capabilities from the Management Console: Content Management role are now selected. A visual indicator identifies these as contributed capabilities.
Select the already-selected Authorization Manager check box. This adds a direct assignment on top of the contributed assignment, making the assignment independent from the underlying contributing role.
Click the tree icon for the Plug-ins folder three times (stop when only the Authorization Manager check box is explicitly selected).
Select the Authorization Manager check box again. It reverts back to the contributed state. You can't incrementally remove a contributed capability.
If you want to make your role independent of the Management Console: Content Management role:
Add explicit selections on top of all contributed capabilities.
Select the Contributing Roles tab. Move the Management Console: Content Management role back to the Available Roles list.
Select the Capabilities tab. Notice that you can now clear any capability.
Note: This technique (trace a contributing role and then remove it) is a good way to create a new role that is based on another role but offers fewer capabilities. Of course, anyone who has both roles has any capability that is offered by either role.
To close the dialog box (and not save the test role), click Cancel.
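The interactions walked through in this exercise can be checked with a small model. The following Python sketch is an added example, not SAS code or a SAS API: the `Role` class, its method names, and the capability names other than Authorization Manager are assumptions made for illustration.

```python
# Toy model of the role behaviour walked through above; not SAS code.
from dataclasses import dataclass, field

@dataclass
class Role:
    name: str
    explicit: set = field(default_factory=set)   # check boxes selected directly
    implicit: set = field(default_factory=set)   # not listed on the Capabilities tab
    contributing: list = field(default_factory=list)

    def _collect(self, attr, seen=None):
        """Gather one kind of capability from this role and its contributing roles."""
        seen = set() if seen is None else seen
        if id(self) in seen:                      # ignore a contribution cycle
            return set()
        seen.add(id(self))
        caps = set(getattr(self, attr))
        for role in self.contributing:
            caps |= role._collect(attr, seen)
        return caps

    def effective(self):
        return self._collect("explicit") | self._collect("implicit")

    def clear(self, cap):
        """Clear a check box; True only if the capability is really gone."""
        self.explicit.discard(cap)
        return cap not in self.effective()        # False: still contributed

    def trace_and_remove(self, role):
        """Select every listed capability the role contributes, then detach it."""
        self.explicit |= role._collect("explicit")  # implicit ones cannot be traced
        self.contributing.remove(role)

def user_capabilities(roles):
    """A user who holds several roles gets the union of their capabilities."""
    return set().union(*(r.effective() for r in roles))

# Constructed sample data: only "Authorization Manager" is named on the page;
# cap-B, cap-C and cap-D are placeholders for the other three capabilities.
content_mgmt = Role("Management Console: Content Management",
                    explicit={"Authorization Manager", "cap-B", "cap-C", "cap-D"})
test_role = Role("Test Role", contributing=[content_mgmt])
```

In this model, `clear` on a contributed capability returns False until `trace_and_remove` has been called, and `user_capabilities` shows why a trimmed copy of a role restricts nothing for a user who still holds the original role.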
Copyright © 2009 by SAS Institute Inc., Cary, NC, USA. All rights reserved.