Role-Based Access to Application Features

While permissions affect access to individual objects, roles control the availability of application features (such as certain buttons, plug-ins, and menu items). For example, role memberships determine who can see the Server Manager plug-in (in SAS Management Console), compare data (in SAS Enterprise Guide), or directly open an information map (in SAS Web Report Studio).
Here are some key points:
  • In general, roles do not protect data or metadata. Roles just control which features in a particular application are available to which users.
  • An application feature that is under role-based management is called a capability. Each role provides multiple capabilities. A user or group can be in multiple roles.
  • Not all applications have roles. Not all application features are under role management. Each application that supports roles provides a fixed set of capabilities. You can't convert a feature that isn't a capability into a capability.
    Tip: If you add custom tasks or develop custom plug-ins, you can register those features as capabilities.
  • Capabilities are additive. There are no capabilities that limit what a user can do.
  • Capabilities can be categorized as follows:
    explicit capabilities: can be incrementally added to or removed from any role (other than the unrestricted role, which always provides all explicit capabilities). Most roles have explicit capabilities.
    implicit capabilities: are permanently bound to a certain role. The metadata server's roles provide implicit capabilities. For example, the user administration role provides the capability to add users, but there is no explicit Create Users capability.
    contributed capabilities: are implicit or explicit capabilities that are assigned through role aggregation. If you designate one role as a contributing role for another role, all of the first role's capabilities become contributed capabilities for the second role.
  • You can't assign permissions to a role. You can't assign capabilities to a group.
  • A user can't temporarily assume or relinquish a role. All of a user's roles are active at all times.
    Tip: You can give an administrator two user definitions. This enables the administrator to function as a regular user some of the time.
  • For details about a particular application's capabilities and roles, see the administrative documentation for that application.
For more information, see Roles.
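
The rules above (capabilities are additive, are explicit or implicit, and can be contributed through role aggregation) can be modeled to audit where an identity's capability actually comes from. The following Python example is added here for illustration and is not SAS code or a SAS API; the role and capability names are constructed, and it assumes that contributing roles are followed transitively.

```python
# Added illustration: a model of the rules above, not SAS code or a SAS API.
# Role and capability names are constructed.
from dataclasses import dataclass, field

@dataclass
class Role:
    explicit: set = field(default_factory=set)        # can be added or removed
    implicit: set = field(default_factory=set)        # permanently bound to the role
    contributing: list = field(default_factory=list)  # contributing role names
    unrestricted: bool = False                        # provides all explicit capabilities

def role_capabilities(name, roles, all_explicit, seen=None):
    """Map each capability of one role to how the role provides it.
    Assumption: contributing roles are followed transitively; cycles are skipped."""
    seen = set() if seen is None else seen
    if name in seen:
        return {}
    seen.add(name)
    role = roles[name]
    caps = {c: "implicit" for c in role.implicit}
    for c in (all_explicit if role.unrestricted else role.explicit):
        caps[c] = "explicit"
    for contributor in role.contributing:
        for c in role_capabilities(contributor, roles, all_explicit, seen):
            caps.setdefault(c, f"contributed by {contributor}")
    return caps

def effective_capabilities(member_roles, roles):
    """Union over every role an identity holds: all roles are always active
    and no capability subtracts, so each listed source must be addressed."""
    all_explicit = set().union(*(r.explicit for r in roles.values()))
    result = {}
    for name in member_roles:
        for cap, how in role_capabilities(name, roles, all_explicit).items():
            result.setdefault(cap, []).append(f"{name} ({how})")
    return result

ROLES = {  # constructed sample data
    "viewer": Role(explicit={"open_information_map"}),
    "author": Role(explicit={"compare_data"}, contributing=["viewer"]),
    "user_admin": Role(implicit={"add_users"}),
    "unrestricted": Role(unrestricted=True),
}

if __name__ == "__main__":
    for cap, sources in sorted(effective_capabilities(["author", "viewer"], ROLES).items()):
        print(f"{cap}: {', '.join(sources)}")
```

For a member of both author and viewer, open_information_map is listed with two sources, so removing it from one role does not withdraw it from that user.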