While permissions affect access to individual
objects, roles control the availability of application features (such
as certain buttons, plug-ins, and menu items). For example, role memberships
determine who can see the Server Manager plug-in (in SAS Management
Console), compare data (in SAS Enterprise Guide), or directly open
an information map (in SAS Web Report Studio).
Here are some key points:
- In general, roles do not protect data or metadata. Roles just control which features in a particular application are available to which users.
- An application feature that is under role-based management is called a capability. Each role provides multiple capabilities. A user or group can be in multiple roles.
- Not all applications have roles. Not all application features are under role management. Each application that supports roles provides a fixed set of capabilities. You can't convert a feature that isn't a capability into a capability.
  Tip: If you add custom tasks or develop custom plug-ins, you can register those features as capabilities.
- Capabilities are additive. There are no capabilities that limit what a user can do.
- Capabilities can be categorized as follows:
  - Explicit capabilities can be incrementally added to or removed from any role (other than the unrestricted role, which always provides all explicit capabilities). Most roles have explicit capabilities.
  - Implicit capabilities are permanently bound to a certain role. The metadata server's roles provide implicit capabilities. For example, the user administration role provides the capability to add users, but there is no explicit Create Users capability.
  - Contributed capabilities are implicit or explicit capabilities that are assigned through role aggregation. If you designate one role as a contributing role for another role, all of the first role's capabilities become contributed capabilities for the second role.
- You can't assign permissions to a role. You can't assign capabilities to a group.
- A user can't temporarily assume or relinquish a role. All of a user's roles are active at all times.
  Tip: You can give an administrator two user definitions. This enables the administrator to function as a regular user some of the time.
- For details about a particular application's capabilities and roles, see the administrative documentation for that application.
For more information, see Roles.
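The following added example (not SAS code and not part of the original documentation) models the rules above as a small audit helper: it resolves which capabilities a user effectively holds and whether each arrives as explicit, implicit, or contributed. All role, group, user, and capability names are constructed, and it assumes that a contributing role passes on its own contributed capabilities too, and that a group's role memberships apply to the group's direct members.

```python
# Illustrative model only: every name below is constructed sample data.
ROLES = {
    "Report Viewing": {"explicit": {"View Report"}, "implicit": set(), "contributors": []},
    "Report Creation": {"explicit": {"Create Report"}, "implicit": set(),
                        "contributors": ["Report Viewing"]},
    "Advanced": {"explicit": {"Open Information Map"}, "implicit": set(),
                 "contributors": ["Report Creation"]},
    "User Administration": {"explicit": set(), "implicit": {"add users"}, "contributors": []},
}
ROLE_MEMBERS = {  # role -> identities (users or groups) placed in that role
    "Report Viewing": {"group:Analysts"},
    "Advanced": {"user:dana"},
    "User Administration": {"user:dana"},
}
GROUP_MEMBERS = {"group:Analysts": {"user:dana", "user:lee"}}


def role_capabilities(role, roles=ROLES, _path=frozenset()):
    """Return {capability: kind} for one role, following contributing roles."""
    if role in _path:  # a role that (indirectly) contributes to itself adds nothing new
        return {}
    caps = {}
    for contributor in roles[role]["contributors"]:
        # Everything the contributing role provides becomes "contributed" here.
        for cap in role_capabilities(contributor, roles, _path | {role}):
            caps[cap] = "contributed"
    for cap in roles[role]["implicit"]:
        caps[cap] = "implicit"
    for cap in roles[role]["explicit"]:
        caps[cap] = "explicit"
    return caps


def effective_capabilities(user):
    """Union of capabilities over all of a user's roles, with provenance.

    Capabilities are additive and all roles are always active, so the result
    is a plain union: no role can subtract what another role grants.
    """
    identities = {user} | {g for g, members in GROUP_MEMBERS.items() if user in members}
    result = {}
    for role, members in ROLE_MEMBERS.items():
        if members & identities:
            for cap, kind in role_capabilities(role).items():
                result.setdefault(cap, set()).add((role, kind))
    return result
```

Reviewing the provenance set for each capability shows which role memberships to remove when a feature should no longer be available to a user, since no role can subtract it.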