Groups are primarily used in access
controls, because it is more efficient to assign permissions to groups
than to individual users. You can also use a group to populate a role
or to make a shared credential available to multiple users. The following
figure illustrates how the users in the previous topic might participate
in a group structure:
The
preceding figure introduces three important predefined groups.
PUBLIC, SASUSERS, SAS Administrators Groups

| Group | Description |
|---|---|
| PUBLIC | Automatically includes everyone who can access the metadata server, either directly or through a trust relationship. A user who does not have an individual identity has only the PUBLIC group identity. |
| SASUSERS | Automatically includes those members of the PUBLIC group who have an individual identity. All members of the SASUSERS group are also members of the PUBLIC group. |
| SAS Administrators | A standard group for metadata administrators. In a standard configuration, membership in this group provides broad access and most administrative capabilities, but does not provide unrestricted status. |

Here are some tips for
working with group definitions:
- You can create a nested group structure
  by making one group a member of another group.
- Most groups don't have logins (stored
  credentials). A group login makes a shared external account available
  to all members of the group. Such outbound logins typically provide
  access to a third-party database server and should include both a
  user ID and a password (as well as an authentication domain).
- Permission settings on a group
  definition do not determine what that group can do. Those settings
  can affect the ability of other identities to update or delete the
  group definition itself. Special rules automatically protect user,
  group, and role definitions.
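
The membership rules above (implicit PUBLIC and SASUSERS membership, plus nesting) can be checked with a small model when auditing who ends up in a privileged group. This is an added example, not SAS code: the user names, the groups other than the three predefined ones, and the function names are constructed for illustration, and nested membership is assumed to be inherited through every level.

```python
# Added illustration: a simplified model of the membership rules described
# above, not SAS code. All user names and non-predefined groups are constructed.

IMPLICIT_ALL = "PUBLIC"            # everyone who can access the metadata server
IMPLICIT_IDENTIFIED = "SASUSERS"   # PUBLIC members with an individual identity

# Constructed sample data: member -> groups it was explicitly added to.
# A member may be a user or another group (nesting).
DIRECT_MEMBERSHIPS = {
    "alice": {"ETL Developers"},
    "bob": {"Report Users"},
    "ETL Developers": {"Data Admins"},
    "Data Admins": {"SAS Administrators"},
    "Report Users": set(),
}


def effective_groups(user, has_identity=True, direct=DIRECT_MEMBERSHIPS):
    """Return every group the user is in: directly, via nesting, or implicitly."""
    if not has_identity:
        # No individual identity: only the PUBLIC group identity applies.
        return {IMPLICIT_ALL}
    found = set()
    pending = list(direct.get(user, ()))
    while pending:
        group = pending.pop()
        if group in found:  # already visited; also stops membership cycles
            continue
        found.add(group)
        pending.extend(direct.get(group, ()))
    return found | {IMPLICIT_ALL, IMPLICIT_IDENTIFIED}


def members_via_nesting(target, users, direct=DIRECT_MEMBERSHIPS):
    """Audit helper: which users reach `target` through any chain of groups?"""
    return sorted(u for u in users if target in effective_groups(u, direct=direct))


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, sorted(effective_groups(name)))
    print("guest", sorted(effective_groups("guest", has_identity=False)))
    print("admins:", members_via_nesting("SAS Administrators", ["alice", "bob"]))
```

In this sample data, alice was never added to SAS Administrators directly but reaches it through two levels of nesting, which is the kind of indirect grant a membership review should surface.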