Groups

Groups are primarily used in access controls, because it is more efficient to assign permissions to groups than to individual users. You can also use a group to populate a role or to make a shared credential available to multiple users. The following figure illustrates how the users in the previous topic might participate in a group structure:
Example: Users in a Group Structure
The preceding figure introduces three important predefined groups.
PUBLIC, SASUSERS, SAS Administrators Groups

| Group | Description |
|---|---|
| PUBLIC | Automatically includes everyone who can access the metadata server, either directly or through a trust relationship. A user who does not have an individual identity has only the PUBLIC group identity. |
| SASUSERS | Automatically includes those members of the PUBLIC group who have an individual identity. All members of the SASUSERS group are also members of the PUBLIC group. |
| SAS Administrators | A standard group for metadata administrators. In a standard configuration, membership in this group provides broad access and most administrative capabilities, but does not provide unrestricted status. |

Here are some tips for working with group definitions:
  • You can create a nested group structure by making one group a member of another group.
  • Most groups don't have logins (stored credentials). A group login makes a shared external account available to all members of the group. Such outbound logins typically provide access to a third-party database server and should include both a user ID and a password (as well as an authentication domain).
  • Permission settings on a group definition do not determine what that group can do. Those settings can affect the ability of other identities to update or delete the group definition itself. Special rules automatically protect user, group, and role definitions.
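
The membership rules above, modeled in plain Python as an added example (not SAS code and not part of the SAS documentation): it resolves implicit PUBLIC and SASUSERS membership plus nested groups, treating nested membership as transitive, and lists who effectively holds SAS Administrators membership. The user names, the ETL, Report Users and Ops groups, the data layout, and both function names are constructed for illustration.

```python
# Added illustration: a plain-Python model of the membership rules, not SAS code.
PUBLIC, SASUSERS, ADMINS = "PUBLIC", "SASUSERS", "SAS Administrators"

# Constructed sample data: group -> direct members (users or other groups).
SAMPLE = {
    "ETL": {"alice"},
    "Report Users": {"bob", "ETL"},   # ETL is nested in Report Users
    ADMINS: {"carol", "Ops"},         # Ops is nested in SAS Administrators
    "Ops": {"dave", ADMINS},          # constructed cycle: traversal must still end
}

def effective_groups(identity, direct_members, has_identity=True):
    """All groups an identity is in: direct, nested, and implicit."""
    if not has_identity:
        return {PUBLIC}               # no individual identity: PUBLIC only
    parents = {}                      # member -> groups that directly contain it
    for group, members in direct_members.items():
        for member in members:
            parents.setdefault(member, set()).add(group)
    found, stack = set(), [identity]
    while stack:
        for group in parents.get(stack.pop(), ()):
            if group not in found:    # visited check also breaks cycles
                found.add(group)
                stack.append(group)
    return found | {SASUSERS, PUBLIC} # implicit groups for individual identities

def effective_users(group, direct_members):
    """Users who hold membership in `group` directly or through nested groups."""
    users, seen, stack = set(), {group}, [group]
    while stack:
        for member in direct_members.get(stack.pop(), ()):
            if member in direct_members:   # member is itself a group: descend
                if member not in seen:
                    seen.add(member)
                    stack.append(member)
            else:
                users.add(member)
    return users

if __name__ == "__main__":
    print(sorted(effective_groups("alice", SAMPLE)))
    print(sorted(effective_users(ADMINS, SAMPLE)))
```

Running the second function against an export of real group definitions shows which users reach an administrative group only through nesting, which is easy to miss when reviewing direct members alone.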