Adjust Initial Access

The initial configuration in a new deployment provides sufficient access to data and resources, with the following exceptions:
  • Only unrestricted users can access data through information maps, reports that are based on information maps, the metadata LIBNAME engine, or the OLAP server. In the initial configuration, the only grants of the Read permission are in each user's personal content area (My Folder).
  • Only unrestricted users and members of the SAS Administrators group can register cubes.
To ensure appropriate access to resources and data:
  1. Log on to SAS Management Console as an administrator (for example, sasadm@saspw).
  2. (Optional) Verify that all registered users have at least the minimum required repository-level access.
    1. On the Plug-ins tab, under Authorization Manager, expand the Access Control Templates node.
    2. Right-click the repository ACT icon (Default ACT) and select Properties.
    3. On the Permission Pattern tab, select SASUSERS. Verify that the ReadMetadata and WriteMetadata permissions are granted.
  3. (Optional) Verify that all registered users have basic access to the folder tree.
    1. On the Folders tab, right-click the root folder (SAS Folders) and select Properties.
    2. On the folder's Authorization tab, select SASUSERS. Verify that the ReadMetadata permission is granted.
  4. Provide metadata layer access to data (this is a broad approach).
    1. On the Authorization tab for the root folder (SAS Folders), select SASUSERS.
      Note: To access this tab, select the Folders tab, right-click the root folder, and select Properties.
    2. Grant the Read permission. This enables registered users to perform tasks such as querying cubes, accessing data through information maps, and viewing the contents of tables.
    If you want to manage access to data more narrowly, set grants of the Read permission on specific folders for specific users. Users need the Read permission as follows:
    • Users need Read permission on an information map in order to access data through that information map. For example, if Joe is denied Read permission on an information map, he can't view reports that are based on that information map.
    • Users always need Read permission on OLAP data in order to access that data.
    • Users sometimes need Read permission on relational data in order to access that data. Read permission is required when data is accessed using the metadata LIBNAME engine.
  5. If users who aren't in the SAS Administrators group will register cubes, grant those users the WriteMetadata permission on the OLAP schema.
    1. On the Folders tab, expand the Shared Data folder and select the SASApp - OLAP Schema folder.
    2. In the right panel, right-click the schema icon and select Properties.
    3. On the Authorization tab, select or add an identity and grant WriteMetadata permission to that identity. For example, to allow all registered users to add cubes, assign the grant of WriteMetadata permission to SASUSERS.
  6. Verify that physical-layer access is available. Here are the general requirements:
    • A user who accesses SAS data sets from a standard workspace server needs host layer (Read) access to those files.
    • A user who performs tasks that involve writing to a host directory needs host layer (Write) access to that directory.
    • Server launch credentials need host (Read) access to any SAS data that the server retrieves. Initially, the SAS Spawned Servers account (sassrv) is the launch credential for the stored process server and the pooled workspace server.
  7. In the initial configuration, the Server Manager capability is available to only the SAS Administrators group. This prevents other users from accessing server definitions under that plug-in. For greater security, use permissions to protect server definitions. See Protect Server Definitions.
  8. In a new deployment, access to most resources and data is undifferentiated. All registered nonadministrators have identical metadata-layer access to content, data, and application features. Everyone who uses a stored process server or pooled workspace server has identical host-layer access to any SAS data that server retrieves. In a migrated deployment, access to most resources and data mirrors access in the original environment. To manage access to objects such as reports, stored processes, information maps, and data definitions, create custom folders that reflect the distinctions that you want to make. See Permissions on Folders.
  9. To fully protect SAS data sets, you must also address host access. See Host Access to SAS Tables.