The initial configuration in a new deployment provides sufficient access to data and resources, with the following exceptions:

- Only unrestricted users can access data through information maps, reports that are based on information maps, the metadata LIBNAME engine, or the OLAP server. In the initial configuration, the only grants of the Read permission are in each user's personal content area (My Folder).
- Only unrestricted users and members of the SAS Administrators group can register cubes.

To ensure appropriate access to resources and data:

- Log on to SAS Management Console as an administrator (for example, sasadm@saspw).
- (Optional) Verify that all registered users have at least the minimum required repository-level access.
  - On the Plug-ins tab, under Authorization Manager, expand the Access Control Templates node.
  - Right-click the repository ACT (Default ACT) and select Properties.
  - On the Permission Pattern tab, select SASUSERS. Verify that the ReadMetadata and WriteMetadata permissions are granted.
- (Optional) Verify that all registered users have basic access to the folder tree.
  - On the Folders tab, right-click the root folder (SAS Folders) and select Properties.
  - On the folder's Authorization tab, select SASUSERS. Verify that the ReadMetadata permission is granted.
- Provide metadata layer access to data (this is a broad approach).
  - On the Authorization tab for the root folder (SAS Folders), select SASUSERS.
    Note: To access this tab, select the Folders tab, right-click the root folder, and select Properties.
  - Grant the Read permission. This enables registered users to perform tasks such as querying cubes, accessing data through information maps, and viewing the contents of tables.

  If you want to manage access to data more narrowly, set grants of the Read permission on specific folders for specific users. Users need the Read permission as follows:
  - Users need Read permission on an information map in order to access data through that information map. For example, if Joe is denied Read permission on an information map, he can't view reports that are based on that information map.
  - Users always need Read permission on OLAP data in order to access that data.
  - Users sometimes need Read permission on relational data in order to access that data. Read permission is required when data is accessed using the metadata LIBNAME engine.
- If users who aren't in the SAS Administrators group will register cubes, grant those users the WriteMetadata permission on the OLAP schema.
  - On the Folders tab, expand the Shared Data folder and select the SASApp - OLAP Schema folder.
  - In the right panel, right-click the schema and select Properties.
  - On the Authorization tab, select or add an identity and grant WriteMetadata permission to that identity. For example, to allow all registered users to add cubes, assign the grant of WriteMetadata permission to SASUSERS.
- Verify that physical-layer access is available. Here are the general requirements:
  - A user who accesses SAS data sets from a standard workspace server needs host layer (Read) access to those files.
  - A user who performs tasks that involve writing to a host directory needs host layer (Write) access to that directory.
  - Server launch credentials need host (Read) access to any SAS data that the server retrieves. Initially, the SAS Spawned Servers account (sassrv) is the launch credential for the stored process server and the pooled workspace server.

- In the initial configuration, the Server Manager capability is available to only the SAS Administrators group. This prevents other users from accessing server definitions under that plug-in. For greater security, use permissions to protect server definitions. See Protect Server Definitions.
- In a new deployment, access to most resources and data is undifferentiated. All registered nonadministrators have identical metadata-layer access to content, data, and application features. Everyone who uses a stored process server or pooled workspace server has identical host-layer access to any SAS data that server retrieves. In a migrated deployment, access to most resources and data mirrors access in the original environment. To manage access to objects such as reports, stored processes, information maps, and data definitions, create custom folders that reflect the distinctions that you want to make. See Permissions on Folders.
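
For the step "Verify that physical-layer access is available", the following added example (not part of the SAS documentation) audits whether a launch credential such as sassrv has host (Read) access to data set files on a UNIX host. It assumes classic owner/group/other mode bits only (ACLs are not evaluated); the function names, paths, uids and gids are constructed for illustration.

```python
import os
from pathlib import PurePosixPath
from types import SimpleNamespace

def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that applies to the account for one stat result."""
    if uid == st.st_uid:
        return (st.st_mode >> 6) & 7   # owner class wins, even if it grants less
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7   # group class
    return st.st_mode & 7              # other class

def read_blocker(path, uid, gids, stat_fn=os.stat):
    """Return None if the account can read path, else the component that denies it."""
    p = PurePosixPath(path)
    # Every ancestor directory must grant search (x), checked from the root down.
    for parent in list(p.parents)[::-1]:
        if not class_bits(stat_fn(str(parent)), uid, gids) & 1:
            return str(parent)
    # The data set file itself must grant read (r).
    if not class_bits(stat_fn(str(p)), uid, gids) & 4:
        return str(p)
    return None

def audit(paths, uid, gids, stat_fn=os.stat):
    """Map each unreadable path to the path component that blocks the account."""
    report = {}
    for path in paths:
        blocker = read_blocker(path, uid, gids, stat_fn)
        if blocker is not None:
            report[path] = blocker
    return report

# Constructed sample tree (not from a real deployment): path -> (mode, uid, gid).
# Assumed account: sassrv is uid 501 and a member of group 600.
SAMPLE = {
    "/": (0o755, 0, 0),
    "/data": (0o755, 0, 0),
    "/data/sales": (0o750, 500, 600),
    "/data/sales/orders.sas7bdat": (0o640, 500, 600),
    "/data/hr": (0o700, 500, 600),
    "/data/hr/salary.sas7bdat": (0o644, 500, 600),
}

def sample_stat(path):
    mode, uid, gid = SAMPLE[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)

if __name__ == "__main__":
    files = [p for p in SAMPLE if p.endswith(".sas7bdat")]
    print(audit(files, 501, {600}, sample_stat))
```

On a live host, pass the launch account's real uid and group ids (for example, from `id sassrv`) and omit `stat_fn` so that `os.stat` is used. The salary file in the sample is world-readable by mode, yet the account is blocked at the `/data/hr` directory, which is the case a file-only check misses.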