Users

In general, each SAS user has identity information in two distinct realms:
  1. In an authentication provider, the user has an account that can access the metadata server.
  2. In the SAS metadata, the user has a definition that includes a copy of the account ID with which the user accesses the metadata server.
Coordination between these two realms establishes a unique SAS identity for each user. Each SAS identity is based on a match between the following two values:
  • the account ID with which the user authenticates
  • the account ID that is listed in the user's metadata definition
In the following figure, account refers to a user account in an authentication provider, and definition refers to a metadata object that represents the user. Bill cannot log on, Susan has only the generic PUBLIC identity, and Tara has an individual SAS identity.
Examples: User Accounts and User Definitions
Here are some tips for working with user definitions:
  • If the metadata server runs on Windows and uses SAS authentication, the SAS copy of each user's Windows user ID must be stored in a fully qualified format (for example, WindowsDomain\user-ID, MachineName\user-ID, or user-ID@company.com).
  • If you find that a user has only the PUBLIC identity even though the user has a user definition, the user's stored account ID might be missing, not accurately entered, or not in the correct format. Passwords and authentication domain assignments are never the cause of this problem. The match is based only on the account ID.
  • Regular users (non-administrators) can maintain their own logins, but cannot make other changes to their definitions.
  • Permission settings on a user definition do not determine what that user can do. Those settings can affect the ability of other identities to update or delete the user definition itself. Special rules automatically protect user, group, and role definitions.
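
The following Python model is an added illustration of the account ID match and of the troubleshooting tip about a user who has only the PUBLIC identity; it is not SAS code. The EXAMPLE domain, the user Raj, the function names, and the exact string comparison are assumptions, and the account and definition assigned to Bill, Susan, and Tara are inferred from the outcomes stated above.

```python
PUBLIC = "PUBLIC"

# Constructed sample data; the EXAMPLE domain and the user Raj are hypothetical.
PROVIDER_ACCOUNTS = {"EXAMPLE\\susan", "EXAMPLE\\tara", "EXAMPLE\\raj"}
DEFINITIONS = {                      # definition name -> stored account IDs
    "Bill": ["EXAMPLE\\bill"],       # definition, but no provider account
    "Tara": ["EXAMPLE\\tara"],       # account and matching definition
    "Raj": ["raj"],                  # stored ID is not fully qualified
}

def short_name(account_id):
    """Strip a Windows qualifier: DOMAIN\\user or user@domain -> user."""
    if "\\" in account_id:
        return account_id.split("\\", 1)[1]
    return account_id.split("@", 1)[0]

def resolve_identity(authenticated_id, accounts=PROVIDER_ACCOUNTS, definitions=DEFINITIONS):
    """Return a definition name, PUBLIC, or None when the user cannot log on."""
    if authenticated_id not in accounts:
        return None                  # authentication fails, so no identity at all
    for name, stored_ids in definitions.items():
        if authenticated_id in stored_ids:   # match is on the account ID only
            return name
    return PUBLIC                    # authenticated, but no matching definition

def diagnose(stored_ids, authenticated_id):
    """Classify why a definition does or does not match the authenticated ID."""
    if authenticated_id in stored_ids:
        return "match"
    if not stored_ids:
        return "missing"
    if any(short_name(s) == short_name(authenticated_id) for s in stored_ids):
        return "wrong format"        # same user part, different qualification
    return "not accurately entered"

if __name__ == "__main__":
    for uid in ("EXAMPLE\\bill", "EXAMPLE\\susan", "EXAMPLE\\tara", "EXAMPLE\\raj"):
        print(uid, "->", resolve_identity(uid))
    print("Raj:", diagnose(DEFINITIONS["Raj"], "EXAMPLE\\raj"))
```

Passwords and authentication domains do not appear anywhere in the model, which mirrors the statement that the match is based only on the account ID.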