In general, each SAS user has identity information in two distinct realms:

- In an authentication provider, the user has an account that can access the metadata server.
- In the SAS metadata, the user has a definition that includes a copy of the account ID with which the user accesses the metadata server.

Coordination between these two realms establishes a unique SAS identity for each user. Each SAS identity is based on a match between the following two values:

- the account ID with which the user authenticates
- the account ID that is listed in the user's metadata definition

In the following figure, account refers to a user account in an authentication provider, and definition refers to a metadata object that represents the user. Bill cannot log on, Susan has only the generic PUBLIC identity, and Tara has an individual SAS identity.

Here are some tips for working with user definitions:

- If the metadata server runs on Windows and uses SAS authentication, the SAS copy of each user's Windows user ID must be stored in a fully qualified format (for example, WindowsDomain\user-ID, MachineName\user-ID, or user-ID@company.com).
- If you find that a user has only the PUBLIC identity even though the user has a user definition, the user's stored account ID might be missing, not accurately entered, or not in the correct format. Passwords and authentication domain assignments are never the cause of this problem. The match is based only on the account ID.
- Regular users (non-administrators) can maintain their own logins, but cannot make other changes to their definitions.
- Permission settings on a user definition do not determine what that user can do. Those settings can affect the ability of other identities to update or delete the user definition itself. Special rules automatically protect user, group, and role definitions.
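
The account-ID match and the PUBLIC troubleshooting tip above can be modelled in a few lines. This is an added example, not SAS code: the function names, the sample IDs, the exact-string comparison, and the reading of Bill as a definition without a provider account and Susan as an account without a definition are all assumptions made for illustration.

```python
import re

# Fully qualified forms listed on the page: WindowsDomain\user-ID,
# MachineName\user-ID, or user-ID@company.com.
QUALIFIED = re.compile(r"[^\\@\s]+\\[^\\@\s]+|[^\\@\s]+@[^\\@\s]+")

def is_fully_qualified(account_id):
    return QUALIFIED.fullmatch(account_id) is not None

def resolve_identity(auth_id, provider_accounts, definitions):
    """Model the two-realm match. Assumption: IDs compare as exact strings."""
    if auth_id not in provider_accounts:
        return "CANNOT LOG ON"        # no account in the authentication provider
    for user, stored_ids in definitions.items():
        if auth_id in stored_ids:
            return user               # individual SAS identity
    return "PUBLIC"                   # authenticated, but no stored ID matches

def diagnose_public(auth_id, user, definitions, windows_sas_auth=True):
    """Explain why a user who has a definition still resolves to PUBLIC."""
    stored = [s for s in definitions.get(user, []) if s.strip()]
    if not stored:
        return "stored account ID is missing"
    if auth_id in stored:
        return "stored account ID matches; user is not limited to PUBLIC"
    if windows_sas_auth and not any(is_fully_qualified(s) for s in stored):
        return "stored account ID is not in a fully qualified format"
    return "stored account ID is not accurately entered"

# Constructed sample data (hypothetical; not taken from the page's figure).
ACCOUNTS = {r"CORP\susan", r"CORP\tara", r"CORP\raj", r"CORP\lee"}
DEFINITIONS = {
    "Bill": [r"CORP\bill"],   # definition exists, but no provider account
    "Tara": [r"CORP\tara"],   # stored ID matches the account
    "Raj":  ["raj"],          # unqualified ID
    "Lee":  [r"CORP\le"],     # typo in the stored ID
    "Ann":  [],               # no login stored
}

if __name__ == "__main__":
    for auth_id in sorted(ACCOUNTS | {r"CORP\bill"}):
        print(auth_id, "->", resolve_identity(auth_id, ACCOUNTS, DEFINITIONS))
    print("Raj:", diagnose_public(r"CORP\raj", "Raj", DEFINITIONS))
    print("Lee:", diagnose_public(r"CORP\lee", "Lee", DEFINITIONS))
```

Passwords and authentication domains do not appear anywhere in the model, which mirrors the tip that they are never the cause of a PUBLIC-only result.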