Introduction to Selected Administrative Roles
Members have all explicit capabilities, all metadata server capabilities, and cannot be denied any permissions in the metadata layer. Unrestricted users can use only those logins that are assigned to them (or to groups to which they belong).

Members can create, update, and delete users, groups, roles (other than the unrestricted role), internal accounts, logins, and authentication domains. Restricted user administrators cannot update identities for which they have an explicit or ACT denial of WriteMetadata.

Members can administer the metadata server (monitor, stop, pause, resume, quiesce) and its repositories (add, initialize, register, unregister, delete). Only someone who has an external user ID that is listed in the adminUsers.txt file with a preceding asterisk can delete, unregister, add, or initialize a foundation repository. Only an unrestricted user can analyze and repair metadata or perform tasks when the metadata server is paused.

In SAS Management Console, members can see all of the plug-ins that are under role-based management (in the initial configuration).

The metadata server's adminUsers.txt file provides many of the same privileges that it did in previous releases. However, we recommend that you use roles instead, except as specified in documentation for a particular task.

The method that most applications use to retrieve credentials supports normal use of stored credentials, regardless of role memberships. However, if someone who has user administration capabilities makes a raw metadata request for logins, no usable passwords are returned. Consequently, if the identity that the object spawner uses to retrieve server launch credentials from the metadata has the user administration role (or the unrestricted role), the spawner will not operate properly.

Do not give user administration capabilities to the identity that the object spawner uses to retrieve server launch credentials from the metadata. In a typical configuration, the spawner uses the SAS Trusted User to retrieve server launch credentials (through a raw metadata request).