About User Administration

Introduction

In order to make access distinctions and track user activity, a security system must know who is making each request. In the platform, the primary user administration task is to store each user's external account ID in the SAS metadata. SAS uses its copy of these IDs to establish a unique SAS identity for each connecting user. All of a user's metadata-layer memberships, permissions, and capabilities are ultimately tied to the user's SAS identity.
Note: It is not necessary to store passwords in the SAS metadata for the purpose of identifying a user. SAS identity is determined by examining stored user IDs, not by examining stored passwords.
Note: For some service identities and metadata administrators, you can use a SAS internal account instead of a stored SAS copy of an external account ID.

Who Can Manage Users, Groups, and Roles?

In the initial configuration for a new deployment, the SAS Administrators group has the user administration role, so members of that group can perform almost all user management tasks. The following table outlines the distribution of user administration capabilities.
User Administration Capabilities

Metadata Server Role    Actions Supported
----------------------  ------------------------------------------
Unrestricted            Perform all identity management tasks.
User administration     Add, modify, and delete most identities.
None                    Update your own personal logins.
For restricted user administrators (users who have the user administration role but are not unrestricted), the following constraints apply:
  • Restricted user administrators cannot update the unrestricted role.
  • To update or delete an identity, restricted user administrators must have the WriteMetadata permission for that identity. For example, to prevent JoeRestrictedUserAdmin from updating UserA’s metadata definition, open UserA’s definition, add JoeRestrictedUserAdmin, and explicitly deny the WriteMetadata permission to JoeRestrictedUserAdmin.
  • To change a role's capabilities, restricted user administrators must have the WriteMetadata permission for the associated software component.
  • To access user management features in SAS Management Console, restricted user administrators must have the User Manager capability.
Note: You can delegate administration of an existing identity to someone who isn't a user administrator. In the target identity's metadata definition, explicitly grant the WriteMetadata permission to the delegated administrator.
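The role table and the constraints above combine into a small decision model: the unrestricted role wins outright, a restricted user administrator is bounded by explicit WriteMetadata entries on each identity and by the software-component permission for roles, and a delegated administrator with no role at all gets exactly the identities on which WriteMetadata was explicitly granted. The following Python is an added illustration of that model, not SAS code and not the SAS authorization engine; the role and permission names and the JoeRestrictedUserAdmin/UserA example come from this page, while the Identity dataclass, the action names, the other identity names and the assumption that the user administration role carries WriteMetadata on identities by default are this example's own.

```python
"""Model of the metadata-layer user-administration rules described on this page.

Added illustration only: not SAS code and not the SAS authorization engine.
Role names, the WriteMetadata permission and the JoeRestrictedUserAdmin/UserA
example come from the page; the data structures, action names and decision
function are this example's own assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# Actions named on the page (the constant names are this example's own choice).
UPDATE_IDENTITY = "update_identity"
DELETE_IDENTITY = "delete_identity"
UPDATE_OWN_LOGINS = "update_own_logins"
UPDATE_UNRESTRICTED_ROLE = "update_unrestricted_role"
CHANGE_ROLE_CAPABILITIES = "change_role_capabilities"


@dataclass
class Identity:
    name: str
    unrestricted: bool = False      # holds the unrestricted role
    user_admin: bool = False        # holds the user administration role
    # Explicit WriteMetadata entries on this identity's own metadata definition:
    # principal name -> True for an explicit grant, False for an explicit deny.
    write_metadata: Dict[str, bool] = field(default_factory=dict)


def has_write_metadata(actor: Identity, target: Identity) -> bool:
    """An explicit entry on the target's definition decides. Without one, the
    user administration role is assumed to carry WriteMetadata on identities,
    matching the page's description of the initial configuration (assumption)."""
    explicit = target.write_metadata.get(actor.name)
    if explicit is not None:
        return explicit
    return actor.user_admin


def is_permitted(actor: Identity, action: str, target: Optional[Identity] = None,
                 writes_software_component: bool = False) -> bool:
    """Decide whether `actor` may perform `action` (on `target`, where one applies).

    `writes_software_component` stands for WriteMetadata on the software
    component that owns a role, which the page requires for changing that
    role's capabilities.
    """
    if actor.unrestricted:
        return True                                   # all identity management tasks
    if action == UPDATE_OWN_LOGINS:
        return target is not None and target.name == actor.name
    if action == UPDATE_UNRESTRICTED_ROLE:
        return False                                  # restricted admins never update it
    if action == CHANGE_ROLE_CAPABILITIES:
        return actor.user_admin and writes_software_component
    if action in (UPDATE_IDENTITY, DELETE_IDENTITY):
        return target is not None and has_write_metadata(actor, target)
    return False                                      # unknown action: deny by default


# Constructed identities; only JoeRestrictedUserAdmin and UserA appear on the page.
SASADM = Identity("sasadm", unrestricted=True)
JOE = Identity("JoeRestrictedUserAdmin", user_admin=True)
DELEGATE = Identity("DelegateD")                      # holds no administrative role
PLAIN = Identity("UserZ")

# UserA: the page's example, with an explicit deny for Joe on UserA's definition.
USER_A = Identity("UserA", write_metadata={"JoeRestrictedUserAdmin": False})
# UserB: no explicit entries, so the role fallback applies.
USER_B = Identity("UserB")
# UserC: delegated administration per the page's note, explicit grant to DelegateD.
USER_C = Identity("UserC", write_metadata={"DelegateD": True})


def summary() -> Dict[str, bool]:
    """Decisions for the constructed cases, for checking the model against the page."""
    return {
        "sasadm deletes UserA": is_permitted(SASADM, DELETE_IDENTITY, USER_A),
        "Joe updates UserA (explicit deny)": is_permitted(JOE, UPDATE_IDENTITY, USER_A),
        "Joe updates UserB (no explicit entry)": is_permitted(JOE, UPDATE_IDENTITY, USER_B),
        "Joe updates the unrestricted role": is_permitted(JOE, UPDATE_UNRESTRICTED_ROLE),
        "Joe changes role capabilities, no component access":
            is_permitted(JOE, CHANGE_ROLE_CAPABILITIES),
        "Joe changes role capabilities, with component access":
            is_permitted(JOE, CHANGE_ROLE_CAPABILITIES, writes_software_component=True),
        "DelegateD updates UserC (explicit grant)": is_permitted(DELEGATE, UPDATE_IDENTITY, USER_C),
        "DelegateD updates UserB": is_permitted(DELEGATE, UPDATE_IDENTITY, USER_B),
        "UserZ updates own logins": is_permitted(PLAIN, UPDATE_OWN_LOGINS, PLAIN),
        "UserZ updates Joe's logins": is_permitted(PLAIN, UPDATE_OWN_LOGINS, JOE),
    }


if __name__ == "__main__":
    for case, allowed in summary().items():
        print(f"{'ALLOW' if allowed else 'DENY':5}  {case}")
```

The explicit-entry-first ordering in has_write_metadata is what makes the page's UserA example work: the deny placed on UserA's definition overrides the access Joe would otherwise have from his role, and the same mechanism, with a grant instead of a deny, gives a non-administrator the delegated access described in the note.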

Where is User Administration Performed?

Metadata-layer user administration is performed as follows:
  • To manage identity information interactively, use SAS Management Console. See SAS Management Console: Guide to Users and Permissions.
  • To import identity information in bulk from an external user store (such as Active Directory) to the SAS metadata, write SAS code. See User Import Macros.
  • To copy identity metadata from one SAS repository to another, use the metadata promotion tools. See Promotion Tools Overview in SAS Intelligence Platform: System Administration Guide.
  • To audit changes to metadata identity definitions, use the Audit.Meta.Security.GrpAdm and Audit.Meta.Security.UserAdm log categories. See Auditing of Security Events.
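The two audit categories named in the last item are only useful if someone reads them, and the natural review is to compare who made each identity change against who was expected to. The Python below is an added example, not part of this page and not SAS code: it filters constructed log lines to the Audit.Meta.Security.UserAdm and Audit.Meta.Security.GrpAdm categories and flags changes made by accounts outside the expected administrator set, allowing for the delegation case the page describes. The line layout, message texts, account names and group names are all constructed for the example and are not the real SAS log format, so the regular expression has to be adjusted to the pattern your logging configuration actually emits.

```python
"""Triage constructed metadata-server audit lines for identity changes.

Added illustration; not SAS code and not part of the page. The two category
names are the ones the page documents. The line layout, messages, accounts
and groups below are constructed for this example only: adapt LINE_RE to the
pattern your metadata server logging configuration really writes.
"""
import re
from typing import Dict, List, Set

AUDIT_CATEGORIES = {
    "Audit.Meta.Security.UserAdm",   # changes to user definitions
    "Audit.Meta.Security.GrpAdm",    # changes to group and role membership
}

# Constructed layout: timestamp level [thread] user@authdomain - category - message
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<level>\w+)\s+\[(?P<thread>[^\]]+)\]\s+"
    r"(?P<user>[^@\s]+)@(?P<domain>\S+)\s+-\s+(?P<category>\S+)\s+-\s+(?P<msg>.*)$"
)

# Constructed sample lines; none of the accounts, groups or events are real.
SAMPLE_LOG = """\
2024-05-01T09:15:02,101 INFO [00000021] sasadm@DefaultAuth - Audit.Meta.Security.UserAdm - Added user UserQ
2024-05-01T09:15:07,330 INFO [00000021] sasadm@DefaultAuth - Audit.Meta.Security.GrpAdm - Added UserQ to group Finance Users
2024-05-01T09:20:44,015 INFO [00000033] sasadm@DefaultAuth - App.Meta - Repository checkpoint complete
2024-05-01T11:02:19,588 INFO [00000040] DelegateD@DefaultAuth - Audit.Meta.Security.UserAdm - Modified login for UserC
2024-05-01T11:03:50,902 INFO [00000040] DelegateD@DefaultAuth - Audit.Meta.Security.GrpAdm - Added DelegateD to group SAS Administrators
"""


def parse_audit_events(text: str) -> List[Dict[str, str]]:
    """Return the parsed fields of every line in one of the two audit categories."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match and match.group("category") in AUDIT_CATEGORIES:
            events.append(match.groupdict())
    return events


def flag_events(events: List[Dict[str, str]], trusted_admins: Set[str],
                delegations: Dict[str, Set[str]]) -> List[str]:
    """Return one finding per identity change that falls outside expectations.

    trusted_admins: accounts expected to hold the user administration role.
    delegations: delegate account -> identities on which it was explicitly
    granted WriteMetadata (the page's delegation note). A delegate's change
    is accepted only when the message names one of those identities; any
    change an account makes to its own membership is always reported.
    """
    findings = []
    for ev in events:
        actor, msg, words = ev["user"], ev["msg"], ev["msg"].split()
        if actor in words:
            findings.append(f"{ev['ts']} {actor} changed own identity: {msg}")
            continue
        if actor in trusted_admins:
            continue
        if any(name in words for name in delegations.get(actor, set())):
            continue
        findings.append(f"{ev['ts']} {actor} outside expected scope: {ev['category']} - {msg}")
    return findings


def review(text: str = SAMPLE_LOG) -> List[str]:
    """Run the sample through the filter with the constructed expectations."""
    return flag_events(parse_audit_events(text),
                       trusted_admins={"sasadm"},
                       delegations={"DelegateD": {"UserC"}})


if __name__ == "__main__":
    for finding in review():
        print(finding)
```

On the constructed sample the checkpoint line is discarded because it is not in an audit category, the delegate's change to UserC is accepted because UserC is within the delegation, and the delegate's addition of itself to a group is reported. Matching identity names on whitespace-split tokens is deliberate: a substring test would let a grant on "UserC" also cover "UserCD".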