In the initial configuration
for a new deployment, the SAS Administrators group has the user administration
role, so members of that group can perform almost all user management
tasks. The following table outlines the distribution of user administration
capabilities.
User Administration Capabilities
|
|
|
Perform all identity
management tasks.
|
|
Add, modify, and delete
most identities.
|
|
Update your own personal
logins.
|
For restricted user
administrators (users who have the user administration role but are
not unrestricted), the following constraints apply:
-
Restricted user administrators
cannot update the unrestricted role.
-
To update or delete an identity,
restricted user administrators must have the WriteMetadata permission
for that identity. For example, to prevent JoeRestrictedUserAdmin
from updating UserA’s metadata definition, open UserA’s
definition, add JoeRestrictedUserAdmin, and explicitly deny the WriteMetadata
permission to JoeRestrictedUserAdmin.
-
To change a role's capabilities,
restricted user administrators must have the WriteMetadata permission
for the associated software component.
-
To access user management features
in SAS Management Console, restricted user administrators must have
the User Manager capability.
Note: You can delegate administration
of an existing identity to someone who isn't a user administrator.
In the target identity's metadata definition, explicitly grant the
WriteMetadata permission to the delegated administrator.