Administering SAS BI Dashboard
You can use metadata layer permissions to manage access to dashboard objects such as dashboards, indicators, models, and ranges. This topic documents the requirements and describes the predefined groups that you can choose to use to manage access.
Predefined Administration Role for SAS BI Dashboard
SAS BI Dashboard includes a predefined role, BI Dashboard: Administration. In order to manage SAS BI Dashboard, administrators must meet the following criteria:
Be assigned to the BI Dashboard: Administration role. When SAS Deployment Wizard completes installation, the BI Administration role is added to the SAS BI Dashboard administrators group by default. If you create a different group for administrators, the BI Administration role must be added to that group.
Explicitly have ReadMetadata, WriteMetadata, and WriteMemberMetadata permissions to folders. This is necessary in order for administrators to create, read, modify, and delete objects.
Manage Users in SAS BI Dashboard Groups
You enable users to log on to the SAS BI Dashboard by creating metadata identities for the users, and assigning them to the predefined BI Dashboard Users group or any other group that you have created.
By default, two groups are available for SAS BI Dashboard:
BI Dashboard Users
BI Dashboard Administrators
You can use dashboard groups to manage access to dashboard objects. You are not required to use the BI Dashboard Users or the BI Dashboard Administrators groups. You can create your own groups that meet your organizational needs. Typically, you grant access to data designers so that they can create the dashboards, indicators, data models, and ranges using the graphical interface. You typically limit access for other users who need only to see dashboards in the BI Dashboard Viewer or on the portal page. You can manage user access by creating metadata identities for users, adding users to the appropriate group, and then assigning permissions to the groups on the BI Dashboard folder.
These default groups determine which dashboard objects users can access and manipulate as follows:
Group | Type of Access |
---|---|
BI Dashboard Users | Members of this group can view dashboards in the BI Dashboard Viewer or in the portlet. |
BI Dashboard Administrators | Members of this group can view dashboards in portlets and change the dashboard layout. Members also have access to a Manage Dashboards Application either by direct access to the BI Dashboard application or via the link in the portlet (if the value for the portlet ShowManageLink property is true). After they click this link, members can create, edit, and delete dashboard objects. |
You implement authorization in order to control the types of permissions granted to users. You configure permissions for the users and groups that are defined in SAS metadata. You can add Dashboard users to groups that you define in SAS metadata, grant the necessary permissions to those groups, and then limit the permissions for the PUBLIC group.
Key Aspects of Security for SAS BI Dashboard
The following list summarizes some key points that apply to SAS BI Dashboard 4.3 security.
For SAS applications including SAS BI Dashboard and the SAS Information Delivery Portal, authentication is through the SAS Logon Manager.
The ability to render, create, edit, and delete dashboard objects is controlled by the permissions on the objects in the metadata.
When a user wants to view a dashboard, the user's permissions for the dashboard, indicators, ranges, and data models are verified. If a user has permission to view a dashboard, but is not granted permission to read any of the indicators in the dashboard, an empty dashboard is displayed. If a user has permission to read an indicator, but does not have permission to read the data point model, the indicator does not render for that user.
If data caching is not enabled, and a user does not have read permissions on an underlying information map, cube, or data set, then the query fails and an error message is returned. If data caching is enabled, the queries are run by the SAS Trusted User for all users.
If an information map uses row-level permissions, then only the data that is readable by a particular user appears in a dashboard indicator when that user is logged on to the portal.
To ensure performance, object permissions are established at the beginning of the user's session. If a user has read permission on an indicator at the beginning of the session, that permission applies to the entire session even if the administrator changes the permission in SAS Management Console during the user's session.
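The view-time checks in the list above, modeled as an added example (not SAS code and not part of the original documentation). The user names, object names and grant table are constructed; ranges and row-level permissions are left out because the page does not state their effect on rendering, and the cache branch assumes that running the query as the SAS Trusted User means the user's own permission on the data source is not consulted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    name: str
    model: str   # data model the indicator reads
    source: str  # underlying information map, cube, or data set

def open_session(user, grants):
    """Snapshot readable objects at logon; later grant changes are not seen."""
    return frozenset(o for o, readers in grants.items() if user in readers)

def render(dashboard, indicators, readable, data_caching):
    """None if the dashboard is unreadable; {} is an empty dashboard."""
    if dashboard not in readable:
        return None
    shown = {}
    for ind in indicators:
        if ind.name not in readable or ind.model not in readable:
            continue  # indicator does not render for this user
        if data_caching:
            # Query runs as the SAS Trusted User; assumed here to mean the
            # user's own permission on the source is not consulted.
            shown[ind.name] = "rendered (cache)"
        elif ind.source in readable:
            shown[ind.name] = "rendered"
        else:
            shown[ind.name] = "query error"
    return shown

def cache_only_exposure(dashboard, indicators, readable):
    """Indicators a user sees with caching on but could not query directly."""
    cached = render(dashboard, indicators, readable, True) or {}
    direct = render(dashboard, indicators, readable, False) or {}
    return sorted(n for n in cached if direct.get(n) != "rendered")

# Constructed sample grants: object name -> users with read permission
GRANTS = {
    "Sales Dashboard": {"alice", "bob", "carol"},
    "Revenue KPI": {"alice", "bob"}, "Revenue Model": {"alice", "bob"},
    "Revenue Map": {"alice"},
    "Margin KPI": {"alice", "bob"}, "Margin Model": {"alice"},
    "Margin Cube": {"alice"},
}
INDICATORS = [Indicator("Revenue KPI", "Revenue Model", "Revenue Map"),
              Indicator("Margin KPI", "Margin Model", "Margin Cube")]
```

`cache_only_exposure` lists the indicators for which read permission on the indicator and its data model is the only remaining control once data caching is enabled, which is the set to review before turning caching on.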
Enable the Display of Custom Repository Folders in SAS BI Dashboard
If you create custom repository folders, add them to the Foundation Services in SAS Management Console. As a result, you can view and access the custom repository folders within SAS BI Dashboard. For information about different repositories and administrative tasks associated with repositories, see "Creating, Registering, Moving, Copying, Renaming, and Deleting SAS Metadata Repositories" in the SAS 9.2 Intelligence Platform System Administration Guide.
To enable the display of custom repository folders in SAS BI Dashboard, complete the following tasks:
Specify the custom repository. See Specify the Custom Repository.
Register the custom repository in SAS Foundation Services. See Register the Custom Repository in SAS Foundation Services.
To specify the custom repository, follow these steps:
On the Plug-ins tab in SAS Management Console, navigate to Environment Management > Foundation Services Manager > SAS BI Dashboard 4.3 Local Services > Information Service.
Right-click and select Properties to display the Information Properties dialog box.
Click the Service Configuration tab.
Click Configuration.
Click the Repositories tab, and select New.
In the New Information Service Repository dialog box, follow the instructions on the wizard pages. As you answer the wizard's prompts, be sure to specify a unique name for the repository and select the check box for AutoConnect. Specify the values for the following required fields or retain the default values:
Name: Nameofyourcustomrepository
Host: MetadataServer
Port: PortNumber
Domain: DefaultAuth
Base: Nameofyourcustomrepository
Save your changes.
To register the custom repository in SAS Foundation Services, follow these steps:
On the Plug-ins tab in SAS Management Console, navigate to Environment Management > Foundation Services Manager and click SAS BI Dashboard 4.3 Local Services.
Within the Core folder, right-click on Information Service and select Properties.
Click the Service Configuration tab.
Click Configuration.
Click the Repositories tab, and select New.
In the Information Repositories dialog box, follow the instructions on the wizard pages. When you answer the wizard's prompts, the values supplied for Name, Host, Port, Domain, and Base fields must match the values that were specified previously for the custom repository. See Specify the Custom Repository.
Select the check box for AutoConnect.
For this property to take effect, restart the Foundation Services and your Web application server.
Configuration for Dashboard Portlets That Are Shared
Shared portlets are appropriate for users who need only to view dashboards. These users cannot manipulate portlet content in any way. Like other portlets, dashboard portlets can be shared with a group that is defined in metadata. To share a portlet, you must be a group content administrator or a sastrust user for the respective group. For more information about sharing portlets, see Sharing Content in the Portal.
When you share a SAS BI Portlet with a group, members of the group have read-only access to the portlet.
Copyright © 2010 by SAS Institute Inc., Cary, NC, USA. All rights reserved.