Updating Groups and Roles for SAS Business Rules Manager 3.2

When you perform a migration or an upgrade, the groups, roles, and capabilities defined in SAS Management Console are preserved in case they have been customized for your site. To take advantage of new roles and capabilities available in SAS Business Rules Manager, you might need to modify the settings in SAS Management Console.
Enable Business Rules Folder Administration
Update User Group Membership and Authorization
Update Administrator Groups and Roles
Configure the Ability to Import and Export Content
Control Access to the Import and Export Macros
Create a Runtime User for SAS Decision Manager Common Data Server
Create a Runtime User for Oracle

Enable Business Rules Folder Administration

Note: This information applies to all new installations, upgrades, and migrations. Enabling folder administration is optional.
A business rules folder administrator specifies which groups have permission to create and update top-level business rules folders and to modify the location of tests and test data for those folders. See Create New Top-Level Folders in SAS Business Rules Manager: User’s Guide for more information.
Note: After you enable folder administration, you must assign a group to any pre-existing folders. Any folder that has not been assigned a group is visible only to folder administrators.
Follow these steps in SAS Management Console:
  1. Set the brm.folder.config.enabled property to true. See Review Application Properties in SAS Management Console for more information.
    Note: Setting brm.folder.config.enabled to true disables the ability to import and export business rules content. Business rules content includes business rules folders, vocabularies, terms, lookup tables, rule sets, and rule flows. You can override this restriction by setting brm.import.restriction.override to true.
  2. Click the User Manager plug-in.
  3. Select Actionsthen selectNewthen selectRole. The New Role Properties dialog appears.
  4. On the General tab, enter a name for the administrator role.
  5. On the Capabilities tab, select Business Rules Manager Web 3.2then selectAdministrationthen selectFolder Administration.
    Folder Administration capability in SAS Management Console
  6. On the Members tab, add the necessary identities to the role.
  7. Click OK.

Update User Group Membership and Authorization

Note: This section applies only if you are upgrading or migrating from SAS Business Rules Manager 2.1 to 3.2.
In SAS Business Rules Manager 2.1, all users that needed access to the SAS Business Rules Manager database were assigned to the Business Rules Manager Users group. Beginning with SAS Business Rules Manager 2.2, users are assigned to the Decision Manager Users group. If you migrate or upgrade from SAS Business Rules Manager 2.1 to SAS Business Rules Manager 3.2, you might need to update the membership or authorization for the Business Rules Manager and Decision Manager User groups.
You can continue to use the Business Rules Manager Users group as your primary group, or you can start using the Decision Manager Users group. If you continue to use the Business Rules Manager Users group, you can preserve customized authorization settings.
To use the Decision Manager Users group as your primary group, in SAS Management Console, assign all users that need access to SAS Business Rules Manager to the Decision Manager Users group.
To continue to use the Business Rules Manager Users group:
  1. Ensure that all users that need access to the SAS Business Rules Manager database are assigned to the Business Rules Manager Users group.
  2. If you are using a different database instance in the migrated environment, update the authentication domains for migrated user groups. Complete the following steps in SAS Management Console:
    1. Remove the identity for the authentication domain edm_db_auth from the Decision Manager Users group.
      1. Select the User Manager plug-in.
      2. Right-click Decision Manager Users and select Properties.
      3. Click the Accounts tab. Record the user ID that is specified for the edm_db_auth authentication domain. This user ID is the user ID that you need to add to the Business Rules Manager Users group.
      4. Select the row for edm_db_auth and click Delete.
        Properties window for the Decision Manager Users group
      5. Click OK.
    2. Update the identity for the authentication domain edm_db_auth for the Business Rules Manager Users group to match the updated login that was added to the Decision Manager Users group.
      1. Select the User Manager plug-in.
      2. Right-click Business Rules Manager Users and select Properties.
      3. Click the Accounts tab, and click New. The New Login Properties dialog box appears.
      4. Enter the user ID that you recorded for the edm_db_auth domain and the password for this user ID. Select the edm_db_auth domain, and click OK.
      5. Click OK to save the changes to the Business Rules Manager Users group.

Update Administrator Groups and Roles

Note: This information applies only if you are upgrading from SAS Decision Manager 2.1 to 3.2.
SAS Decision Manager 2.1 created the Decision Manager Common Administrator group and the Decision Manager Common: Administrator role. When you upgrade from SAS Decision Manager 2.1 to 3.2, the second pass of the SAS Deployment Wizard creates a new group named Decision Manager Common Administrators and a new role named Decision Manager Common: Administration.
Follow these steps in SAS Management Console:
  1. Add the members of the Decision Manager Common Administrator group to the Decision Manager Common Administrators group.
  2. Add the members of the Decision Manager Common Administrators role to the Decision Manager Common: Administration role.
  3. Delete the old Decision Manager Common Administrator group and the old Decision Manager Common Administrators role.
See Adjust Group or Role Membership in SAS Management Console: Guide to Users and Permissions for more information.

Configure the Ability to Import and Export Content

SAS Business Rules Manager provides several macros for importing and exporting business rules content from the Decision Manager database. (Business rules content includes business rules folders, vocabularies, terms, lookup tables, rule sets, and rule flows.) You can limit the ability of users to run these macros by setting the correct properties and configuring identities in SAS Management Console.For information about the macros, see Introduction to the Import and Export Macros.

Control Access to the Import and Export Macros

Perform the following steps in SAS Management Console:
  1. Set the brm.import.restriction.override property to true if the brm.folder.config.enabled property is also set to true.
    Note: Setting brm.folder.config.enabled to true disables the ability to import and export business rules content. To override this restriction, set brm.import.restriction.override to true. See Review Application Properties in SAS Management Console for more information.
  2. Create a new group for users with full access. For example, create a new group named Business Rules Admin Users.
  3. Add the new group as a member of the existing Decision Manager Users group. Members of the new group have the same access as members of the Decision Manager Users group. This access includes the ability to run the import and export macros and to update content through the user interface.
  4. Create a second new group for users with limited access. For example, create a new group named Business Rules NonAdmin Users. Members of this group will be able to update content through the user interface but will not be able to run the import or export macros.
  5. Create a runtime database user that has Read access to lookup tables only. This permission is the only one that is required to be able to run rules in SAS Business Rules Manager and in SAS Data Integration Studio. Follow the instructions for your database:
  6. Add a new login for the runtime user to the second new group (Business Rules NonAdmin Users). Specify the user ID and password that were created in the previous step, and select the authentication domain edm_db_auth.
    Properties dialog for the Business Rules NonAdmin Users group in SAS Management Console. The Accounts tab is selected and shows a login for the new runtime user for the edm_db_auth domain.
  7. Add any additional roles or capabilities that are needed by members of the new group.

Create a Runtime User for SAS Decision Manager Common Data Server

Run the createRuntimeUser script for your operating environment. This script creates an identity that has Read permission only for lookup tables.
The script for Windows platforms is named createRuntimeUser.bat, and the script for UNIX platforms is named createRuntimeUser.sh. They are located in the following directory:
SASHome/SASDecisionManagerCommonDataServer/3.2/Config/Deployment/createUser
Note: This directory contains a README.TXT file that contains information about the parameters for these scripts.
When you run the script, substitute the correct values for the port number, host name, and user ID for your database. The script prompts you to enter a password. The syntax for these scripts is as follows:
createRuntimeUser.[bat | sh] SASHome port host admin db_name user_ID
SASHome
specifies the SAS Home installation directory location. In Windows operating environments, it is recommended that you enclose this parameter in double quotation marks.
port
specifies the port number of your database.
host
specifies the host name of the database.
admin
specifies the user ID of the database administrator for the database. This user ID must have access to all of the database content. You can find the correct value for this parameter in SAS Management Console. In SAS Management Console, select the User Manager plug-in. Right-click the SAS Administrator user, and select Properties. The user ID of the database administrator is the user ID for the DecisionManagerComDataSvrCfg3.2Admin domain.
db_name
specifies the name of the database. You can find the correct value for this parameter in the SASCONFIG/Web/WebAppServer/SASServer7_1/conf/server.xml file on the middle-tier server. The database name is the text after the final forward slash (/) in the URL. For example, if the attribute is url="jdbc:postgresql://host:10482/dcmdb", then specify dcmdb for db_name.
user_ID
specifies a user ID for the new identity that will have Read permission only for lookup tables.

Create a Runtime User for Oracle

Ask your Oracle database administrator to perform the following tasks:
  1. Create a new user and schema in Oracle and provide you with the new user ID and password.
  2. Grant SELECT access to the following views for the new user in the SAS Business Rules Manager database.
    • DCM_LOOKUP_VIEW
    • DCM_SELECTED_LOOKUP_VIEW
  3. Create synonyms in the new user’s default schema so that they can execute queries with unqualified references to those views. 
    CREATE SYNONYM DCM_LOOKUP_VIEW FOR @brm.schema.name@.DCM_LOOKUP_VIEW;
CREATE SYNONYM DCM_SELECTED_LOOKUP_VIEW FOR 
@brm.schema.name@.DCM_SELECTED_LOOKUP_VIEW;
Copyright © SAS Institute Inc. All Rights Reserved.
Last updated: February 22, 2017