Overview of SAS Administration

About Using SAS Management Console for SAS Administration

Some SAS environments contain an administrative application called SAS Management Console. This application enables you to view and manage a central repository of metadata that is used by applications in your environment and that is controlled by a SAS Metadata Server. The repository contains information about the following:
  • the data sources and data structures that are accessed by SAS applications in the environment
  • other servers in the environment
  • content that is created and used by SAS applications in the environment
  • users and groups of users who are allowed to use the environment
  • the levels of access that users and groups have to resources
This chapter provides basic information about using SAS Management Console.
Note: Depending on which SAS products you have licensed, you might need to perform other administration tasks either in SAS Management Console or in other SAS applications. For details, see your product documentation.

SAS Management Console System Requirements

When you click the SAS Management Console icon in SAS App Central, a copy of the SAS Management Console executable is downloaded to your computer. The executable can be run only in Microsoft Windows for x64 operating environments.

About Metadata Identities

A metadata identity is a metadata object that represents an individual user or a group of users in a SAS environment. Each individual and group that accesses secured resources on a SAS Metadata Server should have a unique metadata identity within that server.
When you use SAS App Central to give a user access to a SAS application that requires a metadata identity, the user’s identity is automatically created. The identity consists of a copy of the user name.
All of a user’s group memberships, application role memberships, and permission assignments are tied to the user’s metadata identity. Metadata identities enable administrators to audit individual actions in the metadata layer. The identities also provide personal folders for each user.

About Groups

A group is a set of users. The following two predefined groups are provided for SAS Cloud users:
| Group | Description |
|---|---|
| SASUSERS | Includes all users who have been assigned to applications that require metadata identities. |
| SAS Administrators | Enables users to perform metadata administration tasks. |
You might have other predefined groups that pertain to specific SAS applications that you have licensed. Users are automatically added to the appropriate groups based on their role assignments in SAS App Central.
To simplify security management, you might want to create additional groups. Groups provide the following benefits:
  • It is more efficient to assign permissions to groups than to individual users.
  • It is sometimes more efficient to manage role membership by assigning groups to roles instead of by assigning users directly to roles.
Tip: A group’s membership can include other groups as well as individual users. This enables you to create a nested group structure.
Users are automatically added to the appropriate groups in SAS metadata based on their role assignments in SAS App Central. When you change a user’s role assignments in SAS App Central, the user’s corresponding group memberships are updated automatically in metadata.
CAUTION: If you use SAS Management Console to add a user to (or remove a user from) a group that corresponds to a SAS App Central role, an out-of-alignment condition occurs. The membership change is overridden when roles are re-aligned.
To avoid alignment issues, use SAS App Central rather than SAS Management Console to manage membership in the SASUSERS group, the SAS Administrators group, and other groups that correspond to SAS App Central roles.
For more information, see Managing Users’ SAS App Central Roles.
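
The following Python code is an added example, not SAS code or part of the original documentation. It compares constructed App Central role assignments with a constructed snapshot of metadata group membership to flag out-of-alignment members, and expands nested groups to show who effectively belongs to SAS Administrators. The role names, the role-to-group mapping, and the data layout are assumptions.

```python
# Added example: all names and data below are constructed, not SAS exports.
ADMIN = "SAS Administrators"

# Assumed mapping from an App Central role to the metadata group it controls.
ROLE_TO_GROUP = {"user": "SASUSERS", "administrator": ADMIN}

# Constructed App Central role assignments: user -> roles.
APP_CENTRAL_ROLES = {
    "alice": {"user", "administrator"},
    "bob": {"user"},
    "carol": {"user"},
}

# Constructed metadata snapshot: group -> direct members (users or groups).
METADATA_GROUPS = {
    "SASUSERS": {"alice", "bob"},                 # carol was removed by hand
    ADMIN: {"alice", "bob", "Report Admins"},     # bob added by hand; nested group
    "Report Admins": {"carol", "Report Admins"},  # constructed cycle for the guard
}

def expected_members(group):
    """Users whose App Central roles map to this metadata group."""
    return {u for u, roles in APP_CENTRAL_ROLES.items()
            if any(ROLE_TO_GROUP.get(r) == group for r in roles)}

def alignment_drift(groups):
    """Per role-mapped group: direct user members that are extra or missing."""
    drift = {}
    for group in sorted(set(ROLE_TO_GROUP.values())):
        direct_users = {m for m in groups.get(group, set()) if m not in groups}
        want = expected_members(group)
        extra, missing = direct_users - want, want - direct_users
        if extra or missing:
            drift[group] = {"extra": sorted(extra), "missing": sorted(missing)}
    return drift

def effective_users(group, groups, seen=None):
    """Expand nested groups to the users who actually hold membership."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against circular nesting
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, set()):
        users |= effective_users(member, groups, seen) if member in groups else {member}
    return users
```

Subtracting expected_members(ADMIN) from effective_users(ADMIN, METADATA_GROUPS) lists the users who reach the administrators group only through a manual change or a nested group.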

About Roles in SAS Metadata

In SAS metadata, a role manages the availability of application features such as menu items.
An application feature that is under role-based management is called a capability. Anyone who is a member of a role has all of that role’s capabilities.
Each application that supports roles provides one or more predefined roles. Each predefined role has a unique initial set of capabilities. The capabilities that a role provides should reflect the activities and responsibilities of that role’s members. You can adjust the distribution of capabilities if needed.
Roles in SAS metadata are distinct from the roles that you assign to users in SAS App Central. When you assign users to roles in SAS App Central, the users are automatically assigned to the appropriate groups in SAS metadata. In turn, groups are assigned to specific roles in SAS metadata. You can use SAS Management Console to change these role assignments.

About Folders

SAS applications use a hierarchy of SAS folders to store metadata for content such as tables, libraries, stored processes, and reports. These folders include personal folders for individual users, a folder for shared data, and folders for system content that is generally not accessed by users. Within this structure, you can create additional folders to meet your information management, data sharing, and security requirements.
The Folders tab of SAS Management Console displays all SAS folders that the user has permission to view. Most other client applications display SAS folders only if they contain content that is relevant to the application, subject to the user's permissions. The initial folder structure includes the following main components:
| Folder | Purpose |
|---|---|
| SAS Folders | The root folder for the folder structure. This folder can contain other folders, but it cannot contain individual objects. |
| My Folder | A shortcut to the personal folder of the user who is currently logged on. See User Folders in this table. |
| Products | Contains folders for individual SAS products. These folders contain sample content that demonstrates product capabilities and that users can modify for their own purposes. |
| Shared Data | Is provided for you to store user-created content that is shared among multiple users. You can create any number of subfolders to further organize content. You can also create additional shared folders directly under SAS Folders. |
| System | Contains SAS system objects. In SAS Cloud environments, these objects generally do not need to be accessed by users or account administrators. |
| User Folders | Contains folders that belong to individual users. These folders are referred to as users' home folders and are designated with the user’s name. Each home folder contains a folder called My Folder. This folder is the standard location for storing content that the user creates. |
To ensure the integrity of your SAS environment, do not delete or rename the Products folder, the System folder, the User Folders folder, or the home folder or personal folder of an active user.

About Permissions

SAS provides a metadata-based access control system that supplements protections in other layers, such as the operating system. Protections are cumulative across layers. You cannot perform a task unless you have sufficient access in all layers. The following table introduces the general-purpose permissions:
| Permission (Abbreviation) | Actions Affected |
|---|---|
| ReadMetadata (RM) | Viewing an object. For example, to see a report, you need the ReadMetadata permission for that report. |
| WriteMetadata (WM) | Editing, deleting, or setting permissions for an object. To delete an object, you also need the WriteMemberMetadata permission for the object’s parent folder. |
| WriteMemberMetadata (WMM) | Adding an object to a folder or deleting an object from a folder. To enable someone to interact with a folder's contents but not with the folder itself, grant WMM and deny WM. |
Users are automatically given appropriate permissions based on their role assignments in SAS App Central.