Updating Groups and Roles for SAS Decision Manager 3.2

When you perform a migration or an upgrade, the groups, roles, and capabilities defined in SAS Management Console are preserved in case they have been customized for your site. To take advantage of new roles and capabilities available in SAS Decision Manager, you might need to modify the settings in SAS Management Console.
Enable Business Rules Folder Administration
Create the Decision Builder User Role
Update Administrator Groups and Roles
Configure the Ability to Import and Export Content
Control Access to the Import and Export Macros
Create a Runtime User for SAS Decision Manager Common Data Server
Create a Runtime User for Oracle

Enable Business Rules Folder Administration

Note: This information applies to all new installations, upgrades, and migrations. Enabling folder administration is optional.
A business rules folder administrator specifies which groups have permission to create and update top-level business rules folders and to modify the location of tests and test data for those folders. See Create New Top-Level Folders in SAS Decision Manager: User’s Guide for more information.
Note: After you enable folder administration, you must assign a group to any pre-existing folders. Any folder that has not been assigned a group is visible only to folder administrators.
Follow these steps in SAS Management Console:
  1. Set the brm.folder.config.enabled property to true. See Review Application Properties in SAS Management Console for more information.
    Note: Setting brm.folder.config.enabled to true disables the ability to import and export business rules content. Business rules content includes business rules folders, vocabularies, terms, lookup tables, rule sets, and rule flows. You can override this restriction by setting brm.import.restriction.override to true.
  2. Click the User Manager plug-in.
  3. Select Actionsthen selectNewthen selectRole. The New Role Properties dialog appears.
  4. On the General tab, enter a name for the administrator role.
  5. On the Capabilities tab, select Business Rules Manager Web 3.2then selectAdministrationthen selectFolder Administration.
    Folder Administration capability in SAS Management Console
  6. On the Members tab, add the necessary identities to the role.
  7. Click OK.

Create the Decision Builder User Role

Note: This information applies if you are upgrading to SAS Decision Manager 3.2 from any earlier release.
When you install a new deployment of SAS Decision Manager 3.2 or migrate to SAS Decision Manager 3.2 from an earlier version, the Decision Builder User role is predefined for you. If you upgrade your existing deployment to SAS Decision Manager 3.2, you must create this role. For instructions about creating a new role in SAS Management Console, see How to Create a Custom Role in SAS Management Console: Guide to Users and Permissions.
  • On the Capabilities tab, add the Decision and Decision Test capabilities to the role. These capabilities are under Decision Manager 3.2.
    Decision and Decision Test capabilities under Decision Manager 3.2 in SAS Management Console.
  • On the Members tab, add the Decision Manager Users group to the role.

Update Administrator Groups and Roles

Note: This information applies only if you are upgrading from SAS Decision Manager 2.1 to 3.2.
SAS Decision Manager 2.1 created the Decision Manager Common Administrator group and the Decision Manager Common: Administrator role. When you upgrade from SAS Decision Manager 2.1 to 3.2, the second pass of the SAS Deployment Wizard creates a new group named Decision Manager Common Administrators and a new role named Decision Manager Common: Administration.
Follow these steps in SAS Management Console:
  1. Add the members of the Decision Manager Common Administrator group to the Decision Manager Common Administrators group.
  2. Add the members of the Decision Manager Common Administrators role to the Decision Manager Common: Administration role.
  3. Delete the old Decision Manager Common Administrator group and the old Decision Manager Common Administrators role.
See Adjust Group or Role Membership in SAS Management Console: Guide to Users and Permissions for more information.

Configure the Ability to Import and Export Content

SAS Decision Manager provides several macros for importing and exporting business rules content from the Decision Manager database. (Business rules content includes business rules folders, vocabularies, terms, lookup tables, rule sets, and rule flows.) You can limit the ability of users to run these macros by setting the correct properties and configuring identities in SAS Management Console.For information about the macros, see Introduction to the Import and Export Macros.

Control Access to the Import and Export Macros

Perform the following steps in SAS Management Console:
  1. Set the brm.import.restriction.override property to true if the brm.folder.config.enabled property is also set to true.
    Note: Setting brm.folder.config.enabled to true disables the ability to import and export business rules content. To override this restriction, set brm.import.restriction.override to true. See Review Application Properties in SAS Management Console for more information.
  2. Create a new group for users with full access. For example, create a new group named Business Rules Admin Users.
  3. Add the new group as a member of the existing Decision Manager Users group. Members of the new group have the same access as members of the Decision Manager Users group. This access includes the ability to run the import and export macros and to update content through the user interface.
  4. Create a second new group for users with limited access. For example, create a new group named Business Rules NonAdmin Users. Members of this group will be able to update content through the user interface but will not be able to run the import or export macros.
  5. Create a runtime database user that has Read access to lookup tables only. This permission is the only one that is required to be able to run rules in SAS Decision Manager and in SAS Data Integration Studio. Follow the instructions for your database:
  6. Add a new login for the runtime user to the second new group (Business Rules NonAdmin Users). Specify the user ID and password that were created in the previous step, and select the authentication domain edm_db_auth.
    Properties dialog for the Business Rules NonAdmin Users group in SAS Management Console. The Accounts tab is selected and shows a login for the new runtime user for the edm_db_auth domain.
  7. Add any additional roles or capabilities that are needed by members of the new group.

Create a Runtime User for SAS Decision Manager Common Data Server

Run the createRuntimeUser script for your operating environment. This script creates an identity that has Read permission only for lookup tables.
The script for Windows platforms is named createRuntimeUser.bat, and the script for UNIX platforms is named createRuntimeUser.sh. They are located in the following directory:
SASHome/SASDecisionManagerCommonDataServer/3.2/Config/Deployment/createUser
Note: This directory contains a README.TXT file that contains information about the parameters for these scripts.
When you run the script, substitute the correct values for the port number, host name, and user ID for your database. The script prompts you to enter a password. The syntax for these scripts is as follows:
createRuntimeUser.[bat | sh] SASHome port host admin db_name user_ID
SASHome
specifies the SAS Home installation directory location. In Windows operating environments, it is recommended that you enclose this parameter in double quotation marks.
port
specifies the port number of your database.
host
specifies the host name of the database.
admin
specifies the user ID of the database administrator for the database. This user ID must have access to all of the database content. You can find the correct value for this parameter in SAS Management Console. In SAS Management Console, select the User Manager plug-in. Right-click the SAS Administrator user, and select Properties. The user ID of the database administrator is the user ID for the DecisionManagerComDataSvrCfg3.2Admin domain.
db_name
specifies the name of the database. You can find the correct value for this parameter in the SASCONFIG/Web/WebAppServer/SASServer7_1/conf/server.xml file on the middle-tier server. Find the resource with the name sas/jdbc/DecisionManagerDS, and look for the value of the url attribute. The database name is the text after the final forward slash (/) in the URL. For example, if the attribute is url="jdbc:postgresql://host:10482/dcmdb", then specify dcmdb for db_name.
user_ID
specifies a user ID for the new identity that will have Read permission only for lookup tables.

Create a Runtime User for Oracle

Ask your Oracle database administrator to perform the following tasks:
  1. Create a new user and schema in Oracle and provide you with the new user ID and password.
  2. Grant SELECT access to the following views for the new user in the SAS Decision Manager database.
    • DCM_LOOKUP_VIEW
    • DCM_SELECTED_LOOKUP_VIEW
  3. Create synonyms in the new user’s default schema so that they can execute queries with unqualified references to those views. 
    CREATE SYNONYM DCM_LOOKUP_VIEW FOR @brm.schema.name@.DCM_LOOKUP_VIEW;
CREATE SYNONYM DCM_SELECTED_LOOKUP_VIEW FOR 
@brm.schema.name@.DCM_SELECTED_LOOKUP_VIEW;
Copyright © SAS Institute Inc. All Rights Reserved.
Last updated: February 22, 2017