Controlling Access to SAS Environment Manager

About Native Roles and Users

SAS Environment Manager controls access and permissions within the application with its own registry of users and its own system of roles and permissions. In order to distinguish between the SAS Environment Manager access features and those in SAS metadata, this document and the SAS Environment Manager online Help refer to features internal to SAS Environment Manager as native features (such as native users or native roles). However, the SAS Environment Manager interface does not use the native terminology.
Although native user definitions are internal to SAS Environment Manager, they are mapped to user definitions created in SAS metadata. Native users are created by first creating the user definition in metadata and then synchronizing the user information with SAS Environment Manager. You cannot create native user definitions in SAS Environment Manager directly.
Native roles enable you to grant capabilities and permissions for actions in SAS Environment Manager to selected users. For example, an administrator role could be granted full permissions for all resource types and the ability to acknowledge and fix alerts, and a guest role could be denied the ability to fix or acknowledge alerts and have only Read permission for resources. Assigning a native role to a native user determines the actions that the user can perform in SAS Environment Manager.
Each native role also has its own unique Dashboard page, which you can customize to match the native role’s tasks. Each user has access to their own personal Dashboard page and the Dashboard pages of all native roles of which they are a member.

SAS Environment Manager and SAS Metadata Users

Users in SAS Environment Manager are mapped to users created in SAS metadata. During installation, three user groups are created in SAS metadata to contain SAS Environment Manager users. Users that are members of these groups are mapped to user definitions in SAS Environment Manager with corresponding roles. The user groups and their corresponding roles are as follows:
Group name in SAS metadata    Role in SAS Environment Manager
SAS_EV_Super_User             Super User Role
SAS_EV_Guest                  Guest Role
SAS_EV_AppServer_Tier         SAS App Tier Role
For example, users added to the group SAS_EV_Guest are added as users in SAS Environment Manager under the Guest role when the users are synchronized.
When you install SAS Environment Manager 2.1, all existing SAS Environment Manager user definitions are automatically added to the SAS_EV_Guest group in metadata. After the existing users have been added to the SAS_EV_Guest group, use SAS Management Console to modify the user definitions or assign the users to other SAS_EV groups in metadata.
After you have defined new users in SAS metadata, sign on to SAS Environment Manager, and select Manage, then select Synchronize Users. User definitions are created for all users that are defined in the three SAS_EV groups in metadata. Any SAS Environment Manager users that are not associated with user definitions in metadata are deleted.
If you sign on to SAS Environment Manager using a user ID that is defined in metadata, is a member of one of the SAS_EV groups, but is not defined in SAS Environment Manager, then a user definition is automatically created in SAS Environment Manager and assigned to the correct role.
To create a new SAS Environment Manager user, use an application such as SAS Management Console to define the user and assign it to the appropriate SAS_EV user group, and then select Manage, then select Synchronize Users to create the user in SAS Environment Manager and assign the user to the proper role.
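The synchronization rules above can be previewed before selecting Synchronize Users. The following is an added example that models the behavior described on this page; it is not SAS code. The function name, the input format and the user IDs (other than sasevs) are assumptions, as is the choice to give a user in two SAS_EV groups both roles.

```python
# Added example: models the behaviour described on this page; not SAS code.
GROUP_TO_ROLE = {  # group-to-role table from this page
    "SAS_EV_Super_User": "Super User Role",
    "SAS_EV_Guest": "Guest Role",
    "SAS_EV_AppServer_Tier": "SAS App Tier Role",
}


def plan_sync(metadata_users, metadata_groups, native_users):
    """Dry run of Synchronize Users.

    metadata_users:  set of user IDs defined in SAS metadata
    metadata_groups: {group name: set of member user IDs} in SAS metadata
    native_users:    set of user IDs currently in SAS Environment Manager
    """
    roles = {}
    for group, role in GROUP_TO_ROLE.items():
        for user in metadata_groups.get(group, set()) & metadata_users:
            # Assumption: membership in two SAS_EV groups yields both roles.
            roles.setdefault(user, set()).add(role)
    return {
        # In a SAS_EV group but not yet a native user: created on sync.
        "create": sorted(set(roles) - native_users),
        # Native user with no metadata definition: deleted on sync.
        "delete": sorted(native_users - metadata_users),
        # Defined in metadata but in no SAS_EV group: the page does not say
        # what happens, so these are flagged for manual review.
        "review": sorted((native_users & metadata_users) - set(roles)),
        "roles": {user: sorted(r) for user, r in sorted(roles.items())},
    }


# Constructed sample data (user IDs are invented, except sasevs from the page).
METADATA_USERS = {"sasevs", "alice", "bob", "carol"}
METADATA_GROUPS = {
    "SAS_EV_Super_User": {"alice"},
    "SAS_EV_Guest": {"sasevs", "alice", "bob"},
    "Report Authors": {"carol"},  # not a SAS_EV group, so it maps to no role
}
NATIVE_USERS = {"sasevs", "alice", "carol", "dave"}

if __name__ == "__main__":
    plan = plan_sync(METADATA_USERS, METADATA_GROUPS, NATIVE_USERS)
    for key, value in plan.items():
        print(key, value)
```

Reviewing the "delete" list and the members of Super User Role before each synchronization catches both accidental removals and unintended privilege grants made through metadata group membership.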
An internal account, sasevs (sasevs@saspw), is also created during installation. This account is assigned to the SAS_EV_Guest group. The account is used for communications between the SAS Environment Manager agent and server and enables plugins to access the SAS Metadata Server. The internal account sasadm@saspw is the default account for signing on to SAS Environment Manager.
The SAS Logon Manager is used to control the process of logging on to SAS Environment Manager. The application uses the same authentication process and authentication provider as the other SAS web applications.

Creating a Native Role

To create a native role, follow these steps:
  1. On the Manage page, select New Role.
  2. On the New Role page, specify a name for the role and select the native permissions and capabilities for each resource type. If you grant the Read Only permission for a resource type, you can also select the native capabilities for the resource type. For all other permissions, the capabilities are automatically selected or disabled and cannot be changed.
  3. Use these guidelines to determine the native permissions to set:
    Adding resources to the inventory and creating alert definitions
      Select Full or Read / Write permissions. Users can also respond to alerts and control resources.
    Monitoring resources, responding to alerts, controlling resources
      Select the Read Only permission and grant the capability to acknowledge and fix alerts and to control resources. Users can respond to alerts and control resources but cannot create or modify alerts or resources.
    Monitoring resources
      Select the Read Only permission, but do not grant capabilities for alerts or resource control. Users can only view and monitor resources.
  4. When you click OK, the role and associated Dashboard page are created, and the Role Properties page is displayed. Use this page to select native users and resource groups that should be associated with the role and to create an alert calendar.
  5. To create an alert calendar, select the days and times during which the role’s users will be notified of alerts. Make sure that at least one role is available during every time period.
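The coverage requirement in step 5 can be checked mechanically across all roles. The following is an added example, not SAS code; the calendar representation (whole hours, end exclusive), the function name and the role names are assumptions.

```python
# Added example: checks that the alert calendars of all roles together
# leave no period of the week without a role to notify. Not SAS code.
DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def coverage_gaps(calendars):
    """Return [(day, start_hour, end_hour)] periods in which no role is notified.

    calendars: {role name: {day: [(start_hour, end_hour), ...]}} with hours
    0-24 and end exclusive (an assumed representation, not a SAS format).
    """
    gaps = []
    for day in DAYS:
        # Collect every role's windows for this day, ordered by start hour.
        windows = sorted(w for cal in calendars.values() for w in cal.get(day, []))
        covered_until = 0
        for start, end in windows:
            if start > covered_until:      # hole before this window opens
                gaps.append((day, covered_until, start))
            covered_until = max(covered_until, end)
        if covered_until < 24:             # hole at the end of the day
            gaps.append((day, covered_until, 24))
    return gaps


# Constructed sample calendars (role names are invented).
CALENDARS = {
    "Day Operators": {d: [(8, 18)] for d in DAYS[:5]},
    "Night Operators": {d: [(0, 8), (18, 24)] for d in DAYS[:5]},
    "Weekend On-Call": {"Sat": [(0, 24)], "Sun": [(6, 20)]},
}

if __name__ == "__main__":
    for day, start, end in coverage_gaps(CALENDARS):
        print(f"No role is notified on {day} from {start:02d}:00 to {end:02d}:00")
```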