ITRM Report Center Users and Groups

Understanding Groups, Roles, and Capabilities

Membership in IT Resource Management groups and roles is necessary in order to work with ITRM Report Center.
Note: Membership in SAS groups and roles is not necessary to work with the SAS IT Resource Management client.
Using the User Manager component of SAS Management Console, the SAS administrator can manage users, groups, and roles. A group’s membership in a role determines the SAS application capabilities for the users in that group. Typically, groups are members of roles, and users are members of groups.
Here are some definitions of the terms that pertain to this topic:
Group
A group is a set of users. Using groups facilitates setting security on objects, such as assigning access to the SAS Content Server locations where ITRM reports are available.
CAUTION:
ITRM Report Center does not support nested groups.
For this reason, groups used for ITRM Report Center should not be members of other groups.
Role
A role determines the capabilities that you have when you use a SAS application. It controls the availability of application capabilities (or features) such as access to ITRM Report Center workspaces.
Note: Each role provides multiple capabilities. Your administrator can assign you to the groups that are members of the appropriate roles for the SAS work that you perform.
Capability
A capability is a SAS application feature that is under role-based management. Anyone who is a member of a role or who inherits a role via its group membership has all of that role's capabilities. For example, a capability might be the ability to perform the duties of an IT Resource Management Administrator in ITRM Report Center.
For more information about defining login metadata for users, see the SAS 9.4 Intelligence Platform: Security Administration Guide. This document can be found in the Administration Documentation section of the SAS Intelligence Platform documentation that is available at this location: http://support.sas.com/documentation/onlinedoc/intellplatform/index.html.

User Authorization

When SAS IT Resource Management is installed, three SAS metadata-based application groups are created to control access to ITRM Report Center workspaces and functions: SASUSERS, IT Resource Management Users, and IT Resource Management Administrators. SAS administrators define additional users and groups as part of the setup tasks for SAS IT Resource Management.
Each user who is established in SAS Management Console can be a member of a group that is assigned SAS capabilities through a role.
ITRM Report Center supports the following user groups:
  • SASUSERS
    SASUSERS are users who have metadata identities. In ITRM Report Center, SASUSERS have limited access to the Home and Gallery workspaces.
  • IT Resource Management Users
    The IT Resource Management Users Group has these roles:
    • IT Resource Management: User—This role provides access to ITRM Report Center Home, Gallery, and Resource workspaces.
    • IT Resource Management: Report Center Group
  • IT Resource Management Administrators
    The IT Resource Management Administrators Group has these roles:
    • IT Resource Management: Administrator—This role provides access to all ITRM Report Center workspaces and functions.
    • IT Resource Management: Report Center Group
SAS administrators can use SAS Management Console to assign individual users to groups that are members of roles with SAS capabilities that are appropriate for the work that they perform. For more information about how to use SAS Management Console, see Chapter 2, “Preparing to Work with the SAS IT Resource Management Client” in SAS IT Resource Management 3.4: Administrator’s Guide. To locate the SAS IT Resource Management documentation, use the Products Index at http://support.sas.com/documentation/index.html.

About the SASUSERS Group

The most basic access to ITRM Report Center is granted to users who are members of the SASUSERS group. Members of this group have limited access to the Home and Gallery workspaces. They can also use the functions of these workspaces such as viewing shared galleries and creating folders and albums that are not restricted by metadata roles. SASUSERS have access to reports that are stored in the SCS location that is defined in the ITRM Report Center Administration workspace.
SASUSERS group members are those users who have a SAS metadata identity on the IT Resource Management metadata server. They are implicitly defined by SAS as described in the Members property for this group in SAS Management Console.
Note: In the ITRM Report Center Administration workspace, members of the SAS Users group are referred to as "ITRM Report Center Viewer (SASUSERS)".
The following table shows the capabilities that are available to SASUSERS.
Table of ITRM Report Center Capabilities for SASUSERS

| Capability | SASUSERS |
|---|---|
| Home Workspace | Yes. Note: The Alerts pane and the Show Related Report action of the Watch List pane are not available. |
| Gallery Workspace | Yes |
| Folders | Yes. Note: SASUSERS can create, edit, delete, copy, and share personal folders. |
| Access to Galleries | Yes. Note: SASUSERS can access galleries that are shared with them. SASUSERS can also access reports in those galleries that are in SCS locations to which they are granted access. |
| Albums | Yes. Note: SASUSERS can create, edit, delete, share, and copy personal albums. |
| Access to Exception Reports | Yes |
| Watch Lists | Yes |
| E-mail Reports | Yes |

About the IT Resource Management Administrators Group and IT Resource Management: User Role

Other users access ITRM Report Center with specific groups and roles that allow them to perform ITRM Report Center functions. These are the IT Resource Management Administrators group and the IT Resource Management: User role.
  • Users who are members of the IT Resource Management Administrators group have full access to ITRM Report Center workspaces and functionality.
    Any user who administers ITRM Report Center must be a member of the IT Resource Management Administrators group that is supplied when IT Resource Management is installed.
  • Users who are members of the IT Resource Management: User role have access to ITRM Report Center Home, Gallery, and Resource workspaces and the full functionality in each.
Permission to access the IT Resource Management performance and exception reports stored in the SAS Content Server is granted based on the SAS metadata-based application group to which a user belongs. By default, IT Resource Management reports are written to <Middle-Tier-Server-Name>/SASContentServer/repository/default/sasdav/ITRM and all users of ITRM Report Center have access to this location. Multiple SAS Content Server locations can be used to permit and restrict groups of users to access IT Resource Management reports.
Note: For more information about using multiple SAS Content Server locations, see Overview of the Administration Workspace.
The following table shows the capabilities that are available for the IT Resource Management: User role and the IT Resource Management: Administrator role.
Table of ITRM Report Center Capabilities for Users and Administrators

| Capability | IT Resource Management: User Role | IT Resource Management: Administrator Role |
|---|---|---|
| Administration Workspace | No | Yes |
| Home Workspace | Yes | Yes |
| Gallery Workspace | Yes | Yes. Note: The Edit button is not enabled for this role while working on the Users' Galleries and Albums folder. Therefore, the administrator cannot modify gallery objects of another user. |
| Resource Workspace | Yes | Yes |
| Folders | Yes | Yes. Note: Administrators can also copy and delete the folders of other users. |
| Galleries | Yes | Yes. Note: Administrators can also copy and delete the galleries of other users. |
| Albums | Yes | Yes. Note: Administrators can also copy and delete the albums of other users. |
| Exception Reports | Yes | Yes |
| Alerts | Yes | Yes |
| Watch Lists | Yes | Yes |
| E-mail Reports | Yes | Yes |
| Perform Administrative Tasks | No | Yes. Note: For information about administrative tasks, see Overview of the Administration Workspace. |
Note: ITRM Report Center capabilities that are not restricted by role are available to the IT Resource Management: User role. Similarly, the capabilities of the IT Resource Management: User role are available to the IT Resource Management: Administrator role.

About the Metadata Server: Unrestricted Role

User IDs with the SAS Metadata Server: Unrestricted role can access SAS Management Console to assign and manage ITRM Report Center roles, groups, and users. For more information about defining login metadata for users, see the SAS 9.4 Intelligence Platform: Security Administration Guide. This document can be found in the Administration Documentation section of the SAS Intelligence Platform documentation that is available at this location: http://support.sas.com/documentation/onlinedoc/intellplatform/index.html. The SAS Metadata Server: Unrestricted role is also used to manage the IT Resource Management application configuration properties. For more information, see SAS IT Resource Management 3.4: Administrator’s Guide.
User IDs with the SAS Metadata Server: Unrestricted role can view and manage files and WebDAV folders in the SAS Content Server. Using the SAS Content Server Administration Console, you can view, delete, and set permissions for WebDAV folders and files. For more information, see “Using the SAS Content Server Administration Console” in the SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide.
Note: User IDs with the SAS Metadata Server: Unrestricted role should not be used to access ITRM Report Center. If a user with the SAS Metadata Server: Unrestricted role accesses ITRM Report Center, then access is limited to the Administration workspace only. This ITRM Report Center restriction is in effect to avoid situations where users with the SAS Metadata Server: Unrestricted role create ITRM Report Center objects that cannot be managed by members of the IT Resource Management Administrators group.

About the IT Resource Management: Report Center Group Role

The IT Resource Management: Report Center Group role is used to identify the SAS metadata-based application groups that are associated with ITRM Report Center. All groups that are members of the IT Resource Management: User role also need to be members of the IT Resource Management: Report Center Group role. Groups that are members of both the IT Resource Management: User and the IT Resource Management: Report Center Group roles are displayed in the User Group column of the Assign location to user group dialog box of the Administration workspace. In this workspace, they can be assigned access to SAS Content Server locations that contain IT Resource Management reports. For more information about this workspace, see Overview of the Administration Workspace.
Note: The SASUSERS group is displayed in the Administration workspace as ITRM Report Center Viewers (SASUSERS). Members of the IT Resource Management Administrators group have access to all SAS Content Server locations where IT Resource Management reports are written and, as such, are not displayed in the Administration workspace.

Additional Notes about Roles, Capabilities, and Groups

A role manages the availability of capabilities such as menu items. This list highlights key points:
  • Roles are used to manage SAS application capabilities.
  • Roles and groups serve distinct purposes. You cannot assign permissions to a role or capabilities to a group.
  • Capabilities are always additive. Assigning someone to a role never reduces what that user can do.
Tip
Creating groups can simplify security management. For best results, consider the following advice:
  • It might be more efficient to manage role membership by assigning groups to roles instead of by assigning users directly to roles.
  • It is more efficient to assign permissions to groups than to individual users.
CAUTION:
ITRM Report Center does not support nested groups.
For this reason, groups used for ITRM Report Center should not be members of other groups.
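
The rules stated on this page (no nested groups, User-role groups must also hold the Report Center Group role, additive capabilities, Unrestricted IDs limited to the Administration workspace) can be checked mechanically during an access review. The following is an added example, not SAS code or a SAS export format: the dictionary layout, the group "Capacity Planners", and the user names are constructed for illustration, and flagging an Unrestricted ID that sits in an ITRM group is a review heuristic derived from the note above.

```python
USER_ROLE = "IT Resource Management: User"
ADMIN_ROLE = "IT Resource Management: Administrator"
RC_GROUP_ROLE = "IT Resource Management: Report Center Group"
UNRESTRICTED = "Metadata Server: Unrestricted"
# Workspace access per role, taken from the capability tables on this page.
ROLE_WORKSPACES = {
    USER_ROLE: {"Home", "Gallery", "Resource"},
    ADMIN_ROLE: {"Home", "Gallery", "Resource", "Administration"},
}
SASUSERS_WORKSPACES = {"Home", "Gallery"}  # limited access for any metadata identity

def audit(groups, direct_roles):
    """Return findings for a {group: {"members": [...], "roles": [...]}} model."""
    findings = []
    for name, group in sorted(groups.items()):
        for member in group["members"]:
            if member in groups:  # nested groups are not supported
                findings.append(f"nested group: {member} is a member of {name}")
            elif UNRESTRICTED in direct_roles.get(member, ()):
                findings.append(f"unrestricted identity {member} is in {name}")
        roles = set(group["roles"])
        if USER_ROLE in roles and RC_GROUP_ROLE not in roles:
            findings.append(f"{name} has the User role without the Report Center Group role")
    return findings

def effective_workspaces(user, groups, direct_roles):
    """Union of role workspaces reached through direct group membership only."""
    if UNRESTRICTED in direct_roles.get(user, ()):
        return {"Administration"}  # the page limits such IDs to this workspace
    workspaces = set(SASUSERS_WORKSPACES)  # capabilities are additive
    for group in groups.values():
        if user in group["members"]:
            for role in group["roles"]:
                workspaces |= ROLE_WORKSPACES.get(role, set())
    return workspaces

# Constructed sample model (hypothetical group and user names).
SAMPLE_GROUPS = {
    "IT Resource Management Administrators": {
        "members": ["alice", "sasadm"], "roles": [ADMIN_ROLE, RC_GROUP_ROLE]},
    "IT Resource Management Users": {
        "members": ["bob", "Capacity Planners"], "roles": [USER_ROLE, RC_GROUP_ROLE]},
    "Capacity Planners": {"members": ["carol"], "roles": [USER_ROLE]},
}
SAMPLE_DIRECT_ROLES = {"sasadm": [UNRESTRICTED]}

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUPS, SAMPLE_DIRECT_ROLES):
        print("FINDING:", finding)
```

The function effective_workspaces assumes every user passed to it has a SAS metadata identity, which is what places a user in SASUSERS.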