ITRM Report Center Users and Groups :: SAS(R) IT Resource Management 3.6: Report Center Guide

Understanding Groups, Roles, and Capabilities

Membership in IT Resource Management groups and roles is necessary in order to work with ITRM Report Center.

Note: Membership in SAS IT Resource Management groups and roles is not necessary to work with the SAS IT Resource Management client.

Using the User Manager component of SAS Management Console, the SAS administrator can manage users, groups, and roles. A group’s membership in a role determines the SAS application capabilities for the users in that group. Typically, users are members of groups and groups are members of roles.

Here are some definitions of the terms that pertain to this topic:

Group

A group is a set of users. Membership in a group provides the member with the ability to access certain objects. Using groups facilitates setting security on objects, such as assigning access to the SAS Content Server locations where SAS IT Resource Management reports are available.

CAUTION:

ITRM Report Center does not support nested groups for the IT Resource Management Report Center Users group.

For this reason, to create a new IT Resource Management Report Center group, add the IT Resource Management: Report Center role to that group.

If you want to create an administrators group, make that group a member of the supplied IT Resource Management Report Center Administrators group.

Role

A role determines the capabilities that you have when you use a SAS application. Membership in a role provides the member with the capability to perform a task. The role controls the availability of application capabilities (or features) such as access to ITRM Report Center workspaces.

Note: Each role provides multiple capabilities. Your administrator can assign you to the groups that are members of the appropriate roles for the SAS work that you perform.

Capability

A capability is a SAS application feature that is under role-based management. Anyone who is a member of a role or who inherits a role through its group membership has all of that role's capabilities. For example, a capability might be the ability to perform the duties of an IT Resource Management Report Center administrator in ITRM Report Center.

For more information about defining sign-in metadata for users, see the SAS 9.4 Intelligence Platform: Security Administration Guide. This document can be found in the Administration Documentation section of the SAS Intelligence Platform documentation that is available at this location: http://support.sas.com/documentation/onlinedoc/intellplatform/index.html.

User Authorization

When SAS IT Resource Management is installed, two SAS metadata-based application groups are created to control access to ITRM Report Center workspaces and functions: IT Resource Management Report Center Users and IT Resource Management Report Center Administrators. In addition, for all SAS applications, a group called SASUSERS is established. SAS administrators can define additional users and groups as part of the setup tasks for SAS IT Resource Management.

Each user who is established with a metadata identity in SAS Management Console can be a member of a group that is assigned capabilities through a role.

Groups That Are Supported by ITRM Report Center
Application Groups	Roles	Capabilities	Notes
SASUSERS	(not applicable)	Has limited access to the Home and Gallery workspaces (if not a member of any other group)	SASUSERS are users who have metadata identities.
IT Resource Management Report Center Users	IT Resource Management: Report Center User	Has access to ITRM Report Center Home, Gallery, and Resource workspaces
IT Resource Management Report Center Administrators	IT Resource Management: Report Center Administrator	Has access to all ITRM Report Center workspaces and functions
SAS Administrators (members of the Metadata Server: Unrestricted role)		Has access to the Administration workspace	SAS administrators cannot access the other workspaces of ITRM Report Center.

SAS administrators can use SAS Management Console to assign individual users to groups that are members of roles with capabilities that are appropriate for the work that they perform. For more information about how to use SAS Management Console, see Chapter 2, “Preparing to Work with the SAS IT Resource Management Client,” in the SAS IT Resource Management 3.6: Administrator’s Guide. To locate the SAS IT Resource Management documentation, use the Products Index at http://support.sas.com/documentation/index.html.

About the SASUSERS Group

The most basic access to ITRM Report Center is granted to users who are members of the SASUSERS group. Members of this group have limited access to the Home and Gallery workspaces. They can also use the functions of these workspaces such as viewing shared galleries and creating folders and albums that are not restricted by metadata roles. SASUSERS have access to reports that are stored in the SAS Content Server location that is defined in the ITRM Report Center Administration workspace.

SASUSERS group members are those users who have a SAS metadata identity on the IT Resource Management metadata server. They are implicitly defined by SAS as described in the Members property for this group in SAS Management Console.

The following table shows the capabilities that are available to SASUSERS.

Table of ITRM Report Center Capabilities for SASUSERS
Capability	SASUSERS
Home Workspace	Yes Note: The Alerts pane and the Show Related Report action of the Watch List pane are not available.
Gallery Workspace	Yes
Folders	Yes Note: SASUSERS can create, edit, delete, copy, and share personal folders.
Access to Galleries	Yes Note: SASUSERS can access galleries that are shared with them. SASUSERS can also access reports in those galleries that are in SCS locations to which they have access.
Albums	Yes Note: SASUSERS can create, edit, delete, share, and copy personal albums.
Access to Exception Reports	Yes
Watch Lists	Yes
Email Reports	Yes

About the IT Resource Management Report Center Administrators Group and the IT Resource Management Report Center Users Group

Other users access ITRM Report Center with specific groups and roles that allow them to perform ITRM Report Center functions. These are the IT Resource Management Administrators group and the IT Resource Management Report Center Users group.

Users who are members of the IT Resource Management Report Center Administrators group have full access to ITRM Report Center workspaces and functionality.

Any user who administers ITRM Report Center must be a member of the IT Resource Management Report Center Administrators group that is supplied when SAS IT Resource Management is installed.
Users who are members of the IT Resource Management Report Center Users group have access to ITRM Report Center Home, Gallery, and Resource workspaces and the full functionality in each.

Note: SAS IT Resource Management supports multiple IT Resource Management Report Center Administrators groups and IT Resource Management Report Center Users groups.

Permission to access the SAS IT Resource Management performance and exception reports stored in the SAS Content Server is granted based on the SAS metadata-based application group to which a user belongs. By default, SAS IT Resource Management reports are written to <Middle-Tier-Server-Name>/SASContentServer/repository/default/sasdav/ITRM and all ITRM Report Center users have access to this location. Multiple SAS Content Server locations can be used to permit and restrict groups of users to access SAS IT Resource Management reports.

Note: For more information about using multiple SAS Content Server locations, see Overview of the Administration Workspace.

Members of the IT Resource Management Report Center Administrators group are members of the IT Resource Management: Report Center Administrator role. Members of the IT Resource Management Report Center Users group are members of the IT Resource Management: Report Center User role. The following table shows the capabilities that are available for these IT Resource Management: Report Center roles.

Table of ITRM Report Center Capabilities for Users and Administrators
Capability	IT Resource Management: Report Center User Role	IT Resource Management: Report Center Administrator Role
Administration Workspace	No	Yes
Home Workspace	Yes	Yes
Gallery Workspace	Yes	Yes Note: The Edit button is not enabled for this role while working on the `Users' Galleries and Albums` folder. Therefore, the administrator cannot modify the gallery objects of another user.
Resource Workspace	Yes	Yes
Folders	Yes	Yes Note: Administrators can also copy and delete the folders of other users.
Galleries	Yes	Yes Note: Administrators can also copy and delete the galleries of other users.
Albums	Yes	Yes Note: Administrators can also copy and delete the albums of other users.
Exception Reports	Yes	Yes
Alerts	Yes	Yes
Watch Lists	Yes	Yes
Email Reports	Yes	Yes
Administrative Tasks	No	Yes Note: For information about administrative tasks, see Overview of the Administration Workspace.

Note: ITRM Report Center capabilities that are not restricted by role are available to the IT Resource Management: Report Center User role. Similarly, the capabilities of the IT Resource Management: Report Center User role are available to the IT Resource Management: Report Center Administrator role.

About the Metadata Server: Unrestricted Role

User IDs with the SAS Metadata Server: Unrestricted role can access SAS Management Console to assign and manage ITRM Report Center roles, groups, and users. The SAS Metadata Server: Unrestricted role is also used to manage the IT Resource Management application configuration properties. The following documentation provides pertinent information:

SAS 9.4 Management Console: Guide to Users and Permissions
SAS 9.4 Intelligence Platform: Security Administration Guide
SAS IT Resource Management 3.6: Administrator’s Guide

Note: Locate this documentation by using the Products Index A-Z at http://support.sas.com/documentation/index.html.

User IDs with the SAS Metadata Server: Unrestricted role can view and manage files and WebDAV folders in the SAS Content Server. Using the Administration Console component of the SAS Content Server, you can view, delete, and set permissions for WebDAV folders and files. For more information see “Using the SAS Content Server Administration Console” in the SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide.

Note: User IDs with the SAS Metadata Server: Unrestricted role should not be used to access ITRM Report Center. If a user with the SAS Metadata Server: Unrestricted role accesses ITRM Report Center, then access is limited to the Administration workspace only. This ITRM Report Center restriction is in effect to avoid situations where users with the SAS Metadata Server: Unrestricted role create ITRM Report Center objects that cannot be managed by members of the IT Resource Management Report Center Administrators group.

Additional Notes about Roles, Capabilities, and Groups

A role manages the availability of capabilities such as menu items. This list highlights key points:

Roles are used to manage SAS application capabilities.
Roles and groups serve distinct purposes. You cannot assign permissions to a role or capabilities to a group.
Capabilities are always additive. Assigning someone to a role never reduces what that user can do.

Tip

Creating groups can simplify security management. For best results, consider the following advice:

It is not advisable to create a custom role and assign that role to a group. For best results, create a group and assign the supplied roles to it.
It is more efficient to assign permissions to groups than to individual users.