ITRM Report Center Users and Groups

Understanding Groups, Roles, and Capabilities

Membership in IT Resource Management groups and roles is necessary in order to work with ITRM Report Center.
Note: Membership in SAS IT Resource Management groups and roles is not necessary to work with the SAS IT Resource Management client.
Using the User Manager component of SAS Management Console, the SAS administrator can manage users, groups, and roles. A group’s membership in a role determines the SAS application capabilities for the users in that group. Typically, users are members of groups and groups are members of roles.
Here are some definitions of the terms that pertain to this topic:
Group
A group is a set of users. Membership in a group provides the member with the ability to access certain objects. Using groups facilitates setting security on objects, such as assigning access to the SAS Content Server locations where SAS IT Resource Management reports are available.
CAUTION:
ITRM Report Center does not support nested groups for the IT Resource Management Report Center Users group.
For this reason, to create a new IT Resource Management Report Center group, add the IT Resource Management: Report Center role to that group.
If you want to create an administrators group, make that group a member of the supplied IT Resource Management Report Center Administrators group.
Role
A role determines the capabilities that you have when you use a SAS application. Membership in a role provides the member with the capability to perform a task. The role controls the availability of application capabilities (or features) such as access to ITRM Report Center workspaces.
Note: Each role provides multiple capabilities. Your administrator can assign you to the groups that are members of the appropriate roles for the SAS work that you perform.
Capability
A capability is a SAS application feature that is under role-based management. Anyone who is a member of a role or who inherits a role through its group membership has all of that role's capabilities. For example, a capability might be the ability to perform the duties of an IT Resource Management Report Center administrator in ITRM Report Center.
For more information about defining sign-in metadata for users, see the SAS 9.4 Intelligence Platform: Security Administration Guide. This document can be found in the Administration Documentation section of the SAS Intelligence Platform documentation that is available at this location: http://support.sas.com/documentation/onlinedoc/intellplatform/index.html.

User Authorization

When SAS IT Resource Management is installed, two SAS metadata-based application groups are created to control access to ITRM Report Center workspaces and functions: IT Resource Management Report Center Users and IT Resource Management Report Center Administrators. In addition, for all SAS applications, a group called SASUSERS is established. SAS administrators can define additional users and groups as part of the setup tasks for SAS IT Resource Management.
Each user who is established with a metadata identity in SAS Management Console can be a member of a group that is assigned capabilities through a role.
Groups That Are Supported by ITRM Report Center
Application Groups
Roles
Capabilities
Notes
SASUSERS
(not applicable)
Has limited access to the Home and Gallery workspaces (if not a member of any other group)
SASUSERS are users who have metadata identities.
IT Resource Management Report Center Users
IT Resource Management: Report Center User
Has access to ITRM Report Center Home, Gallery, and Resource workspaces
IT Resource Management Report Center Administrators
IT Resource Management: Report Center Administrator
Has access to all ITRM Report Center workspaces and functions
SAS Administrators (members of the Metadata Server: Unrestricted role)
Has access to the Administration workspace
SAS administrators cannot access the other workspaces of ITRM Report Center.
SAS administrators can use SAS Management Console to assign individual users to groups that are members of roles with capabilities that are appropriate for the work that they perform. For more information about how to use SAS Management Console, see Chapter 2, “Preparing to Work with the SAS IT Resource Management Client,” in the SAS IT Resource Management 3.7: Administrator’s Guide. To locate the SAS IT Resource Management documentation, use the Products Index at http://support.sas.com/documentation/index.html.

About the SASUSERS Group

The most basic access to ITRM Report Center is granted to users who are members of the SASUSERS group. Members of this group have limited access to the Home and Gallery workspaces. They can also use the functions of these workspaces such as viewing shared galleries and creating folders and albums that are not restricted by metadata roles. SASUSERS have access to reports that are stored in the SAS Content Server location that is defined in the ITRM Report Center Administration workspace.
SASUSERS group members are those users who have a SAS metadata identity on the IT Resource Management metadata server. They are implicitly defined by SAS as described in the Members property for this group in SAS Management Console.
The following table shows the capabilities that are available to SASUSERS.
Table of ITRM Report Center Capabilities for SASUSERS
Capability
SASUSERS
Home Workspace
Yes
Note: The Alerts pane and the Show Related Report action of the Watch List pane are not available.
Gallery Workspace
Yes
Folders
Yes
Note: SASUSERS can create, edit, delete, copy, and share personal folders.
Access to Galleries
Yes
Note: SASUSERS can access galleries that are shared with them. SASUSERS can also access reports in those galleries that are in SCS locations to which they have access.
Albums
Yes
Note: SASUSERS can create, edit, delete, share, and copy personal albums.
Access to Exception Reports
Yes
Watch Lists
Yes
Email Reports
Yes

About the IT Resource Management Report Center Administrators Group and the IT Resource Management Report Center Users Group

Other users access ITRM Report Center with specific groups and roles that allow them to perform ITRM Report Center functions. These are the IT Resource Management Administrators group and the IT Resource Management Report Center Users group.
  • Users who are members of the IT Resource Management Report Center Administrators group have full access to ITRM Report Center workspaces and functionality.
    Any user who administers ITRM Report Center must be a member of the IT Resource Management Report Center Administrators group that is supplied when SAS IT Resource Management is installed.
  • Users who are members of the IT Resource Management Report Center Users group have access to ITRM Report Center Home, Gallery, and Resource workspaces and the full functionality in each.
Note: SAS IT Resource Management supports multiple IT Resource Management Report Center Administrators groups and IT Resource Management Report Center Users groups.
Permission to access the SAS IT Resource Management performance and exception reports stored in the SAS Content Server is granted based on the SAS metadata-based application group to which a user belongs. By default, SAS IT Resource Management reports are written to <Middle-Tier-Server-Name>/SASContentServer/repository/default/sasdav/ITRM and all ITRM Report Center users have access to this location. Multiple SAS Content Server locations can be used to permit and restrict groups of users to access SAS IT Resource Management reports.
Note: For more information about using multiple SAS Content Server locations, see Overview of the Administration Workspace.
Members of the IT Resource Management Report Center Administrators group are members of the IT Resource Management: Report Center Administrator role. Members of the IT Resource Management Report Center Users group are members of the IT Resource Management: Report Center User role. The following table shows the capabilities that are available for these IT Resource Management: Report Center roles.
Table of ITRM Report Center Capabilities for Users and Administrators
Capability
IT Resource Management: Report Center User Role
IT Resource Management: Report Center Administrator Role
Administration Workspace
No
Yes
Home Workspace
Yes
Yes
Gallery Workspace
Yes
Yes
Note: The Edit button is not enabled for this role while working on the Users' Galleries and Albums folder. Therefore, the administrator cannot modify the gallery objects of another user.
Resource Workspace
Yes
Yes
Folders
Yes
Yes
Note: Administrators can also copy and delete the folders of other users.
Galleries
Yes
Yes
Note: Administrators can also copy and delete the galleries of other users.
Albums
Yes
Yes
Note: Administrators can also copy and delete the albums of other users.
Exception Reports
Yes
Yes
Alerts
Yes
Yes
Watch Lists
Yes
Yes
Email Reports
Yes
Yes
Administrative Tasks
No
Yes
Note: For information about administrative tasks, see Overview of the Administration Workspace.
Note: ITRM Report Center capabilities that are not restricted by role are available to the IT Resource Management: Report Center User role. Similarly, the capabilities of the IT Resource Management: Report Center User role are available to the IT Resource Management: Report Center Administrator role.

About the Metadata Server: Unrestricted Role

User IDs with the SAS Metadata Server: Unrestricted role can access SAS Management Console to assign and manage ITRM Report Center roles, groups, and users. The SAS Metadata Server: Unrestricted role is also used to manage the IT Resource Management application configuration properties. The following documentation provides pertinent information:
  • SAS 9.4 Management Console: Guide to Users and Permissions
  • SAS 9.4 Intelligence Platform: Security Administration Guide
  • SAS IT Resource Management 3.7: Administrator’s Guide
Note: Locate this documentation by using the Products Index A-Z at http://support.sas.com/documentation/index.html.
User IDs with the SAS Metadata Server: Unrestricted role can view and manage files and WebDAV folders in the SAS Content Server. Using the Administration Console component of the SAS Content Server, you can view, delete, and set permissions for WebDAV folders and files. For more information see “Using the SAS Content Server Administration Console” in the SAS 9.4 Intelligence Platform: Middle-Tier Administration Guide.
Note: User IDs with the SAS Metadata Server: Unrestricted role should not be used to access ITRM Report Center. If a user with the SAS Metadata Server: Unrestricted role accesses ITRM Report Center, then access is limited to the Administration workspace only. This ITRM Report Center restriction is in effect to avoid situations where users with the SAS Metadata Server: Unrestricted role create ITRM Report Center objects that cannot be managed by members of the IT Resource Management Report Center Administrators group.

Additional Notes about Roles, Capabilities, and Groups

A role manages the availability of capabilities such as menu items. This list highlights key points:
  • Roles are used to manage SAS application capabilities.
  • Roles and groups serve distinct purposes. You cannot assign permissions to a role or capabilities to a group.
  • Capabilities are always additive. Assigning someone to a role never reduces what that user can do.
Tip
Creating groups can simplify security management. For best results, consider the following advice:
  • It is not advisable to create a custom role and assign that role to a group. For best results, create a group and assign the supplied roles to it.
  • It is more efficient to assign permissions to groups than to individual users.