Add Administrators

To create an individual SAS identity that is based on an internal account:
  1. On the Plug-ins tab, select User Manager. Make sure that you are in the foundation repository.
  2. For each administrator:
    1. Right-click and select New, then select User.
    2. On the General tab, enter a name.
      Note: The administrator's internal user ID will be based on this name, so it is a good idea to use a short identifier.
    3. On the Accounts tab, click Create Internal Account. In the New Internal Account dialog box, enter and confirm an initial password.
      Note: By initial policy, internal passwords must be at least six characters, don't have to include mixed case or numbers, and don't expire.
      Tip: If you want to force a password change on first use, set a password expiration period.
    4. On the Groups and Roles tab, move the SAS Administrators group to the Member of list box. This makes the new user a member of SAS Administrators.
    5. Click OK to save the new administrator.
  3. (Optional) To verify your work, examine the SAS Administrators group:
    1. In the main display, select the SAS Administrators group, right-click, and select Properties.
    2. On the Members tab, verify that the new administrators are in the Current Members list box.
    3. On the Groups and Roles tab, verify that the Member of list box includes at least these standard memberships:
      • Metadata Server: User Administration
      • Metadata Server: Operation
      • Management Console: Advanced
      In a standard configuration, members of the SAS Administrators group are able to perform almost all administrative tasks.
This list highlights key points:
  • You don't have to use internal accounts for your administrators. You can choose to give an administrator an external account and a corresponding login as you would for a regular user.
  • When you log on with an internal account, remember to include the @saspw suffix (for example, sasadm@saspw).
  • A few administrative tasks (such as validating a workspace server, testing prompts, performing backups, and importing and exporting physical content) use a standard workspace server. Someone who has only an internal account can't perform such tasks without interactively providing external credentials.
  • If you want to make someone an unrestricted administrator, move the Metadata Server: Unrestricted role to the Member of list box in step 2d (the Groups and Roles tab step).
  • To conform to the rule of least privilege, we recommend that administrators do not also serve as regular users. If you want someone to be an administrator only some of the time, create two user definitions for that person.
    • One definition is based on an external account and is not a member of SAS Administrators.
    • The other definition is based on an internal account and is a member of SAS Administrators.
    A dual user logs on with their internal account when they need administrative privileges and with their external account the rest of the time.