To
practice customizing the distribution of capabilities across roles,
complete this exercise in SAS Management Console:
-
Log on as someone who
has user administration capabilities and is a member of the SAS Administrators
group (for example, sasadm@saspw).
-
On the Plug-ins tab,
select User Manager (make sure you are in
the foundation repository). In the display area, clear the Show
Users and Show Groups check
boxes. The roles that exist in your deployment are displayed.
-
Right-click
User
Manager and select
NewRole. On the
General tab,
enter
Test Role
in the
Name field.
Note: Creating a new role isolates
this exercise from the rest of your deployment, ensuring that your
current configuration is preserved.
-
To learn how to directly
assign capabilities, select the Capabilities tab:
-
Notice that a message
at the top of the tab reminds you that a few capabilities (for example,
those of the metadata server's roles) are not listed on this
tab (because those capabilities are implicit).
-
Notice that the first
node (
Applications) has an empty branch icon
. This indicates that no explicit capabilities are assigned to this
role.
-
Notice that there is a second-level node for each component that provides explicit
capabilities. A role can provide capabilities from multiple applications.
-
Click
+
to
expand the
Management Console node. Click
+
to expand the
Plug-ins node.
Select the
Authorization Manager check box.
Notice that the branch icons are now partial
. This indicates that some of the capabilities are
selected.
Note: To see a description of any
capability, click that capability's text and look at the Description field
at the bottom of the tab.
-
Click the partial icon
for the
Plug-ins folder.
This action causes all of the capabilities beneath that node to be
explicitly selected. Click again to cycle back to the empty branch
icon (no capabilities assigned). Click a third time to revert to the
immediately preceding state (only the
Authorization Manager check
box selected).
-
Click the Authorization
Manager check box to clear it.
-
To learn how to indirectly
assign capabilities, select the Contributing Roles tab:
-
In the Available
Roles list, select Management Console: Content
Management. Before you make this a contributing role, verify its capabilities.
-
Move the Management
Console: Content Management role to the Current
Roles list. This role now contributes all of its capabilities
to your new role. If capabilities of this contributing role change,
the capabilities of your test role change also.
It is necessary to use
contributing roles in these circumstances:
-
You want to extend implicit capabilities
(like the capabilities of the metadata server roles) to other roles.
-
You want to provide dynamic aggregation of roles so that changes to one role propagate
to other roles that have the first role as a contributing role.
-
To learn about interactions between contributed and directly assigned capabilities,
select your test role's Capabilities tab again.
-
Under
Management ConsolePlug-ins, notice that capabilities from the
Management
Console: Content Management role are now selected. A gray circle icon identifies these as contributed capabilities.
-
Select the already-selected Authorization
Manager check box. This adds a direct assignment on top of the contributed assignment, making
the assignment independent from the underlying contributing role.
-
Click the tree icon
for the Plug-ins folder three times (stop
when only the Authorization Manager check
box is explicitly selected).
-
Select the
Authorization
Manager check box again. It reverts back to the contributed state. You cannot incrementally
remove a contributed
capability.
-
To close the dialog box (and not save the test role), click Cancel.