Who Can Manage Users, Groups, and Roles?

The following table summarizes the permissions and capabilities that are required for selected user administration tasks in SAS Management Console.

Minimum Requirements by Task
Task Set	Requirements
Create, update, or delete your own logins.	The User Manager capability.
Create, update, or delete restricted identities.	The User Manager capability. User administration capabilities (provided implicitly by the Metadata Server: User Administration role). The WriteMetadata permission (for existing identities, software component objects that provide role capabilities, and the repository).
Create or delete an unrestricted user. Change memberships of an unrestricted user. Make changes to the Metadata Server: Unrestricted role.	Unrestricted status (provided implicitly by the Metadata Server: Unrestricted role).

Here are some additional details:

In the initial configuration, user administration privileges are distributed as follows:
- All registered users can update their own logins.
- Members of the SAS Administrators group can add and manage restricted identities.
- Only one user, the SAS Administrator, can add and manage unrestricted identities.
As an alternative to using SAS Management Console to update your logins, you can use SAS Personal Login Manager (a stand-alone desktop utility).
You can delegate management of an existing group or role to someone who does not have user administration capabilities. See Delegate Management of a Group or Role.