Problem Note 41201: The SAS® Metadata Server might report that the members of the SAS Metadata Server fixed roles no longer have the associated privileges
A SAS® Metadata Server runs for a while before a client request changes an
IdentityGroup membership or a Login for a Person object. When this occurs,
requests from users who are members of the Unrestricted Users fixed role no
longer have Unrestricted privilege. The security server Open Metadata Interface (ISecurity.GetInfo) method reports the UserClass as Normal instead of Unrestricted AND the user is also denied access to objects that Unrestricted privilege grants. The GetInfo method is called by many applications (for example, SAS® Management Console) to determine whether a person has the privileges that are required accomplish certain tasks.
For more information on the GetUnfo method, see the Authorization (ISecurity Interface) GetInfo method in SAS(R) 9.2 Open Metadata Interface: Reference and Usage.
The SAS Metadata Server might indicate that a user with membership in one of the
SAS Metadata Server fixed roles does not have the role. The SAS Metadata Server fixed roles that are affected are the following:
- Metadata Server: UnRestricted
- Metadata Server: User Administration
- Metadata Server: Operation
Requests from users who are members of these fixed roles no longer have the associated privileges. The server will report that the UserClass value is Normal instead of IdentityAdmin and that the user is also
denied access to objects that the privilege grants.
Similarly, requests from users who are members of the Unrestricted Users fixed role no longer have Unrestricted privilege. In addition, requests from users who are members of the Operation fixed role no longer have the Operation privilege.
To circumvent this issue, the search for membership in one of the fixed roles will fail until the SAS Metadata Server is restarted.
The login user ID that matches a user ID entry in the adminusers.txt file is not effected by this issue.
Click the Hot Fix tab in this note to access the hot fix for this issue.
Operating System and Release Information
SAS System | SAS Metadata Server | HP-UX IPF | 9.2 TS2M2 | 9.3 TS1M0 |
64-bit Enabled Solaris | 9.2 TS2M2 | 9.3 TS1M0 |
64-bit Enabled HP-UX | 9.2 TS2M2 | 9.3 TS1M0 |
64-bit Enabled AIX | 9.2 TS2M2 | 9.3 TS1M0 |
Windows Vista for x64 | 9.2 TS2M2 | 9.3 TS1M0 |
Windows Vista | 9.2 TS2M2 | 9.3 TS1M0 |
Windows 7 Ultimate x64 | 9.2 TS2M2 | 9.3 TS1M0 |
Windows 7 Ultimate 32 bit | 9.2 TS2M2 | 9.3 TS1M0 |
Windows 7 Professional x64 | 9.2 TS2M2 | 9.3 TS1M0 |
Windows 7 Professional 32 bit | 9.2 TS2M2 | 9.3 TS1M0 |
Windows 7 Home Premium x64 | 9.2 TS2M2 | 9.3 TS1M0 |
Windows 7 Home Premium 32 bit | 9.2 TS2M2 | 9.3 TS1M0 |
Windows 7 Enterprise x64 | 9.2 TS2M2 | 9.3 TS1M0 |
Windows 7 Enterprise 32 bit | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows XP Professional | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows Server 2008 for x64 | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows Server 2008 | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows Server 2003 for x64 | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows Server 2003 Standard Edition | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows Server 2003 Enterprise Edition | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows Server 2003 Datacenter Edition | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft® Windows® for x64 | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows XP 64-bit Edition | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows Server 2003 Enterprise 64-bit Edition | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft Windows Server 2003 Datacenter 64-bit Edition | 9.2 TS2M2 | 9.3 TS1M0 |
Microsoft® Windows® for 64-Bit Itanium-based Systems | 9.2 TS2M2 | 9.3 TS1M0 |
z/OS | 9.2 TS2M2 | |
Linux | 9.2 TS2M2 | 9.3 TS1M0 |
Linux for x64 | 9.2 TS2M2 | 9.3 TS1M0 |
Solaris for x64 | 9.2 TS2M2 | 9.3 TS1M0 |
*
For software releases that are not yet generally available, the Fixed
Release is the software release in which the problem is planned to be
fixed.
In rare cases, a search fails for a user who is searching the membership of the SAS® Metadata Server fixed roles (Unrestricted, User Administration or Operation). The requesting user is shown as a "Normal" UserClass instead of the "unrestricted", "IdentityInfo" or "Operator" UserClass.
Type: | Problem Note |
Priority: | medium |
Date Modified: | 2010-11-09 09:27:31 |
Date Created: | 2010-10-11 15:03:14 |