A SAS^® Metadata Server runs for a while before a client request changes an IdentityGroup membership or a Login for a Person object. When this occurs, requests from users who are members of the Unrestricted Users fixed role no longer have Unrestricted privilege. The security server Open Metadata Interface (ISecurity.GetInfo) method reports the UserClass as Normal instead of Unrestricted AND the user is also denied access to objects that Unrestricted privilege grants. The GetInfo method is called by many applications (for example, SAS^® Management Console) to determine whether a person has the privileges that are required accomplish certain tasks.

For more information on the GetUnfo method, see the Authorization (ISecurity Interface) GetInfo method in SAS(R) 9.2 Open Metadata Interface: Reference and Usage.

The SAS Metadata Server might indicate that a user with membership in one of the SAS Metadata Server fixed roles does not have the role. The SAS Metadata Server fixed roles that are affected are the following:

• Metadata Server: UnRestricted
• Metadata Server: User Administration
• Metadata Server: Operation

Requests from users who are members of these fixed roles no longer have the associated privileges. The server will report that the UserClass value is Normal instead of IdentityAdmin and that the user is also denied access to objects that the privilege grants. Similarly, requests from users who are members of the Unrestricted Users fixed role no longer have Unrestricted privilege. In addition, requests from users who are members of the Operation fixed role no longer have the Operation privilege.

To circumvent this issue, the search for membership in one of the fixed roles will fail until the SAS Metadata Server is restarted.

The login user ID that matches a user ID entry in the adminusers.txt file is not effected by this issue.

Click the Hot Fix tab in this note to access the hot fix for this issue.

Operating System and Release Information

Product Family	Product	System	SAS Release
			Reported	Fixed*
SAS System	SAS Metadata Server	HP-UX IPF	9.2 TS2M2	9.3 TS1M0
		64-bit Enabled Solaris	9.2 TS2M2	9.3 TS1M0
		64-bit Enabled HP-UX	9.2 TS2M2	9.3 TS1M0
		64-bit Enabled AIX	9.2 TS2M2	9.3 TS1M0
		Windows Vista for x64	9.2 TS2M2	9.3 TS1M0
		Windows Vista	9.2 TS2M2	9.3 TS1M0
		Windows 7 Ultimate x64	9.2 TS2M2	9.3 TS1M0
		Windows 7 Ultimate 32 bit	9.2 TS2M2	9.3 TS1M0
		Windows 7 Professional x64	9.2 TS2M2	9.3 TS1M0
		Windows 7 Professional 32 bit	9.2 TS2M2	9.3 TS1M0
		Windows 7 Home Premium x64	9.2 TS2M2	9.3 TS1M0
		Windows 7 Home Premium 32 bit	9.2 TS2M2	9.3 TS1M0
		Windows 7 Enterprise x64	9.2 TS2M2	9.3 TS1M0
		Windows 7 Enterprise 32 bit	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows XP Professional	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows Server 2008 for x64	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows Server 2008	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows Server 2003 for x64	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows Server 2003 Standard Edition	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows Server 2003 Enterprise Edition	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows Server 2003 Datacenter Edition	9.2 TS2M2	9.3 TS1M0
		Microsoft® Windows® for x64	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows XP 64-bit Edition	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows Server 2003 Enterprise 64-bit Edition	9.2 TS2M2	9.3 TS1M0
		Microsoft Windows Server 2003 Datacenter 64-bit Edition	9.2 TS2M2	9.3 TS1M0
		Microsoft® Windows® for 64-Bit Itanium-based Systems	9.2 TS2M2	9.3 TS1M0
		z/OS	9.2 TS2M2
		Linux	9.2 TS2M2	9.3 TS1M0
		Linux for x64	9.2 TS2M2	9.3 TS1M0
		Solaris for x64	9.2 TS2M2	9.3 TS1M0

* For software releases that are not yet generally available, the Fixed Release is the software release in which the problem is planned to be fixed.

---

A fix for this issue for Base SAS 9.21_M1 is available at:

http://ftp.sas.com/techsup/download/hotfix/HF2/A50.html#41201

---

A fix for this issue for Base SAS 9.21_M3 is available at:

http://ftp.sas.com/techsup/download/hotfix/HF2/B25.html#41201

---

In rare cases, a search fails for a user who is searching the membership of the SAS® Metadata Server fixed roles (Unrestricted, User Administration or Operation). The requesting user is shown as a "Normal" UserClass instead of the "unrestricted", "IdentityInfo" or "Operator" UserClass.

Type:	Problem Note
Priority:	medium

Date Modified:	2010-11-09 09:27:31
Date Created:	2010-10-11 15:03:14