
Understanding the State of Your System

Overview of Initial Roles, Groups, and Users


About User Roles for System Administration


Overview of System Administration User Roles

A user role is a set of capabilities. Some SAS applications make certain actions available only to users or groups that have a particular role. To enable a user or group to perform those actions, you add the user or group to the appropriate role.

During installation, the SAS Deployment Wizard creates metadata definitions for several user roles. The following initial roles are created for performing system administration tasks:

The SAS Deployment Wizard also creates some additional roles for users of specific client applications, including SAS Enterprise Guide, SAS Web Report Studio, and SAS Add-In for Microsoft Office.


Metadata Server: Unrestricted Role

Note: The initial name of this role is META: Unrestricted Users Role, and the initial display name for this role is Metadata Server: Unrestricted.

The Metadata Server: Unrestricted role has access to all metadata regardless of SAS permissions settings. Users in this role, which are referred to as unrestricted users, can do the following:

Follow these important guidelines when using an account that is in the Metadata Server: Unrestricted role:

The SAS Deployment Wizard places one user in this role. This user, which is generally called the SAS Administrator, is specified in the file adminUsers.txt. For details, see About the Initial User Accounts.

Note: The Metadata Server: Unrestricted role provides access to the metadata server, not to other SAS servers. Some administration tasks require access to a SAS Application Server, which might require additional credentials. For details, see Who Can Do What: Credential Requirements for SAS Management Console Tasks.


Metadata Server: User Administration Role

Note: The initial name of this role is META: User and Group Administrators Role, and the initial display name for this role is Metadata Server: User Administration. The SAS Deployment Wizard assigns the SAS Administrators group to this role.

Users who are assigned to the Metadata Server: User Administration role can create and modify users, groups, and roles. Users in this role are authorized to update user passwords. They cannot read existing passwords, except the passwords for their own logins.

For details about the user administration tasks, see the SAS Intelligence Platform: Security Administration Guide.


Metadata Server: Operation Role

Note: The initial name of this role is META: Operators Role, and the initial display name for this role is Metadata Server: Operation. The SAS Deployment Wizard assigns the SAS Administrators group to this role.

Users who are assigned to the Metadata Server: Operation role can perform the following tasks:

Users who perform these tasks must also be assigned to the SAS Management Console Advanced Role, which provides access to the Metadata Manager plug-in.

Management Console: Advanced Role

The Management Console: Advanced role is initially configured to allow access to all of the plug-ins in SAS Management Console. The SAS Deployment Wizard assigns the SAS Administrators group to this role.

You must make the following additional role assignments to enable certain functions:


Management Console: Content Management Role

The Management Console: Content Management role is initially configured to enable access to the following features of SAS Management Console:

To have access to certain functionality within the User Manager plug-in, the user must also be assigned to the Metadata Server: User Administration role or the Metadata Server: Unrestricted role.


About the Initial User Groups


User Groups Initially Defined in the Operating System

On some of the machines in your configuration, the following operating system user groups might have been defined during installation:

sas (UNIX only)

This group is used to control access to the configuration directories on UNIX machines. The group includes the installer (the sas user). Typically, you will not add any other users to this group.

SAS Server Users (Windows only)

This group might have been created on Windows machines that have stored process servers, pooled workspace servers, or standard workspace servers installed. During the installation process, you should have assigned this group the right to Log on as a batch job, which is required in order to start processes for those servers.

If you are not using Integrated Windows authentication, then you can add users to this group to enable them to start workspace server processes.

SASGRP (z/OS only)

On z/OS systems, this RACF group is used to control access to the configuration directory. The group is defined with an OMVS segment and is set as the default group for the SAS Installer and SAS Spawned Servers accounts.


User Groups Initially Defined in Metadata

The SAS Deployment Wizard creates the following user groups in metadata. These groups are part of the SAS Intelligence Platform security infrastructure. For information about how they are used to implement security, see the SAS Intelligence Platform: Security Administration Guide.

PUBLIC

a standard group with implicit membership. This group includes everyone who can access the metadata server, either directly or through a trust relationship. A user who does not have an individual identity uses the PUBLIC group identity.

SASUSERS

a standard group with implicit membership. This group includes all users who have individual identities.

SAS Administrators

a standard group for metadata administrators. By default, this group is granted broad access to the metadata and has all roles other than the Metadata Server: Unrestricted role.

SAS System Services

a standard group for service identities that need to read server definitions or other system resources.

SAS General Servers

a standard group whose members can be used for launching stored process servers and pooled workspace servers.

Table Server Administrators

a standard group that has permission to administer SAS Table Servers.

LSF Services

a group whose members can schedule jobs in the LSF component of Platform Suite for SAS. Beginning with the second maintenance release for SAS 9.2, this group is part of the standard configuration for sites that use Platform Suite for SAS to schedule SAS Web Report Studio reports.

The LSF Services group is not needed if you use SAS In-Process Services to schedule reports.

See also: lsfuser


About the Initial User Accounts


Overview of the Initial User Accounts

During installation, the SAS Deployment Wizard creates several initial user accounts. Some of these user accounts are created for all installations, some of the accounts are optional, and some of the accounts are created only if certain software components are installed. For each account, the following topics provide the default name and user ID, information about whether or when the account is required, the account's purpose and use, and the locations where the account is set up:

These user accounts might have been assigned different names at your site.

SAS Administrator

| Type of Installation | Default User Name | Default User ID | Required? | Location of Account |
| --- | --- | --- | --- | --- |
| New with default settings | SAS Administrator | sasadm@saspw | Yes | Metadata |
| New with external authentication selected | SAS Administrator | sasadm | Yes | Metadata and OS |
| Migrated from 9.1.3 | SAS Administrator | sasadm | Yes | Metadata and OS |

The SAS Administrator user account has privileges that are associated with the Metadata Server: Unrestricted role (see Metadata Server: Unrestricted Role). In addition, the SAS Administrator account is initially a member of the SAS Administrators group.

This user is defined in the following locations:

In new, default installations of SAS 9.2, the SAS Administrator is an internal user account that is known only to SAS and that is authenticated internally in metadata. When internal authentication is used, it is not necessary for this user to have a local or network account.

Note: We recommend that you establish individual metadata administrators rather than sharing the SAS Administrator account. See "Security Tasks" in the SAS Intelligence Platform: Security Administration Guide.


SAS Trusted User

| Type of Installation | Default User Name | Default User ID | Required? | Location of Account |
| --- | --- | --- | --- | --- |
| New with default settings | SAS Trusted User | sastrust@saspw | Yes | Metadata |
| New with external authentication selected | SAS Trusted User | sastrust | Yes | Metadata and OS |
| Migrated from 9.1.3 | SAS Trusted User | sastrust | Yes | Metadata and OS |

The SAS Trusted User is a privileged service account that can act on behalf of other users on a connection to the metadata server. No user should log on directly as a trusted user, except to perform certain administrative tasks associated with the SAS Information Delivery Portal. For details about those tasks, see the SAS Intelligence Platform: Web Application Administration Guide.

The SAS Trusted User is defined in the following locations:

In new, default installations of SAS 9.2, the SAS Trusted User is an internal user account that is known only to SAS and that is authenticated internally in metadata. When internal authentication is used, it is not necessary for this user to have a local or network account.

For detailed information about this user, see the SAS Intelligence Platform: Security Administration Guide.


SAS Installer

| Default User Name | Default User ID | Required? | Location of Account |
| --- | --- | --- | --- |
| SAS Installer | sas | Yes | OS |

The SAS Installer is a user account that is used to install and configure SAS software. On UNIX and z/OS systems, this account is the owner of configuration directories and their contents and is the process owner for items such as the metadata server, the OLAP server, and the object spawner. The account should continue to be available after installation so that it can be used to apply maintenance.

The SAS Installer account must be defined in the operating systems of the following machines:

This user is not defined in metadata.

SAS Spawned Servers Account

| Default User Name | Default User ID | Required? | Location of Account |
| --- | --- | --- | --- |
| SAS Spawned Servers | sassrv | Yes | OS and metadata (as a login for the SAS General Servers group) |

The SAS Spawned Servers account is the initially configured process owner for pooled workspace servers and stored process servers. An account for this user must be defined in the operating system of the following machines:

During the installation process on Windows machines, this user should have been assigned the right to Log on as a batch job. This right can also be assigned by adding the user to the SAS Server Users group.

This user does not have an individual metadata identity. However, a login for this user is defined for the SAS General Servers group.


SAS First User

| Default User Name | Default User ID | Required? | Location of Account |
| --- | --- | --- | --- |
| SAS Demo User | sasdemo | No | Metadata and OS |

The SAS First User is an optional account that can serve as a generic end user when you are testing any of the SAS client applications. During installation, the Software Deployment Wizard enables you to specify whether to create this user.

If you selected the option to create this user, then the user's account is defined in the following locations:

During the installation process on Windows machines, this user should have been assigned the right to Log on as a batch job. This right can also be assigned by adding the user to the SAS Server Users group.


SAS Anonymous Web User

| Type of Installation | Default User Name | Default User ID | Required? | Location of Account |
| --- | --- | --- | --- | --- |
| New with default settings | SAS Anonymous Web User | webanon@saspw | No | Metadata |
| New with external authentication selected | SAS Anonymous Web User | webanon | No | Metadata and OS |

The SAS Anonymous Web User is an optional account that is used to grant clients access to applicable SAS Web Infrastructure Platform components. When Web clients request access to Web services, they are not prompted for credentials but instead are granted access under this user account.

This user is defined in the following locations:


LSF Administrator

| Default User ID | Required? | Location of Account |
| --- | --- | --- |
| none | Yes, if Platform Suite for SAS is installed | OS |

The LSF administrator is the primary administrator for the Platform scheduling server and the owner of the Process Manager server. This user is required only if you have installed Platform Suite for SAS in support of either scheduling or grid computing.

The LSF administrator account must be defined in the operating system of the machine where Platform Suite for SAS is installed. This user must have full control of the LSF and Process Manager directories. On Windows systems, this user must belong to the Administrators Group and must have rights to Act as part of the operating system and Log on as a batch job.

This user is not defined in metadata.


lsfuser

| Default User ID | Required? | Location of Account |
| --- | --- | --- |
| lsfuser | Yes, if Platform Suite for SAS is installed and is used to schedule WRS reports | OS, metadata (as a login for the LSF Services group), and password file in LSF |

The lsfuser account is used by default when you schedule SAS Web Report Studio reports using the LSF component of Platform Suite for SAS. The lsfuser account must be defined in the operating system of the machine where Platform Suite for SAS is installed. On Windows machines, the account must also be added to the password file in the LSF software. For details, see "Enabling Report Scheduling With Platform Suite for SAS" in Scheduling in SAS.

This user does not have an individual metadata identity. However, a login for this user is defined for the LSF Services group, effective with the second maintenance release for SAS 9.2.
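The OS-level defaults described above (the UNIX `sas` group that normally contains only the installer, and the optional or externally authenticated accounts) can be checked on a host with a short audit. The following is an added example, not SAS-supplied code; it assumes the default user IDs from the tables on this page and runs on constructed `/etc/passwd` and `/etc/group` samples, and the finding labels are illustrative names.

```python
# Added example: audit default SAS 9.2 OS accounts on a UNIX host.
# IDs are the defaults listed on this page; sites may have renamed them.
INSTALLER = "sas"      # SAS Installer, normally the only member of group "sas"
CONFIG_GROUP = "sas"   # controls access to the configuration directories
WATCH = {
    "sasdemo": "optional-account-present",          # SAS First User (optional)
    "webanon": "optional-account-present",          # SAS Anonymous Web User (optional)
    "sasadm": "internal-identity-has-os-account",   # OS account only with external
    "sastrust": "internal-identity-has-os-account", # authentication or 9.1.3 migration
}

# Constructed sample data in /etc/passwd and /etc/group format.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
sas:x:1001:1001:SAS Installer:/home/sas:/bin/bash
sassrv:x:1002:1002:SAS Spawned Servers:/home/sassrv:/bin/bash
sasdemo:x:1003:1003:SAS Demo User:/home/sasdemo:/bin/bash
jdoe:x:1100:1001:Analyst:/home/jdoe:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:
sas:x:1001:sas,backup
sassrv:x:1002:
"""

def parse(text, nfields):
    """Split colon-delimited records, skipping blanks, comments and short rows."""
    rows = [l.split(":") for l in text.splitlines() if l and not l.startswith("#")]
    return [r for r in rows if len(r) >= nfields]

def audit(passwd_text, group_text):
    """Return (finding, account) tuples for deviations from the documented defaults."""
    users = parse(passwd_text, 7)
    findings = []
    for name, _pw, gid, members in (g[:4] for g in parse(group_text, 4)):
        if name != CONFIG_GROUP:
            continue
        listed = {m for m in members.split(",") if m}
        # Users whose primary GID is this group are members too,
        # but they do not appear in the /etc/group member list.
        primary = {u[0] for u in users if u[3] == gid}
        for extra in sorted((listed | primary) - {INSTALLER}):
            findings.append(("extra-config-group-member", extra))
    for u in users:
        if u[0] in WATCH:
            findings.append((WATCH[u[0]], u[0]))
    return findings

if __name__ == "__main__":
    for kind, account in audit(SAMPLE_PASSWD, SAMPLE_GROUP):
        print(f"{kind}: {account}")
```

On a real host, pass the contents of `/etc/passwd` and `/etc/group` to `audit()`; accounts resolved through LDAP or NIS are not in those files and need `getent` output instead.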
