Understanding the State of Your System
About User Roles for System Administration
A user role is a set of capabilities. Some SAS applications make certain actions available only to users or groups that have a particular role. To enable a user or group to perform those actions, you add the user or group to the appropriate role.
During installation, the SAS Deployment Wizard creates metadata definitions for several user roles. The following initial roles are created for performing system administration tasks:
The SAS Deployment Wizard also creates some additional roles for users of specific client applications, including SAS Enterprise Guide, SAS Web Report Studio, and SAS Add-In for Microsoft Office.
Note: To understand how role assignments affect a user's ability to perform the system administration tasks that are documented in this guide, see Who Can Do What: Credential Requirements for SAS Management Console Tasks.
For information about how to add users to roles or to define additional roles, see "Managing Users, Groups, and Roles" in the SAS Intelligence Platform: Security Administration Guide.
Note: The initial name of this role is META: Unrestricted Users Role, and the initial display name for this role is Metadata Server: Unrestricted.
The Metadata Server: Unrestricted role has access to all metadata regardless of SAS permissions settings. Users in this role, which are referred to as unrestricted users, can do the following:
- perform all of the functions that users in the Metadata Server: User Administration and Metadata Server: Operation roles can perform
- access all metadata except user passwords
- continue to access metadata repositories and use features of SAS Management Console when the metadata server is paused to the Administration state
Follow these important guidelines when using an account that is in the Metadata Server: Unrestricted role:
- This role is intended only for tasks that require unrestricted access to metadata (for example, adding other users to the Metadata Server: Unrestricted role, performing tasks when the metadata server is paused to the Administration state, and creating, deleting, formatting, and unregistering foundation repositories).
- Use the accounts in this role only to log on to SAS Management Console. You should not use these accounts to log on to other client applications.
Note: The Metadata Server: Unrestricted role provides access to the metadata server, not to other SAS servers. Some administration tasks require access to a SAS Application Server, which might require additional credentials. For details, see Who Can Do What: Credential Requirements for SAS Management Console Tasks.
Note: The initial name of this role is META: User and Group Administrators Role, and the initial display name for this role is Metadata Server: User Administration. The SAS Deployment Wizard assigns the SAS Administrators group to this role.
Users who are assigned to the Metadata Server: User Administration role can create and modify users, groups, and roles. Users in this role are authorized to update user passwords. They cannot read existing passwords, except the passwords for their own logins.
For details about the user administration tasks, see the SAS Intelligence Platform: Security Administration Guide.
Note: The initial name of this role is META: Operators Role, and the initial display name for this role is Metadata Server: Operation. The SAS Deployment Wizard assigns the SAS Administrators group to this role.
Users who are assigned to the Metadata Server: Operation role can perform the following tasks:
- stop, pause, resume, and reset (or refresh) the metadata server
- add, delete, format, and unregister metadata repositories (except the foundation repository)
The Management Console: Advanced role is initially configured to allow access to all of the plug-ins in SAS Management Console. The SAS Deployment Wizard assigns the SAS Administrators group to this role.
You must make the following additional role assignments to enable certain functions:
- the Metadata Server: User Administration role or the Metadata Server: Unrestricted role, to access functionality within the User Manager plug-in
- the Metadata Server: Operation role or the Metadata Server: Unrestricted role, to access some functions within the Metadata Manager plug-in
The Management Console: Content Management role is initially configured to enable access to the following features of SAS Management Console:
- the User Manager, Authorization Manager, and Library Manager plug-ins
- the Folders tab
To have access to certain functionality within the User Manager plug-in, the user must also be assigned to the Metadata Server: User Administration role or the Metadata Server: Unrestricted role.
About the Initial User Groups
On some of the machines in your configuration, the following operating system user groups might have been defined during installation:
This group is used to control access to the configuration directories on UNIX machines. The group includes the installer (the sas user). Typically, you will not add any other users to this group.
This group might have been created on Windows machines that have stored process servers, pooled workspace servers, or standard workspace servers installed. During the installation process, you should have assigned this group the right to Log on as a batch job, which is required in order to start processes for those servers.
If you are not using Integrated Windows authentication, then you can add users to this group to enable them to start workspace server processes.
On z/OS systems, this RACF group is used to control access to the configuration directory. The group is defined with an OMVS segment and is set as the default group for the SAS Installer and SAS Spawned Servers accounts.
The SAS Deployment Wizard creates the following user groups in metadata. These groups are part of the SAS Intelligence Platform security infrastructure. For information about how they are used to implement security, see the SAS Intelligence Platform: Security Administration Guide.
- a standard group with implicit membership. This group includes everyone who can access the metadata server, either directly or through a trust relationship. A user who does not have an individual identity uses the PUBLIC group identity.
- a standard group with implicit membership. This group includes all users who have individual identities.
- a standard group for metadata administrators. By default, this group is granted broad access to the metadata and has all roles other than the Metadata Server: Unrestricted role.
- a standard group for service identities that need to read server definitions or other system resources.
- a standard group whose members can be used for launching stored process servers and pooled workspace servers.
- a standard group that has permission to administer SAS Table Servers.
- a group whose members can schedule jobs in the LSF component of Platform Suite for SAS. Beginning with the second maintenance release for SAS 9.2, this group is part of the standard configuration for sites that use Platform Suite for SAS to schedule SAS Web Report Studio reports.
The LSF Services group is not needed if you use SAS In-Process Services to schedule reports.
See also: lsfuser
About the Initial User Accounts
During installation, the SAS Deployment Wizard creates several initial user accounts. Some of these user accounts are created for all installations, some of the accounts are optional, and some of the accounts are created only if certain software components are installed. For each account, the following topics provide the default name and user ID, information about whether or when the account is required, the account's purpose and use, and the locations where the account is set up:
The SAS Administrator user account has privileges that are associated with the Metadata Server: Unrestricted role (see Metadata Server: Unrestricted Role). In addition, the SAS Administrator account is initially a member of the SAS Administrators group.
This user is defined in the following locations:
- in the file adminUsers.txt, which is typically located in the following path:
  SAS-configuration-directory\Lev1\SASMeta\MetadataServer
  This file ensures that your site will always have at least one user with the privileges of an unrestricted user, regardless of what is specified in metadata. You cannot override this user's privileges by modifying the user definition in SAS Management Console.
- in metadata.
- in the operating system of the metadata server machine, only in the following situations:
  - You selected the External authentication option for this user during a custom installation.
  - You migrated your system from SAS 9.1.3 to SAS 9.2.
In new, default installations of SAS 9.2, the SAS Administrator is an internal user account that is known only to SAS and that is authenticated internally in metadata. When internal authentication is used, it is not necessary for this user to have a local or network account.
Note: We recommend that you establish individual metadata administrators rather than sharing the SAS Administrator account. See "Security Tasks" in the SAS Intelligence Platform: Security Administration Guide.
The SAS Trusted User is a privileged service account that can act on behalf of other users on a connection to the metadata server. No user should log on directly as a trusted user, except to perform certain administrative tasks associated with the SAS Information Delivery Portal. For details about those tasks, see the SAS Intelligence Platform: Web Application Administration Guide.
The SAS Trusted User is defined in the following locations:
- in metadata.
- in the file trustedUsers.txt, which is typically located in the following path:
  SAS-configuration-directory\Lev1\SASMeta\MetadataServer
  A user is granted privileges as a trusted user only if the user is specified in this file.
  Note: Typically, there is no reason to add more IDs to this file. In particular, do not add regular users to this file.
- in the operating system of the metadata server machine, only in the following situations:
  - You selected the External authentication option for this user during a custom installation.
  - You migrated your system from SAS 9.1.3 to SAS 9.2.
For detailed information about this user, see the SAS Intelligence Platform: Security Administration Guide.
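Because adminUsers.txt and trustedUsers.txt grant unrestricted and trusted privileges outside of metadata, a periodic check that they contain only the IDs you expect is a useful control. The following audit script is an added example, not SAS code; it assumes the file format has one user ID per line, `#` starting a comment, and a leading `*` in adminUsers.txt marking an unrestricted user, and the sample file contents and expected IDs it uses are constructed placeholders for your site's own values.

```python
"""Audit adminUsers.txt and trustedUsers.txt for unexpected privileged IDs.

Assumed file format (an assumption, not stated on the page): one user ID per
line, '#' starts a comment, blank lines are ignored, and in adminUsers.txt a
leading '*' marks the ID as unrestricted. The expected IDs are site specific
and are supplied by the caller as an allowlist.
"""
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Entry:
    user_id: str
    unrestricted: bool   # only meaningful for adminUsers.txt
    line_no: int


def parse_privileged_file(text: str) -> list[Entry]:
    """Return the IDs listed in a metadata server privilege file."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        entries.append(Entry(line.lstrip("*").strip(), line.startswith("*"), n))
    return entries


def audit(text: str, expected: set[str], require_unrestricted: bool) -> list[str]:
    """Flag IDs not on the allowlist, duplicate lines, and (for adminUsers.txt)
    the absence of any unrestricted user, which that file exists to guarantee."""
    findings, seen = [], set()
    entries = parse_privileged_file(text)
    for e in entries:
        if e.user_id in seen:
            findings.append(f"line {e.line_no}: duplicate entry {e.user_id!r}")
        seen.add(e.user_id)
        if e.user_id not in expected:
            findings.append(f"line {e.line_no}: unexpected ID {e.user_id!r}")
    if require_unrestricted and not any(e.unrestricted for e in entries):
        findings.append("no unrestricted user is defined")
    return findings


def audit_path(path: Path, expected: set[str], require_unrestricted: bool) -> list[str]:
    """Audit a file on disk, e.g. Lev1\\SASMeta\\MetadataServer\\adminUsers.txt."""
    return audit(path.read_text(encoding="utf-8"), expected, require_unrestricted)


# Constructed sample content; the IDs are placeholders, not a real deployment.
ADMIN_SAMPLE = "# metadata administrators\n*sasadm@saspw\n*jdoe\n"
TRUSTED_SAMPLE = "sastrust@saspw\nsastrust@saspw\nalice\n"

if __name__ == "__main__":
    for f in audit(ADMIN_SAMPLE, {"sasadm@saspw"}, True) + audit(TRUSTED_SAMPLE, {"sastrust@saspw"}, False):
        print(f)
```

Point `audit_path` at the two files under SAS-configuration-directory\Lev1\SASMeta\MetadataServer and treat any finding as a change that needs to be explained, since these files override whatever is set in metadata.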
Default User Name | Default User ID | Required? | Location of Account |
---|---|---|---|
SAS Installer | sas | Yes | OS |
The SAS Installer is a user account that is used to install and configure SAS software. On UNIX and z/OS systems, this account is the owner of configuration directories and their contents and is the process owner for items such as the metadata server, the OLAP server, and the object spawner. The account should continue to be available after installation so that it can be used to apply maintenance.
The SAS Installer account must be defined in the operating systems of the following machines:
- the metadata server machine
- machines that host an OLAP server
- machines where the object spawner is installed
Default User Name | Default User ID | Required? | Location of Account |
---|---|---|---|
SAS Spawned Servers | sassrv | Yes | OS and metadata (as a login for the SAS General Servers group) |
The SAS Spawned Servers account is the initially configured process owner for pooled workspace servers and stored process servers. An account for this user must be defined in the operating system of the following machines:
- machines that host a stored process server
- machines that host a pooled workspace server
During the installation process on Windows machines, this user should have been assigned the right to Log on as a batch job. This right can also be assigned by adding the user to the SAS Server Users group.
This user does not have an individual metadata identity. However, a login for this user is defined for the SAS General Servers group.
Default User Name | Default User ID | Required? | Location of Account |
---|---|---|---|
SAS Demo User | sasdemo | No | Metadata and OS |
The SAS First User is an optional account that can serve as a generic end user when you are testing any of the SAS client applications. During installation, the Software Deployment Wizard enables you to specify whether to create this user.
If you selected the option to create this user, then the user's account is defined in the following locations:
- in metadata
- in the operating system of the metadata server machine and workspace server machine
During the installation process on Windows machines, this user should have been assigned the right to Log on as a batch job. This right can also be assigned by adding the user to the SAS Server Users group.
The SAS Anonymous Web User is an optional account that is used to grant clients access to applicable SAS Web Infrastructure Platform components. When Web clients request access to Web services, they are not prompted for credentials but instead are granted access under this user account.
This user is defined in the following locations:
- in metadata. In default installations of SAS 9.2, the SAS Anonymous Web User is an internal user account that is known only to SAS and that is authenticated internally in metadata. When internal authentication is used, it is not necessary for this user to have a local or network account.
- in the operating system of the metadata server machine, only if you selected the External authentication option for this user during a custom installation.
Default User ID | Required? | Location of Account |
---|---|---|
none | Yes, if Platform Suite for SAS is installed | OS |
The LSF administrator is the primary administrator for the Platform scheduling server and the owner of the Process Manager server. This user is required only if you have installed Platform Suite for SAS in support of either scheduling or grid computing.
The LSF administrator account must be defined in the operating system of the machine where Platform Suite for SAS is installed. This user must have full control of the LSF and Process Manager directories. On Windows systems, this user must belong to the Administrators Group and must have rights to Act as part of the operating system and Log on as a batch job.
This user is not defined in metadata.
The lsfuser account is used by default when you schedule SAS Web Report Studio reports using the LSF component of Platform Suite for SAS. The lsfuser account must be defined in the operating system of the machine where Platform Suite for SAS is installed. On Windows machines, the account must also be added to the password file in the LSF software. For details, see "Enabling Report Scheduling With Platform Suite for SAS" in Scheduling in SAS.
This user does not have an individual metadata identity. However, a login for this user is defined for the LSF Services group, effective with the second maintenance release for SAS 9.2.
Note: If you have not yet installed the second maintenance release for SAS 9.2, follow the instructions in SAS Installation Note 35283 to set up credentials for scheduling reports in LSF.
The lsfuser account is not needed if you use SAS In-process Services to schedule reports.
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.