Security Tasks
For accountability, we recommend that you establish individual metadata administrators rather than sharing the unrestricted SAS Administrator account.
1. Log on to SAS Management Console as someone who has user administration capabilities (for example, sasadm@saspw).
2. On the Plug-ins tab, select User Manager (in the foundation repository).
3. Create a user definition for each administrator:
   a. Right-click and select New User.
   b. On the General tab, enter a name.
      Note: The administrator's internal user ID is based on this name, so it is a good idea to use a short identifier here.
   c. On the Accounts tab, click Create Internal Account. In the New Internal Account dialog box, enter and confirm an initial password. Click OK.
      Note: By initial policy, internal passwords must be at least six characters, don't have to include mixed case or numbers, and don't expire. If you want to force a password change on first use, set a password expiration period.
   d. Click OK to save the new internal user.
4. Provide privileges for each administrator:
   a. Right-click the SAS Administrators group and select Properties. On the Members tab, move the new users to the Current Members list. Click OK.
   b. (Optional) Right-click the Metadata Server: Unrestricted role and select Properties. On the Members tab, move the new user to the Current Members list. Click OK. To perform this step, you must be unrestricted.
   Note: Step 4b establishes a single level of administrative privilege. If you omit step 4b for an administrator, that administrator can perform almost all metadata administrative tasks but is subject to all permission and capability requirements. See Main Administrative Roles.
Here are some details and tips:
- If you log on with an internal account, you must include the @saspw suffix in the user ID that you submit (for example, sasadm@saspw). See SAS Internal Authentication.
- To conform to the rule of least privilege, do not use an administrative identity to perform regular user tasks. See How to Create a Dual User.
- The advantage of using an internal account in step 3c is that this facilitates creation of a dual user, because this approach leaves the user's external account available for use in a second user definition. A disadvantage of using an internal account is that such an account can't launch a standard workspace server. These administrators are prompted for host credentials if they attempt to validate or use that server. See Who Can Launch a Standard Workspace Server?.
  Note: It is possible to avoid the prompt by replacing the step 3c instructions above with the step 3c instructions from the following topic. However, this makes it difficult to establish a dual user (because each account can be referenced in only one user definition).
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.