Security Tasks
The initial configuration provides sufficient access to data and resources, with these exceptions:
- Only unrestricted users can access data through information maps, reports that are based on information maps, the metadata LIBNAME engine, or the OLAP server. In the initial configuration, the only grants of the Read permission are in each user's personal content area (My Folder).
- Only unrestricted users and members of the SAS Administrators group can register cubes.
To ensure access to resources and data:
1. Log on to SAS Management Console as an administrator (for example, sasadm@saspw).
2. (Optional) Verify that all registered users have at least the minimum required repository-level access.
   a. On the Plug-ins tab, under Authorization Manager, expand the Access Control Templates node.
   b. Right-click the repository ACT (Default ACT) and select Properties.
   c. On the Permission Pattern tab, select SASUSERS. Verify that the ReadMetadata and WriteMetadata permissions are granted.
3. (Optional) Verify that all registered users have basic access to the folder tree.
   a. On the Folders tab, right-click the root folder (SAS Folders) and select Properties.
   b. On the folder's Authorization tab, select SASUSERS. Verify that the ReadMetadata permission is granted.
4. Provide metadata layer access to data (this is a broad approach).
   a. On the Authorization tab for the root folder (SAS Folders), select SASUSERS.
      Note: To access this tab, select the Folders tab, right-click the root folder, and select Properties.
   b. Grant the Read permission. This enables registered users to perform tasks such as querying cubes, accessing data through information maps, and viewing the contents of tables.
   If you want to manage access to data more narrowly, set grants of the Read permission on specific folders for specific users. Users need the Read permission as follows:
   - Users need Read permission on an information map in order to access data through that information map. For example, if Joe is denied Read permission on an information map, he can't view reports that are based on that information map.
   - Users always need Read permission on OLAP data in order to access that data.
   - Users sometimes need Read permission on relational data in order to access that data. Read permission is required when data is accessed using the metadata LIBNAME engine.
5. If users who aren't in the SAS Administrators group will register cubes, grant those users the WriteMetadata permission on the OLAP schema.
   a. On the Folders tab, expand the Shared Data and SASApp - OLAP Schema folders.
   b. Right-click the schema and select Properties.
   c. On the Authorization tab, select or add an identity and grant WriteMetadata permission to that identity. For example, to allow all registered users to add cubes, assign the grant of WriteMetadata permission to SASUSERS.
6. Verify that physical-layer access is available. These are the requirements:
   - Anyone who accesses SAS data sets from a standard workspace server needs host operating system permissions to those files.
   - Anyone who performs tasks that involve writing to a host directory needs host layer write access to that directory.
   - The launch credential for the pooled workspace server, stored process server and, if applicable, workspace server that uses SAS token authentication needs physical-layer access to any SAS data that the server retrieves. Initially, the SAS Spawned Servers account (sassrv) is the launch credential for all of these servers.
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.