![]() |
![]() |
Users, Groups, and Roles |
To learn about customizing the distribution of capabilities across roles, complete this exercise in SAS Management Console.
Log on as someone who has user administration capabilities and is a member of the SAS Administrators group (for example, sasadm@saspw).
On the
Plug-ins
tab, select User Manager
(make
sure you are in the foundation repository). In the display area, clear the Show
Users and Show Groups check
boxes. The roles that exist in your deployment are displayed.
Right-click User Manager and select
New Role. On the General tab, enter Test
Role
in the Name field.
Note: Creating a new role isolates this exercise
from the rest of your deployment, ensuring that your current configuration
is preserved.
To learn how to directly assign capabilities, select the Capabilities tab:
Notice that a message at the top of the tab reminds you that a few capabilities (for example, those of the metadata server's roles) aren't listed on this tab (because those capabilities are implicit).
Notice that the first node (Applications)
has an empty branch icon
. This indicates that no explicit capabilities
are assigned to this
role.
Notice that there is a second-level node for each component that provides explicit capabilities. A role can provide capabilities from multiple applications.
Click +
to expand the SAS Management Console
node. Click + to expand the Plug-ins node. Select the Authorization Manager check
box. Notice that the branch icons are now partial
. This indicates that
some of the capabilities
are selected.
Note: To see a description of any capability, click
that capability's text and look at the Description field at the bottom of the tab.
Click the partial icon
for the Plug-ins folder. This
action causes all of the capabilities beneath that node to be selected. Click
again to cycle back to the empty branch icon (no capabilities assigned). Click
a third time to revert to the immediately preceding state (only the Authorization
Manager check box selected).
Click the Authorization Manager check box to clear it.
To learn how to indirectly assign capabilities, select the Contributing Roles tab:
In the Available Roles list, select Management Console: Content Management. Before you make this a contributing role, verify its capabilities.
Click Properties,
select the candidate role's Capabilities
tab, and expand SAS Management Console Plug-ins. Notice that
four capabilities are selected. All check boxes are disabled because this
dialog box is in read-only mode when it is accessed in this manner.
Check the role's description on the General tab to determine whether the role provides any further capabilities (implicit capabilities).
Check the role's Contributing Roles tab (just in case it has a contributing role that provides implicit capabilities).
Click Cancel to return to the Contributing Roles tab of your test role.
Move the Management Console: Content Management role to the Current Roles list. This role now contributes all of its capabilities to your new role. If capabilities of this contributing role change, the capabilities of your test role change also.
It is necessary to use contributing roles in these circumstances:
You want to extend implicit capabilities (like the capabilities of the metadata server roles) to other roles.
You want to provide dynamic aggregation of roles so that changes to one role propagate to other roles that have the first role as a contributing role.
To learn about interactions between contributed and directly assigned capabilities, select your test role's Capabilities tab again.
Under
SAS
Management Console Plug-ins,
notice that capabilities from the Management Console:
Content Management role are now selected. A visual indicator
identifies these as contributed capabilities.
Select the already-selected Authorization Manager check box. This adds a direct assignment on top of the contributed assignment, making the assignment independent from the underlying contributing role.
Click the tree icon for the Plug-ins folder three times (stop when only the Authorization Manager check box is explicitly selected).
Select the Authorization Manager check box again. It reverts back to the contributed state. You can't incrementally remove a contributed capability.
If you want to make your role independent of the Management Console: Content Management role:
Add explicit selections on top of all contributed capabilities.
Select the Contributed Roles tab. Move the Management Console: Content Management role back to the Available roles list box.
Select the Capabilities tab. Notice that you can now clear any capability.
Note: This technique (trace a contributing role
and then remove it) is a good way to create a new role that is based on another
role but offers fewer capabilities. Of course, anyone who has both roles has
any capability that is offered by either role.
To close the dialog box (and not save the test role), click Cancel.
See Also
![]() |
![]() |
Copyright © 2011 by SAS Institute Inc., Cary, NC, USA. All rights reserved.