Users, Groups, and Roles

Who Can Manage Users, Groups, and Roles?

Your roles and permissions determine which user management tasks you can perform. In a standard configuration, any member of the SAS Administrators group has the capabilities and permissions to perform almost all user management tasks.

The following table provides basic information:

Who Can Manage Users, Groups and Roles?
Metadata Server Role	Actions Supported
Unrestricted	Perform all identity management tasks.
User administration	Add, modify, and delete most identities.¹
None	Update your personal logins in SAS Personal Login Manager.²
1 Permission requirements apply. The User Manager capability (which enables you to see the User Manager plug-in in SAS Management Console) is also required. 2 If you have the User Manager capability, you can perform this task in SAS Management Console.

Here are some additional details:

A special rule prevents restricted user administrators from updating the unrestricted role.
In order to change a role's capabilities, restricted user administrators must also have the WriteMetadata permission on the associated software component. In the standard configuration, the SAS Administrators group has this grant.
To prevent a restricted user administrator from updating a particular identity, deny that user administrator the WriteMetadata permission on that identity's Authorization tab.
To delegate management of an existing identity to someone who isn't a user administrator, grant the WriteMetadata permission to the delegated administrator on the target identity's Authorization tab.
In the initial configuration in a new deployment, all registered users have the User Manager capability through SASUSERS membership in the Management Console: Content Management role.