Controlling Access to SAS Environment Manager

About Native Roles and Users

SAS Environment Manager controls access and permissions within the application with its own registry of users and its own system of roles and permissions. In order to distinguish between the SAS Environment Manager access features and those in SAS metadata, this document and the SAS Environment Manager online Help refers to features internal to SAS Environment Manager as native features (such as native users or native roles). However, the SAS Environment Manager interface does not use the native terminology.
Although native user definitions are internal to SAS Environment Manager, they are mapped to user definitions created in SAS metadata. Native users are created by first creating the user definition in metadata and then synchronizing the user information with SAS Environment Manager. You cannot create or edit native user definitions in SAS Environment Manager directly.
Native roles enable you to grant capabilities and permissions for actions in SAS Environment Manager to selected users. For example, an administrator role could be granted full permissions for all resource types and the ability to acknowledge and fix alerts, whereasf a guest role could be denied the ability to fix or acknowledge alerts and have only Read permission for resources. Assigning a native role to a native user determines the actions that the user can perform in SAS Environment Manager.
Each native role also has its own unique Dashboard page. Each user has access to their own personal Dashboard page and the Dashboard pages of all native roles of which they are a member.

SAS Environment Manager and SAS Metadata Users

Users in SAS Environment Manager are mapped to users created in SAS metadata. During installation, three user groups are created in SAS metadata to contain SAS Environment Manager users. Users and subgroups that are members of these groups are mapped to user definitions in SAS Environment Manager with corresponding roles. The user groups and their corresponding roles are as follows:
Group name in SAS metadata
Role in SAS Environment Manager
SAS_EV_Super_User
Super User role
SAS_EV_Guest
Guest role
SAS_EV_AppServer_Tier
SAS App Tier role
For example, users that are members of the group SAS_EV_Guest in metadata are created as users in SAS Environment Manager and are assigned to the Guest role when the users are synchronized.
When you install SAS Environment Manager, all existing SAS Environment Manager user definitions are automatically added to the SAS_EV_Guest group in metadata. After the existing users have been added to the SAS_EV_Guest group, use SAS Management Console to modify the user definitions or assign users to other SAS_EV groups in metadata.
After you have defined new users in SAS metadata, sign on to SAS Environment Manager, and select Managethen selectSynchronize Users. User definitions are created for all users that are defined in the three SAS_EV groups in metadata. Any SAS Environment Manager users that are not associated with user definitions in metadata are deleted. When synchronizing, user definitions are not treated as case-sensitive (for example, sasuser@domain and SASUSER@domain are treated as the same user).Synchronization will fail for any users whose display name in metadata is longer than 100 characters.
Note: Only users who are assigned to the Super User role can perform the Synchronize Users action.
If you sign on to SAS Environment Manager using a user ID that is defined in metadata, is a member of one of the SAS_EV groups, but is not defined in SAS Environment Manager, then a user definition is automatically created in SAS Environment Manager and assigned to the correct group.
The mapping between user information in metadata and in a SAS Environment Manager user definition is as follows:
Metadata field
SAS Environment Manager field
Display Name
Display Name
Name
Display Name if the Display Name is not specified in metadata
Metadata user
Username
Email (only the first email address specified is mapped)
Email
Phone (only the first phone number specified is mapped)
Phone
To create a new SAS Environment Manager user, select Administrationthen selectUsers in SAS Environment Manager to define the user in metadata and assign it to the appropriate SAS_EV user group, and then select Managethen selectSynchronize Users to create the native user and assign the user to the proper role.
The users in the SAS App Tier role are automatically granted access to the resources in these resource groups:
  • SAS App Tier group
  • SAS App Tier Server group
  • SAS App Tier Services group
An internal account, sasevs (sasevs@saspw), is also created during installation. This account is assigned to the SAS Environment Manager roles SAS App Tier Role and Guest Role (which map to the SAS_EV_AppServer_Tier and SAS_EV_Guest groups in SAS metadata). The account is used for communications between the SAS Environment Manager agent and server and enables plugins to access the SAS Metadata Server. The internal account sasadm@saspw is the default account for signing on to SAS Environment Manager.
CAUTION:
All accounts in the SAS Environment Manager Super User group have access to the gconsole plugin, which allows Groovy code to be submitted. A side effect of this capability is that Groovy code can be executed as the server process owner, which is typically the SAS installer account. If your security policy does not permit this account to have this capability, you can move or delete the gconsole plugin. Move or delete the directory <levelroot>/Web/SASEnvironmentManager/server-5.8.0-EE/hq-engine/hq-server/webapps/ROOT/hqu/gconsole.
The SAS Logon Manager is used to control the process of logging on to SAS Environment Manager. The application uses the same authentication process and authentication provider as the other SAS web applications. User credentials are case-sensitive only on Linux platforms.
In the third maintenance release after SAS 9.4, the method of storing SAS Environment Manager user accounts in the database changed. In previous releases, when a user logged on to SAS Environment Manager, the account name that they used to log on was also used to identify them in the SAS Environment Manager session. In the third maintenance release after SAS 9.4, a user logs on using the same account name, but SAS Environment Manager uses their SAS identity to identify the user. This change does not affect how users log on to SAS Environment Manager. Users will continue to use the same accounts and credentials. However, the SAS Environment Manager database contains only the SAS user name for each user account, rather than multiple account names for each user.

Updating Passwords for SAS Environment Manager Metadata Identities

To update the password for the sasevs@saspw account, follow these steps:
  1. Stop SAS Environment Manager and all SAS Environment Manager agents on the system.
  2. On the middle-tier machine, use the SAS Deployment Manager to change the password for the sasevs account.
  3. Use the SAS Deployment Manager to update the sasevs password on the machines in the other tiers in the system.
  4. Restart SAS Environment Manager and the SAS Environment Manager agents.

Creating a Native Role

To create a native role, follow these steps:
  1. On the Manage page, select New Role.
  2. On the New Role page, specify a name for the role and select the native permissions and capabilities for each resource type. If you grant the Read Only permission for a resource type, you can also select the native capabilities for the resource type. For all other permissions, the capabilities are automatically selected or disabled and cannot be changed.
  3. Use these guidelines to determine the native permissions to set:
    Adding a resource to the inventory and creating alert definitions
    Select Full or Read / Write permissions. Users can also respond to alerts and control resources.
    Monitoring resources, responding to alerts, controlling resources
    Select the Read Only permission and grant the capability to acknowledge and fix alerts and to control resources. Users can respond to alerts and control resources but cannot create or modify alerts or resources.
    Monitoring resources
    Select the Read Only permission, but do not grant capabilities for alerts resource control. Users can view and monitor only resources.
  4. When you click OK, the role and associated Dashboard page are created, and the Role Properties page is displayed. Use this page to select native users and resource groups that should be associated with the role and to create an alert calendar.
  5. To create an alert calendar, select the days and times during which the roles’ users will be notified of alerts. Make sure that at least one role is available during every time period.
    alert calendar