Controlling Access to SAS Environment Manager

SAS Environment Manager controls access and permissions within the application with its own registry of users and its own system of roles and permissions. In order to distinguish between the SAS Environment Manager access features and those in SAS metadata, this document and the SAS Environment Manager online Help refers to features internal to SAS Environment Manager as native features (such as native users or native roles). However, the SAS Environment Manager interface does not use the native terminology.

Although native user definitions are internal to SAS Environment Manager, they are mapped to user definitions created in SAS metadata. Native users are created by first creating the user definition in metadata and then synchronizing the user information with SAS Environment Manager. You cannot create or edit native user definitions in SAS Environment Manager directly.

Native roles enable you to grant capabilities and permissions for actions in SAS Environment Manager to selected users. For example, an administrator role could be granted full permissions for all resource types and the ability to acknowledge and fix alerts, whereasf a guest role could be denied the ability to fix or acknowledge alerts and have only Read permission for resources. Assigning a native role to a native user determines the actions that the user can perform in SAS Environment Manager.

Each native role also has its own unique Dashboard page. Each user has access to their own personal Dashboard page and the Dashboard pages of all native roles of which they are a member.

Users in SAS Environment Manager are mapped to users created in SAS metadata. During installation, three user groups are created in SAS metadata to contain SAS Environment Manager users. Users and subgroups that are members of these groups are mapped to user definitions in SAS Environment Manager with corresponding roles. The user groups and their corresponding roles are as follows:

For example, users that are members of the group SAS_EV_Guest in metadata are created as users in SAS Environment Manager and are assigned to the Guest role when the users are synchronized.

When you install SAS Environment Manager, all existing SAS Environment Manager user definitions are automatically added to the SAS_EV_Guest group in metadata. After the existing users have been added to the SAS_EV_Guest group, use SAS Management Console to modify the user definitions or assign users to other SAS_EV groups in metadata.

After you have defined new users in SAS metadata, sign on to SAS Environment Manager, and select ManageSynchronize Users. User definitions are created for all users that are defined in the three SAS_EV groups in metadata. Any SAS Environment Manager users that are not associated with user definitions in metadata are deleted. When synchronizing, user definitions are not treated as case-sensitive (for example, sasuser@domain and SASUSER@domain are treated as the same user).Synchronization will fail for any users whose display name in metadata is longer than 100 characters.

If you sign on to SAS Environment Manager using a user ID that is defined in metadata, is a member of one of the SAS_EV groups, but is not defined in SAS Environment Manager, then a user definition is automatically created in SAS Environment Manager and assigned to the correct group.

The mapping between user information in metadata and in a SAS Environment Manager user definition is as follows:

To create a new SAS Environment Manager user, select AdministrationUsers in SAS Environment Manager to define the user in metadata and assign it to the appropriate SAS_EV user group, and then select ManageSynchronize Users to create the native user and assign the user to the proper role.

The users in the SAS App Tier role are automatically granted access to the resources in these resource groups:

An internal account, sasevs (sasevs@saspw), is also created during installation. This account is assigned to the SAS Environment Manager roles SAS App Tier Role and Guest Role (which map to the SAS_EV_AppServer_Tier and SAS_EV_Guest groups in SAS metadata). The account is used for communications between the SAS Environment Manager agent and server and enables plugins to access the SAS Metadata Server. The internal account sasadm@saspw is the default account for signing on to SAS Environment Manager.

The SAS Logon Manager is used to control the process of logging on to SAS Environment Manager. The application uses the same authentication process and authentication provider as the other SAS web applications. User credentials are case-sensitive only on Linux platforms.

In the third maintenance release after SAS 9.4, the method of storing SAS Environment Manager user accounts in the database changed. In previous releases, when a user logged on to SAS Environment Manager, the account name that they used to log on was also used to identify them in the SAS Environment Manager session. In the third maintenance release after SAS 9.4, a user logs on using the same account name, but SAS Environment Manager uses their SAS identity to identify the user. This change does not affect how users log on to SAS Environment Manager. Users will continue to use the same accounts and credentials. However, the SAS Environment Manager database contains only the SAS user name for each user account, rather than multiple account names for each user.

To update the password for the sasevs@saspw account, follow these steps:

To create a native role, follow these steps: