topic How to disable SMC plug-in for selected users in Administration and Deployment

How to disable SMC plug-in for selected users

Saud — Thu, 03 Dec 2015 12:07:22 GMT

Grating,

We have a requirement to segregate the SMC plug-in based on the SAS admin user role. For example, SAS security user can only see (User Manager) plug-in and all other should be disabled and on the other hand, the SAS server Admin user, can see only (server manager)

Is there any way to achieve this.

Regards

Re: How to disable SMC plug-in for selected users

LinusH — Thu, 03 Dec 2015 13:57:20 GMT

There are something called "Capabilities", which lets you restrict functionality in some SAS clients based on user/group membership. Not sure if there is a capability for your specific requirement, but this i definitely your starting point.

http://support.sas.com/documentation/cdl/en/mcsecug/64770/HTML/default/viewer.htm#n0s6jxhq6hmvb3n107jastiuavn9.htm

Re: How to disable SMC plug-in for selected users

MichelleHomes — Thu, 03 Dec 2015 18:54:55 GMT

Hi @Saud,

As @LinusH pointed out it is with Role-based capabilities to enable this. We have a step by step description with screen shots to describe how to enable Metacoda Plug-ins in SAS Management Console at http://platformadmin.com/blogs/paul/2012/02/metacoda-security-plug-ins-role-based-access/ You may find these visual instructions useful and in step 4 is the capability tab for the SMC plug-in(s) you wish to enable.

Kind Regards,

Michelle

Re: How to disable SMC plug-in for selected users

jakarman — Sat, 05 Dec 2015 20:15:01 GMT

The capabilties are for menu-tailoring in some programs like SMC. Your requiement however is looking to come by a requirement normally known as "segregation of duties"
The do not offer real security segration as that part is not menu tailoring but of autorisation on objects.

The user-management plugin as menu is no problem for normal users as they shoudl be able and maintain their own login settings. (authdomains).

There is another reason users could easily see other users in the metadata. There is an option of distribution output by registered mail-adresses in the SAS-metadata. Using that you must be able to read those

Something strange there, as user can add uncontrolled autdomains themself but not deleting them again. Seeing groups/logins can have the impact you can also change those. Change is wanted wiht logins not wiht the groupmembership the latter is effectively sayin granting yourself any righst as you like. Wiht 9.1.3 and using DI that granting of groups by users themself was not preventable.

The normal requiment would be an restricted (not the unrestricted) SAS adminsitrator is the only one responsible for user management (adding/deleting identities) and can be combined wiht granting/deleting group to users.

Re: How to disable SMC plug-in for selected users

Saud — Sun, 06 Dec 2015 07:52:40 GMT

Jakarman Thanks a lot. I’ll discover suggested solution which's looks interesting