Solved: Re: How to disable SMC plug-in for selected users

Saud · Posted 12-03-2015 07:07 AM

Grating,

We have a requirement to segregate the SMC plug-in based on the SAS admin user role. For example, SAS security user can only see (User Manager) plug-in and all other should be disabled and on the other hand, the SAS server Admin user, can see only (server manager)

Is there any way to achieve this.

Regards

MichelleHomes · Posted 12-03-2015 01:54 PM

Hi @Saud,

As @LinusH pointed out it is with Role-based capabilities to enable this. We have a step by step description with screen shots to describe how to enable Metacoda Plug-ins in SAS Management Console at http://platformadmin.com/blogs/paul/2012/02/metacoda-security-plug-ins-role-based-access/ You may find these visual instructions useful and in step 4 is the capability tab for the SMC plug-in(s) you wish to enable.

Kind Regards,

Michelle

//Contact me to learn how Metacoda software can help keep your SAS platform secure - https://www.metacoda.com

View solution in original post

LinusH · Posted 12-03-2015 08:57 AM

There are something called "Capabilities", which lets you restrict functionality in some SAS clients based on user/group membership. Not sure if there is a capability for your specific requirement, but this i definitely your starting point.

http://support.sas.com/documentation/cdl/en/mcsecug/64770/HTML/default/viewer.htm#n0s6jxhq6hmvb3n107...

Data never sleeps

MichelleHomes · Posted 12-03-2015 01:54 PM

Hi @Saud,

As @LinusH pointed out it is with Role-based capabilities to enable this. We have a step by step description with screen shots to describe how to enable Metacoda Plug-ins in SAS Management Console at http://platformadmin.com/blogs/paul/2012/02/metacoda-security-plug-ins-role-based-access/ You may find these visual instructions useful and in step 4 is the capability tab for the SMC plug-in(s) you wish to enable.

Kind Regards,

Michelle

//Contact me to learn how Metacoda software can help keep your SAS platform secure - https://www.metacoda.com

jakarman · Posted 12-05-2015 03:15 PM

The capabilties are for menu-tailoring in some programs like SMC. Your requiement however is looking to come by a requirement normally known as "segregation of duties"
The do not offer real security segration as that part is not menu tailoring but of autorisation on objects.

The user-management plugin as menu is no problem for normal users as they shoudl be able and maintain their own login settings. (authdomains).

There is another reason users could easily see other users in the metadata. There is an option of distribution output by registered mail-adresses in the SAS-metadata. Using that you must be able to read those

Something strange there, as user can add uncontrolled autdomains themself but not deleting them again. Seeing groups/logins can have the impact you can also change those. Change is wanted wiht logins not wiht the groupmembership the latter is effectively sayin granting yourself any righst as you like. Wiht 9.1.3 and using DI that granting of groups by users themself was not preventable.

The normal requiment would be an restricted (not the unrestricted) SAS adminsitrator is the only one responsible for user management (adding/deleting identities) and can be combined wiht granting/deleting group to users.

---->-- ja karman --<-----

Saud · Posted 12-06-2015 02:52 AM

Jakarman Thanks a lot. I’ll discover suggested solution which's looks interesting