BookmarkSubscribeRSS Feed
MaCom
Calcite | Level 5

Hello,

 

I can't set user permissions in order to let him see servers in Server Manager plugin, connect to them but don't let him to delete servers or add new servers.

 

I created a new test user, a new test role and a new test ACT.

In my new role I checked a capability to Server Manager plugin.

In my new ACT on the Permission Pattern page I checked grant only on ReadMetadata and Administer permisions. The other permissions I left empty. (I've also tried with Deny on WriteMetadata)

Next, I added my user to this new role and to my new ACT.

Next, I assigned my ACT to the one of the logical workspace Server on the Authorization page .

This server had checked "Use Server Access Security" on the Server options page.

 

Then I logged in as my new test user. He could see this server but he had also enabled Delete and Add Server functions on its context menu.

Is it possible to set user permissions that way he had disabled this Delete and Add Server ?

 

My environment is: SAS 9.3 Management Console

 

Thank you for advice in advance.

 

Kind Regards,

Mark

 

3 REPLIES 3
PaulHomes
Rhodochrosite | Level 12

Hi Mark,

 

From the subject line it sound like you are trying to restrict an unrestricted user - is this correct? If a user needs to be restricted in the scope of their application capabilities (e.g. access to SAS Management Console plug-ins) or metadata object permissions then they need to be restricted users. Unrestricted users (being direct or indirect members of the Metadata Server: Unrestricted role, or having their user id, prefixed with an *, in the adminUsers.txt file), as the name suggests, are unrestricted. It doesn't matter what you have done with role/capability assignments or metadata permissions in access controls, unrestricted users always have all capabilities in all applications and all permissions on all objects.

 

If you want to limit the scope of this user's access to SAS Management Console plug-ins or permissions on servers, then you will need to first convert them to a restricted user (by removing their unrestricted access) before looking at roles/capabilities and permissions.

 

In deciding on server permissions, refer to the SAS(R) 9.3 Intelligence Platform: Security Administration Guide book, Permissions by Object Type page, and the Permission Tips for Selected System and Administrative Objects section:

To monitor or operate servers other than the metadata server, you need the Administer permission on the server. (The metadata server requires the Metadata Server: Operation role instead of the Administer permission.)


To associate a stored process, OLAP schema, or library with an application server, you need WriteMetadata permission for that application server. Certain service identities need ReadMetadata permission to all server definitions. See Permissions on Servers.

 

Essentially be aware that an effective +WM is required to be able to associate other objects (stored processes, libraries etc) with a application server and an effective +WM also means they can delete the server. If you need them to have +WM to associate objects but also want to limit (somewhat) the ability of that person to delete the server then you may consider removing the capability for that person to get access by hiding Server Manager (if they are skilled enough they could potentially use metadata APIs to still delete the server - unlikely but not sure if you need/want to consider that).

 

For more information on setting server permissions see Protect Server Definitions.

 

Cheers
Paul

MaCom
Calcite | Level 5

Hi Paul,

 

I'm really grateful for your response. Thanks a lot for the links. They are very helpful 🙂

 

I'm sorry for my mistake in the title. Of course I meant restricted users. I've changed the title.

 

I have a problem with setting permissions for the new test user to give him acesss to a logical server

(Stored Process Server) that way, he could see this server, connect to it, monitor processes but has disabled delete and

add server functions. Do you know how to set set his permission to achieve that ? I would be grateful for any tips.
 
My main goal is to give some users permission to see all folders and ability to monitor servers without extent them permissions to change anything. I mean that users from this group who had had before permissions to modifying something I don't want to restrict them now. I want to extend their ability to only read access to the resources (folders, servers) which they hadn't access before at all.

 

Cheers,

Mark

PaulHomes
Rhodochrosite | Level 12

Hi Mark,

 

I have not been in a situation where there's an admin-like person who can see and monitor a server but has no ability to manage/modify that server (or associated/link objects to it). However, if I understand your requirement correctly then those people would need an effective permission pattern of +RM, -WM, +A. That could be accomplished with the use of a Protect ACT (see Baseline ACTs and Protect Server Definitions) to set the baseline permissions for the server object(s), plus the application of an ACT/ACE to provide +WM to those groups of people that need to associate objects (assign libraries, stored processes etc), plus an ACT/ACE to provide only +A (without WM) to those groups of people that need to monitor but not modify.

 

I hope this helps. Please let us know how you go.

 

Cheers
Paul

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

CLI in SAS Viya

Learn how to install the SAS Viya CLI and a few commands you may find useful in this video by SAS’ Darrell Barton.

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 3 replies
  • 1345 views
  • 1 like
  • 2 in conversation