From the subject line it sound like you are trying to restrict an unrestricted user - is this correct? If a user needs to be restricted in the scope of their application capabilities (e.g. access to SAS Management Console plug-ins) or metadata object permissions then they need to be restricted users. Unrestricted users (being direct or indirect members of the Metadata Server: Unrestricted role, or having their user id, prefixed with an *, in the adminUsers.txt file), as the name suggests, are unrestricted. It doesn't matter what you have done with role/capability assignments or metadata permissions in access controls, unrestricted users always have all capabilities in all applications and all permissions on all objects.
If you want to limit the scope of this user's access to SAS Management Console plug-ins or permissions on servers, then you will need to first convert them to a restricted user (by removing their unrestricted access) before looking at roles/capabilities and permissions.
In deciding on server permissions, refer to the SAS(R) 9.3 Intelligence Platform: Security Administration Guide book, Permissions by Object Type page, and the Permission Tips for Selected System and Administrative Objects section:
To monitor or operate servers other than the metadata server, you need the Administer permission on the server. (The metadata server requires the Metadata Server: Operation role instead of the Administer permission.)
To associate a stored process, OLAP schema, or library with an application server, you need WriteMetadata permission for that application server. Certain service identities need ReadMetadata permission to all server definitions. See Permissions on Servers.
Essentially be aware that an effective +WM is required to be able to associate other objects (stored processes, libraries etc) with a application server and an effective +WM also means they can delete the server. If you need them to have +WM to associate objects but also want to limit (somewhat) the ability of that person to delete the server then you may consider removing the capability for that person to get access by hiding Server Manager (if they are skilled enough they could potentially use metadata APIs to still delete the server - unlikely but not sure if you need/want to consider that).
I'm really grateful for your response. Thanks a lot for the links. They are very helpful 🙂
I'm sorry for my mistake in the title. Of course I meant restricted users. I've changed the title.
I have a problem with setting permissions for the new test user to give him acesss to a logical server
(Stored Process Server) that way, he could see this server, connect to it, monitor processes but has disabled delete and
add server functions. Do you know how to set set his permission to achieve that ? I would be grateful for any tips.
My main goal is to give some users permission to see all folders and ability to monitor servers without extent them permissions to change anything. I mean that users from this group who had had before permissions to modifying something I don't want to restrict them now. I want to extend their ability to only read access to the resources (folders, servers) which they hadn't access before at all.
I have not been in a situation where there's an admin-like person who can see and monitor a server but has no ability to manage/modify that server (or associated/link objects to it). However, if I understand your requirement correctly then those people would need an effective permission pattern of +RM, -WM, +A. That could be accomplished with the use of a Protect ACT (see Baseline ACTs and Protect Server Definitions) to set the baseline permissions for the server object(s), plus the application of an ACT/ACE to provide +WM to those groups of people that need to associate objects (assign libraries, stored processes etc), plus an ACT/ACE to provide only +A (without WM) to those groups of people that need to monitor but not modify.