Paul,
...AD integration (joined a domain) only. I think you just answered my when you wrote "...7.3 release) does not use native AD/LDAP groups for access control." I am currently not giving passwords when I add my users in the console Ad\{SomeUserID}, so assumed it could also add a group somewhere instead. I guess I just assumed I had missed the notes/instructions on configuring that service. If 7.3 needs to be scripted to add users to metadata then at least until we upgrade my user pool is small enough to just manually add the users. I was hoping to get a head start on expanded used. Thank you for replying.  If I have miss under stood your comment please advise.  -KJ

Hi KJ,

When you are manually adding AD users via SAS Management Console User Manager you do not need to specify a password. Think of that user as a reference to an AD user and the user id is the key (linking the host/AD authenticated user to the SAS identity in metadata).  AD authenticates the user but SAS needs an entity within SAS metadata to use for (SAS metadata) access control decisions, to associated private user content, store user preferences etc. The SAS metadata groups have no connection to AD groups unless you set up a sync process to effectively copy/replicate the desired set of groups into SAS metadata.  When you have a small number of users it may be easier to manage them and the local SAS groups manually like this. As the number of users increases people often turn to AD synchronisation to automate this process using AD as the source of user and group information. If you're a SAS coder, take a look at the User Import Macros section of the SAS® 9.4 Intelligence Platform: Security Administration Guide. We also have a commercial Metacoda Identity Sync plug-in that makes this easier to implement for those who are not coders (or do not want to keep maintaining code). 

To find out more about managing users, groups and access (and many other SAS admin topics) I would wholeheartedly recommend the SAS Platform Administration: Fast Track course from SAS Education. In terms of documentation I would start with the About User Administration section in the SAS® 9.4 Intelligence Platform: Security Administration Guide. That book also has some nice worked examples of group-based access control for SAS metadata content in the Access to Metadata Folders section. Another document to read is the SAS® 9.4 Management Console: Guide to Users and Permissions.  In addition to the SAS documentation I would definitely recommend looking at some of the best practice papers for proven patterns that make this much more manageable:

• Five papers on Recommended SAS 9.4 Security Model Design (part 1 & part 2) as published by @DavidStern from the SAS Global Enablement and Learning (GEL) team.
• SAS Global Forum 2011 paper 376-2011: Best Practice Implementation of SAS® Metadata Security at Customer Sites in Denmark by @CecilyHoffritz and @JohannesJørgensen from SAS Institute Denmark.
• SAS Global Forum 2017 paper: Getting Started with Designing and Implementing a SAS 9.4 Metadata and File System Security Design by @angieh from SAS Consulting

Cheers
Paul