06-27-2012 03:02 PM
I'm a brand new SAS administrator who's been thrust into the middle of my company's fledgling SAS implementation, and I'm slowly getting up to speed with the environment. I have a quick question regarding setting up user administration. We have a team of help desk employees that are focused on security administration (things like fileshare access, user account activations/deactivations, etc.). I want to look into giving them rights to do basic user administration (account creation/deletion, role/group membership) in SAS without (at least initially) giving them the ability to modify other things. It looks like this is the basic process:
1) Add a SAS group for the users
2) Give the SAS group the "Metadata Server: User Administration" role. Also create a new role that gives them access only to the User Manager plugin in Management Console, and assign that role to the SAS group.
3) Add SAS user accounts for the help desk users, and put those SAS user accounts into the new SAS group.
Am I missing anything here, or am I on the right track? Any tips or best practices would be greatly appreciated.
06-27-2012 10:43 PM
When you create the new role to limit access to the User Manager plug-in, watch out for the "Management Console: Content Management" role, which has SASUSERS as a member by default. Unless you remove the SASUSERS membership from that role, your restricted user administrators will still get access to the User Manager, Authorization Manager, Data Library Manager, Folder tab & Search tab. I did a blog post a while back which discussed multiple access paths to a capability. However, removing SASUSERS from the content management role will also impact any existing non-administrative users of SAS Management Console (maybe DI developers), so you may want to add those users' group(s) back as members of the role to ensure continued access.
Will your restricted user administrators be managing Portal Group Content Administrators? If so then they will also need access to the Authorization Manager plug-in to be able to set appropriate permissions on portal permission trees.
I'm assuming you have also considered identity synchronization with Active Directory, LDAP or other sources of user, group and membership information. That can significantly reduce the requirement for manual identity management in SAS Management Console by help desk staff.
If you haven't already seen them, I'd recommend reading the following resources too:
06-28-2012 09:10 AM
Thank you so much for the detailed and informative response! I have read a couple of the linked documents, but there's definitely some more information in there that I haven't seen yet.
As far as managing Group Content Administrators, I don't think they'll be responsible for that yet, but it's a possibility as use of SAS grows within our company. Right now it's only 5 or so users, but we anticipate that to grow pretty rapidly once we really start using it.
I hadn't seen the bit about identity sync; I will definitely have to look at that.
I plan on taking SAS Platform Administration training very soon, so hopefully that will help fill in some of the blanks as well.
Thanks for helping a SAS newbie!
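
Added example (not from any poster in this thread, and not SAS code): a small Python model of the multiple-access-path issue raised in the second reply, showing which role memberships expose each SAS Management Console plug-in to a restricted help desk user before and after SASUSERS is removed from the content management role. The role name "Help Desk: User Manager Only", the group names and the user IDs are constructed for illustration; nothing here queries a real metadata server.

```python
IMPLICIT = "SASUSERS"  # implicit group: every registered user is a member

# Role -> console plug-ins/tabs it exposes, as described in the reply above.
ROLE_CAPS = {
    "Management Console: Content Management": {
        "User Manager", "Authorization Manager", "Data Library Manager",
        "Folder tab", "Search tab"},
    "Help Desk: User Manager Only": {"User Manager"},  # hypothetical custom role
}
# Constructed sample identities (group -> direct members).
GROUP_MEMBERS = {"Help Desk Admins": {"hd_alice"}, "DI Developers": {"di_bob"}}

def identities(user, group_members):
    """The user, the implicit group, and every group reached through nesting."""
    found = {user, IMPLICIT}
    changed = True
    while changed:
        changed = False
        for group, members in group_members.items():
            if group not in found and members & found:
                found.add(group)
                changed = True
    return found

def access_paths(user, role_members, group_members):
    """Map each capability to the (role, member identity) pairs that grant it."""
    ids = identities(user, group_members)
    paths = {}
    for role, members in role_members.items():
        for via in sorted(members & ids):
            for cap in ROLE_CAPS[role]:
                paths.setdefault(cap, []).append((role, via))
    return paths

def excess(user, intended, role_members, group_members):
    """Capabilities the user can reach that were not meant to be granted."""
    return sorted(set(access_paths(user, role_members, group_members)) - set(intended))

# Role -> members: default state vs. SASUSERS removed and DI developers re-added.
DEFAULT = {"Management Console: Content Management": {"SASUSERS"},
           "Help Desk: User Manager Only": {"Help Desk Admins"}}
HARDENED = {"Management Console: Content Management": {"DI Developers"},
            "Help Desk: User Manager Only": {"Help Desk Admins"}}

if __name__ == "__main__":
    for label, roles in (("default", DEFAULT), ("hardened", HARDENED)):
        print(label, "excess for hd_alice:",
              excess("hd_alice", {"User Manager"}, roles, GROUP_MEMBERS))
```
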