05-17-2012 11:03 AM
We have a SAS 9.2 TS2M3 server and need to create a role to prevent end users from saving data on their desktops.
I saw in SAS Management Console (SAS SMC) that there is a capability that can restrict this. But it works only for SAS Guide 4.3. If the end user uses Guide 4.2, the role is not respected.
Is there any way to limit access to the SAS server to Guide 4.3 only?
Thanks a lot
05-17-2012 05:55 PM
One of the things to look out for with roles & capabilities is that you cannot explicitly deny a capability. Capabilities can only be 'granted by any path' or 'not granted in any possible path' considering all possible user/group/role/capability membership/access paths. It only takes a single grant by any membership path to provide a capability to someone. To effectively 'deny' someone a capability you need to ensure that the capability is not granted by any membership path (i.e. eliminate all of the grants to that person considering all of their nested group and role memberships). I wrote a blog post about this (and our tool for reviewing capability access paths) last year, if you want to take a look: "Capability Reviewer Preview: who has access to a capability and how?" (platformadmin.com)
I would take a look at your "Enterprise Guide: Advanced" role first. By default this role has PUBLIC as a member, which grants all EG capabilities (including 'Save Files to Local Computer') to all users. This is often the culprit when it comes to removing capabilities. Of course, by removing PUBLIC from that role nobody (other than unrestricted users) will then have any EG capabilities, so you will want to make sure your users are members of appropriate custom roles to get the capabilities they need. It's a good idea to test this out in a development/test environment before implementing it in production (and take a metadata backup so you can revert if necessary).
If you haven't already seen it there's a great SAS Global Forum 2010 Paper by Kathy Wisniewski about roles & capabilities: 324-2010 Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2
Hope this helps.
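The "granted by any path" rule described in the reply above can be modelled as a walk over nested memberships. This is an added example, not part of the original reply and not SAS code or a SAS API; the users, the groups "Analysts" and "Power Users", and the two "EG Custom" roles are hypothetical sample data.

```python
# Model of additive capability resolution: an identity holds a capability if
# ANY membership path reaches a role that grants it. There is no deny.
# All memberships below are constructed sample data, not read from SAS metadata.
SAVE_LOCAL = "Save Files to Local Computer"

# identity/group/role -> groups or roles it is a direct member of
MEMBER_OF = {
    "alice": ["PUBLIC", "Analysts"],
    "bob": ["PUBLIC", "EG Custom: Restricted"],
    "Analysts": ["Power Users"],                # nested group (hypothetical)
    "Power Users": ["EG Custom: Local Save"],   # custom role (hypothetical)
    "PUBLIC": ["Enterprise Guide: Advanced"],   # default membership per the reply
}

# role -> capabilities it grants (only the capability under review is modelled)
ROLE_CAPS = {
    "Enterprise Guide: Advanced": {SAVE_LOCAL},
    "EG Custom: Local Save": {SAVE_LOCAL},
    "EG Custom: Restricted": set(),
}

def grant_paths(identity, capability, member_of, role_caps, _path=()):
    """Return every membership path from identity to a role granting capability."""
    path = _path + (identity,)
    found = []
    if capability in role_caps.get(identity, set()):
        found.append(path)
    for parent in member_of.get(identity, ()):
        if parent not in path:  # guard against membership cycles
            found.extend(grant_paths(parent, capability, member_of, role_caps, path))
    return found

def without_membership(member_of, member, parent):
    """Copy of member_of with one direct membership removed."""
    return {k: [p for p in v if not (k == member and p == parent)]
            for k, v in member_of.items()}

def review(capability, member_of, role_caps, users):
    """Map each user to the list of paths that still grant the capability."""
    return {u: grant_paths(u, capability, member_of, role_caps) for u in users}

if __name__ == "__main__":
    fixed = without_membership(MEMBER_OF, "PUBLIC", "Enterprise Guide: Advanced")
    for label, graph in (("default", MEMBER_OF), ("PUBLIC removed", fixed)):
        for user, paths in review(SAVE_LOCAL, graph, ROLE_CAPS, ["alice", "bob"]).items():
            print(label, user, [" -> ".join(p) for p in paths] or "not granted")
```

In this sample data, removing PUBLIC from "Enterprise Guide: Advanced" clears the capability for bob but not for alice, who still reaches it through a nested group.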