Using AMO 7.15 and SAS 9.4M5.
The requirements
1) To prevent non-approved users from using AMO, even if installed .
2) Prevent non-approved users to access Data using AMO, even if installed.
We want to use Active Directory (AD) to set users that can use AMO. So we created a group for that and let it synchronize with a Metadata group. The Metadata group was included in the Role "Add-In for Microsoft Office: Advanced" and all other memberships was removed from all AMO Roles.
When testing we realized this didn't work at all. All users that have AMO installed can do everything that the AMO Advanced Role specify even if they are not included in any AMO Role (like copy, print and save content).
How do we perform this in a best practice?