SAS 9 Refresher Series: Roles and Functionality
This is part of a series on refreshing knowledge of SAS 9 Administration topics. You may find the other posts in this larger series here: SAS 9 Administration Refresher Series - SAS Support Communities
Authorization in SAS 9 determines which users have access to various resources. In part one of this security discussion, I covered an overview of Metadata-based Authorization and how it can be used to control access to content. Here I will discuss using roles and capabilities to grant access to functionality.
Metadata Roles
Roles in SAS 9 control access to application features. These control what users can do, not what they can access. Application features like menu options, plug-ins, or buttons are controlled by capabilities granted by roles. Those capabilities enable specific features in SAS applications.
How do users get this functionality? Usually through group memberships. Roles assigned to groups grant their functionality to people in those groups. Notice that I write about granting functionality – there is no revoking a capability or functionality once a capability is granted. Being additive, it is important to know for troubleshooting that multiple roles may offer the same capabilities.
Administrators can, if needed, create custom roles for finer control. You can use SAS Management Console or SAS Environment Manager to assess capabilities and roles, under the User Manager in SAS Management Console, or the Users page of SAS Environment Manager’s Administration Page.
Access to Functionality
SAS 9 ships with a wide range of pre-configured roles that govern this access to functionality. And most non-administrator capabilities are granted at a high level. Below is an overview of some of the capabilities assigned to common roles.
When you view roles in the user interfaces, you can tell immediately whether all capabilities under a category are granted or not, based on the iconography present.
SAS Management Console on the left, SAS Environment Manager Administration on the right.
Below you will find some information about pre-configured roles.
> Note: There is no automated way to roll back a role to its original capabilities. In many cases making a copy of a role or creating a new role is the best way to change predefined roles.
Roles for SAS Management Console
SAS Management Console provides two default roles: Advanced and Content Management. As you can see, these capabilities are bundled together. You might want to create a Scheduler Role and select different capabilities to grant that group.
|
Capability |
Advanced Role | Content Management Role |
| Access Unregistered Plug-ins | X | |
| Application Monitor | X | |
| Authorization Manager | X | X |
| Data Library Manager | X | X |
| Folder View | X | X |
| Foundation Services Manager | X | |
| Metadata Manager | X | |
| Publishing Framework | X | |
| Schedule Manager | X | |
| Server Manager | X | |
| User Manager | X | X |
Chart from: SAS Help Center: Administering Roles
SAS Studio Role
There is a predefined role for SAS Studio: Usage that is granted to all SASUSERS of the SAS 9 environment. By default, SASUSERS include everyone who can successfully log on to SAS 9, so everyone may use SAS Studio. But if you wish to change that and modify the scope of who may use the tool, you can remove the role from SASUSERS and grant it to another group.
Roles for SAS Enterprise Guide
There are four roles included with SAS Enterprise Guide: Advanced, OLAP, Analysis, and Programming. If you create additional custom roles make sure they are exported in a package before an upgrade of SAS Enterprise Guide, so you can import them again afterwards.
Due to the extensive capabilities, here’s a link to the chart in SAS Documentation listing the capabilities here: SAS Help Center: Default Roles and Capabilities for SAS Enterprise Guide.
Roles for SAS Add-In for Microsoft Office
There are three roles included for the SAS Add-In for Microsoft Office: Advanced, OLAP, and Analysis. Due to the extensive capabilities, here’s a link to the chart in SAS Documentation listing the capabilities here: SAS Help Center: Default Roles and Capabilities for the SAS Add-In for Microsoft Office.
Roles for SAS Environment Manager Administration
Page-level capabilities and features for SAS Environment Manager Administration are controlled by a variety of capabilities in the SAS 9 platform. Both the initial capabilities and any role requirements are documented here: SAS Help Center: Roles and Capabilities.
Roles for SAS Visual Analytics
SAS Visual Analytics has five predefined roles: Basic, Report Viewing, Analysis, Data Building, and Administration. These roles and the capabilities they grant for SAS Visual Analytics are documented here: SAS Help Center: Roles and Capabilities.
Roles for SAS Web Report Studio
SAS Web Report Studio includes three predefined roles: Report Viewing, Report Creation, Advanced. These roles and the capabilities they grant are documented here: SAS Help Center: Predefined Roles.
Roles for the Metadata Server
In addition to client application roles, there are some administrative roles that allow control over the metadata server. These capabilities cannot be modified. Also please don’t give them out unless someone is a SAS Administrator.
|
Metadata Server: Unrestricted |
Members have all capabilities and full access to metadata (but they cannot read other users’ passwords). |
| Metadata Server: User Administration | Members can create and manage restricted users, groups, roles, internal accounts, logins, and authentication domains. |
| Management Console: Advanced | Members can see all plug-ins in SAS Management Console. |
Make sure to view SAS documentation for more roles that give out capabilities if some of the ones you are looking at here do not suit your needs. Alternatively, remember that you can create your own as well, if some functionality that you want to give to a group of users is not covered by the built-in functionality. Thanks for reading!
Find more articles from SAS Global Enablement and Learning here.
