Solved: Re: Creating roles in SMC

rag · Posted 11-13-2012 03:00 PM

Hi,

I am trying to create roles in such a way that: useradmin roles has capabilities only to user management, library admin to be able to create only libraries in smc etc...i tried to create new roles and assign on particular capability for eg: only usermanager capability iin capability tab, and then even tried to deny readmetadata to sasusers for content management role but nothing worked.... ....i even tried to add usermanagement cabaility into contributing roles tab and tried all over again but nothin.. am i really missing something here....please advice...

Thanks.

PaulHomes · Posted 11-13-2012 05:38 PM

Hi,

I suspect you are experiencing this because the SASUSERS group (of which everyone who has a SAS identity is an implicit member of) is, by default, a member of the "Management Console: Advanced" role which provides access to a number of plug-ins (including User Manager, Data Library Manager and Authorization Manager). If you want to limit a subset of your users to a smaller set of plug-ins then it will be necessary to first remove SASUSERS from this role (remembering to ensure that everyone who should have access to those plug-ins still has access to them via another role or roles). An alternative way is to edit the "Management Console: Advanced" role and remove the capabilities you don't want to provide to SASUSERS, however modifying the capability set for pre-defined roles is not a recommend approach. Instead the recommendations are to only modify the membership of the pre-defined roles and create custom roles with appropriate memberships when you need different capability sets.

In addition to the standard SAS documentation on roles and capabilities, I would recommend having a read of an excellent SAS Global Forum 2010 paper by Kathy Wisniewski on the topic: Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2.

I've also wrote about tracking multiple paths to a capability in a blog post last year: Capability Reviewer Preview: who has access to a capability and how?

I hope this helps.

Cheers

Paul

View solution in original post

PaulHomes · Posted 11-13-2012 05:38 PM

Hi,

I suspect you are experiencing this because the SASUSERS group (of which everyone who has a SAS identity is an implicit member of) is, by default, a member of the "Management Console: Advanced" role which provides access to a number of plug-ins (including User Manager, Data Library Manager and Authorization Manager). If you want to limit a subset of your users to a smaller set of plug-ins then it will be necessary to first remove SASUSERS from this role (remembering to ensure that everyone who should have access to those plug-ins still has access to them via another role or roles). An alternative way is to edit the "Management Console: Advanced" role and remove the capabilities you don't want to provide to SASUSERS, however modifying the capability set for pre-defined roles is not a recommend approach. Instead the recommendations are to only modify the membership of the pre-defined roles and create custom roles with appropriate memberships when you need different capability sets.

In addition to the standard SAS documentation on roles and capabilities, I would recommend having a read of an excellent SAS Global Forum 2010 paper by Kathy Wisniewski on the topic: Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2.

I've also wrote about tracking multiple paths to a capability in a blog post last year: Capability Reviewer Preview: who has access to a capability and how?

I hope this helps.

Cheers

Paul

rag · Posted 11-14-2012 01:52 PM

Thanks Paul, That really helped me. I saw that SASUsers was group was added to content management role but then i removed it from there and denied read metadata option for sasusers there and it looks like it worked. But will have to test and see if removing sasusers affects any user/role or anything.

Thank you much.

Ragu.

PaulHomes · Posted 11-14-2012 06:48 PM

Glad I could help. By the way, you don't normally need to change the metadata permissions on the roles (away from the defaults) unless you have particular requirements to do so.