. Message was edited by: Anbarasu

I think restricting user to logon SMC is possible if you remove SMC software from the user machine. Because all SAS Client (including SMC) software logins are depend on Centralized SAS metadata profile which is stored in SAS Metadata server. So I hope u shall not have separate metadata profile for individual clients.

If it is shared computer system you can give read access to the particular user’s Metadata profile so that you can prevent data & other damages.

Correct me if I am wrong.

What you have said is correct, and infact we are following the same here, but I though there should be a away to restrict users for login to SMC.
And I was also looking at ways of blocking a user from accessing any of the tools, say if a user is given access to CI studio, but now we realized that he should be blocked or locked for some reason, but I did not find a way to do that.

From my experience and talking about the v9.1.3 SP4, access restrictions are not at the client level, but at the server level. So access management is specific to the metadata that is stored within the server (repositories, tables, users, etc...). This said, the way you access the server cannot be limited (SAS DI, SMC, or even proc metadata through a SAS Base session).

For restricting the use to one of the clients application you should indeed uninstall the application from the user workstation.

Access to the metadata can be restricted. And you can easily block the access to any user you wish, just by doing the right user group management.

You should be aware of the two implicit user groups.

PUBLIC - this is for any users that can access the metadata server.
SASUSERS - this is for any users that can access the metadata server AND is registered there.

So, any user that can access the metadata server is a PUBLIC user, and may or may not be a SASUSER (registered user).

Now if you remove every access of the PUBLIC group (read, write, administer) and unregister the user you want to block from the metadata server, the user will fall into the PUBLIC group and so, will not be permitted any kind of access to the metadata.
If you wish to grant him readonly access, you could set the all permissions of the SASUSERS to readonly, remove the user of any group, leave its registration, and so the user will implicitly be part of the SASUSERS group.

Another thing that is misunderstood is the Authorization tab of the User Manager. This actually does not define the access that the user or group has to other resources. It controls who can view or update that user or group definition. Access control to the resources is done through the ACT (Access Control Template) under the Authorization Manager.

Hope it helps.

Cheers from Portugal.

Daniel Santos @ www.cgd.pt.

Thanks for a detailed reply.
And I agree uninstall is a way, but its also possible that the user may can reinstall the application.
Or if we want to lock the user temporary then uninstall is not an option.
Actually I am trying to compare it with Oracle, where in a User can be locked and unlocked, its that simple.
I find thus user access control quite confusing here.