Hello Juan,
When performing a Check out on an object like a SAS Data Integration Studio job, the job will almost always contain references to metadata objects that are not surfaced within Folders. Objects that are not surfaced in Folders tabs in SAS Management Console or SAS Data Integration Studio inherit permissions directly from the Default ACT (or the ACT that is designated as Default). Query Tables, Work Tables, Feature Maps, and Classifier Maps are examples of objects that fall into this category.
As you have discovered, if the user that is attempting to perform a Change Management task (like Check Out) is not granted CheckInMetadata permissions via an ACT, you will not be able to leverage Change Management in DI Studio.
Here is one solution:
Go to the Authorization Manager plug-in and edit the Default ACT. Grant CheckInMetadata permissions to the SASUSERS group on the Permissions Pattern tab under Properties for the Default ACT. Save the change.
Open Properties on the root "SAS Folders" object under the Folders tab in SAS Management Console, go to the Authorization tab, highlight the SASUSERS group, then select on Deny for CheckInMetadata so this permission is explicitly denied at the folder root.
This grants the CheckInMetadata permission for all dependent metadata objects, but denies CheckInMetadata to all registered users for all objects that do inherit permissions from folders. The result is that the only folders that will allow Check Out and Check In will be those that you configured based on the Change Management documentation.
If you prefer, you can limit the scope using an alternative like the following:
Create a new Group under User Manager (Change Management Users?) and make all users that need to leverage Change Management functionality within DI Studio members of this group. Save the group.
Go to the Authorization Manager plug-in and edit the Default ACT. Add this new group to the Default ACT on the Permission Pattern tab and grant this group ReadMetadata and CheckInMetadata.
Open Properties on the root "SAS Folders" object under the Folders tab in SAS Management Console, go to the Authorization tab, examine the permissions for each of the Users/Groups to verify that no one is being granted CheckInMetadata at this level.
The only users that are granted any CheckInMetadata permissions in the Default ACT are those in the Change Management Users group, not all users. The only locations where users will be able to perform Check Out and Check In will be those you set up when following the documentation on using Change Management.
I performed testing and confirmed that these options successfully resolve the Check Out issues.
Regards,
Tom
... View more