Roles and Capabilities Overview
The SAS implementation of roles enables administrators to manage the availability of
application features such as menu items, plug-ins, and buttons. Applications that have
roles include the SAS Add-In for Microsoft Office, SAS Enterprise Guide, SAS Forecast
Studio, SAS Management Console, and SAS Web Report Studio. For example, role
memberships determine whether a user can see the Server Manager plug-in (in SAS
Management Console), compare data (in SAS Enterprise Guide), or directly open an
information map (in SAS Web Report Studio). Administrators can assign roles to users
and to groups.
An application feature that is under role management is called a capability. Each
application that supports roles provides a fixed set of explicit and implicit capabilities.
Explicit capabilities can be incrementally added to or removed from any role (other than
the unrestricted role, which always provides all explicit capabilities). An implicit
capability is permanently bound to a certain role. A contributed capability is an implicit
or explicit capability that is assigned through role aggregation. If one role is designated
as a contributing role for another role, all of the first role's capabilities become
contributed capabilities for the second role.
In general, roles are separate from permissions and do not affect access to metadata or
Authentication and Identity Management
Authentication is an identity verification process that attempts to determine whether
users (and other entities) are who they say they are. In the simplest case, users already
have accounts that are known to the metadata server's host. For example, if the metadata
server is on UNIX, then users might have accounts in an LDAP provider that the UNIX
host recognizes. If the metadata server is on Windows, then users might have Active
For accountability, we recommend creating an individual SAS identity for each person
who uses the SAS environment. These identities enable administrators to make access
distinctions and audit individual actions in the metadata layer. The identities also provide
personal folders for each user. The metadata server maintains its own copy of each user
ID for the purpose of establishing a SAS identity.
Identity management tasks can be performed manually using SAS Management Console
or by using the following batch processes:
• To load user information into the metadata repository, you first extract user and
group information from one or more enterprise identity sources. Then you use SAS
bulk-load macros to create identity metadata from the extracted information. SAS
provides sample applications that extract user and group information and logins from
an Active Directory server and from UNIX /etc/passwd and /etc/group files.
• To periodically update user information in the metadata repository, you extract user
and group information from your enterprise identity sources and from the SAS
metadata. Then you use SAS macros to compare the two sets of data and identify the
56 Chapter 7 • Security Overview
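The comparison step described in the second bullet, as an added Python example that is not SAS's own extraction code or macros: it parses constructed /etc/passwd and /etc/group text, then compares the result with a hypothetical snapshot of identities already held in metadata. The change categories (add, remove, update), the `min_uid` cutoff, and all names and sample values are assumptions.

```python
# Added example. All sample data is constructed, not taken from a real host.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1001:1001:Alice Ng,,,:/home/alice:/bin/bash
bob:x:1002:1002:Bob Ruiz:/home/bob:/bin/bash
"""
GROUP = """\
analysts:x:2001:alice,bob
sasadmins:x:2002:alice
"""
# Hypothetical snapshot of the identities currently registered in metadata.
METADATA = {
    "alice": {"name": "Alice Ng", "groups": {"analysts"}},
    "carol": {"name": "Carol Diaz", "groups": {"analysts", "sasadmins"}},
}

def extract(passwd_text, group_text, min_uid=1000):
    """Build {user_id: {name, groups}}; min_uid (assumed) skips system accounts."""
    users = {}
    for line in passwd_text.splitlines():
        f = line.split(":")
        if line.startswith("#") or len(f) != 7 or not f[2].isdigit():
            continue  # comment or malformed entry
        if int(f[2]) >= min_uid:
            # GECOS field: the display name is the part before the first comma.
            users[f[0]] = {"name": f[4].split(",")[0], "groups": set()}
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) != 4:
            continue
        # Only supplementary members are listed here; primary GIDs are not resolved.
        for member in filter(None, f[3].split(",")):
            if member in users:
                users[member]["groups"].add(f[0])
    return users

def compare(source, metadata):
    """Return the changes that would bring metadata in line with the source."""
    changes = {"add": sorted(source.keys() - metadata.keys()),
               "remove": sorted(metadata.keys() - source.keys()),
               "update": {}}
    for uid in source.keys() & metadata.keys():
        delta = {k: (metadata[uid][k], source[uid][k])
                 for k in ("name", "groups") if metadata[uid][k] != source[uid][k]}
        if delta:
            changes["update"][uid] = delta  # field -> (current, new)
    return changes

if __name__ == "__main__":
    print(compare(extract(PASSWD, GROUP), METADATA))
```

Entries under `remove` are identities that still exist in the metadata snapshot but are gone from the source, so they are the ones to review first when individual accountability matters.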