I've bragged about how easy it is to install custom tasks for SAS Enterprise Guide. It's simple: you copy the .NET assembly (usually a single DLL file) into one of the designated folders in your SAS Enterprise Guide installation, and your task just shows up in the menu. Since I have made several custom tasks available for download from this blog, it's possible for users to spend just a few minutes to acquire capabilities that they didn't have before. (By the way, this also applies to the SAS Add-In for Microsoft Office.)
This can trigger anxiety for some SAS administrators. A custom task, despite it's usefulness, might work against the policies of those who maintain a SAS environment. For example, the Copy Files task makes it very easy to move files between your SAS server and your local PC. Some organizations don't want server-based files to leave their controlled server environment, so this type of custom task is a thorn in their side.
Fortunately, SAS administrators can control access to these capabilities by defining roles in SAS metadata, and then associating those roles with users or groups of users. Each role has a list of capabilities that are permitted. If a user's role doesn't permit a certain capability, then that feature simply doesn't appear in the SAS Enterprise Guide user interface.
Custom tasks are a special case for administration. A custom task is a new capability, and so by definition it's not known to SAS metadata. If it's not known, how can you control it? You accomplish it by following these general steps:
- First, examine the capability named Access Unregistered Custom Tasks. Do you want your users to be able to add their own tasks? Even if you allow this, you can still "disallow" certain custom tasks if you register them in metadata.
- Next, register the custom tasks that you want to control into SAS metadata. SAS Enterprise Guide provides a tool to do this. (It's not in SAS Management Console.)
- With the task now listed in SAS metadata, use SAS Management Console to control which roles (and therefore, which users) have the permission to run the task.
In the remainder of this post, we'll explore these steps...in pictures.
In SAS Enterprise Guide, select Tools->Add-In Manager to register the task on one machine
It's important to use Add-In Manager (not the easier "drop-in" deployment) for this step, as it updates a version of the local SAS Enterprise Guide task list so that it contains information about the task.
In SAS Enterprise Guide, select Tools->SAS Enterprise Guide Explorer and use the Task Import Wizard
SAS Enterprise Guide Explorer provides this special tool that can examine the local task list (which now contains your custom task) and identify the "new" tasks that are not yet part of the SAS Metadata Server. This tool allows you to add those new tasks into the metadata-controlled list.
In SAS Management Console, edit role to disallow unregistered custom tasks
This step is optional -- if you don't want your end users to add any custom tasks on their own. You can restrict access to any custom tasks that you add to SAS metadata.
In SAS Management Console, edit role to allow desired custom tasks for appropriate groups
The new tasks show up under an "Imported Tasks" group. For any given role you can decide whether the task is allowed.
Result: End user sees "restricted" functions
Once the settings are in effect, the end user will see that his/her functions are restricted -- as indicated in the SAS Enterprise Guide status area on the bottom of the window.
The user can click the "Functions" link to see the full list of features that are available in the product, along with an indication as to which are disallowed for the user. The user can use this information to "petition" the SAS administrator for access to additional capabilities, if desired. (Ah, the power of a SAS administrator!)