The initial installation of a SAS Metadata Server gives access to all users who are not defined in SAS User Manager. After testing the entire install and before deploying to the business, it is recommended that the security defined in the ‘Users & Permissions’ tab of the Default ACT be modified to the following layout:
Identity | RM | CIM | Admin | Create | WM | R | W | Delete |
SAS System Services (saswbadm, sastrust) | G | |||||||
SAS Administrator (sasadm) | G | G | G | G | G | G | G | G |
PUBLIC | D | D | D | D | D | D | D | D |
SASUSERS | G | G | G | |||||
Portal Admins | G | G | G | G | G | G |
Note – Denying all access to Public will then REQUIRE that all individuals are defined in the SAS User Manager.
*All defined users in the SAS User Manager fall into the ‘SASUSERS’ group. The above Default ACT settings will then allow defined users Read Metadata, Write Metadata and Read on all SAS Objects.
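An added example, not part of the original post and not SAS code: a simplified Python model of the Default ACT layout above, comparing an open ACT with the hardened one for a defined and an undefined user. Assumptions: the most specific identity with a setting decides, a deny beats a grant at the same level, and no setting means no access; `INITIAL` is a constructed stand-in for the open initial install, and the Portal Admins row is left out because the layout does not show which columns its grants fall in.

```python
# Simplified model (an assumption, not SAS code): the most specific identity
# that has a setting for a permission decides; no setting at all means no access.
PERMS = ["RM", "CIM", "Admin", "Create", "WM", "R", "W", "Delete"]

def row(grants="", denies=""):
    """Build one ACT row, e.g. {'RM': 'G'}, from space-separated permission names."""
    r = {p: "G" for p in grants.split()}
    r.update({p: "D" for p in denies.split()})
    return r

# Hardened Default ACT: only the rows the page states unambiguously.
HARDENED = {
    "SAS Administrator": row(grants=" ".join(PERMS)),
    "SAS System Services": row(grants="RM"),
    "SASUSERS": row(grants="RM WM R"),
    "PUBLIC": row(denies=" ".join(PERMS)),
}
# Constructed "before" state: PUBLIC still granted, standing in for the open
# initial install the page describes (the exact initial grants are assumed).
INITIAL = dict(HARDENED, PUBLIC=row(grants="RM WM R"))

def identity_chain(user, groups, defined):
    """Most specific first: user, own groups, then implicit SASUSERS and PUBLIC."""
    chain = [[user], list(groups), ["SASUSERS"]] if defined else []
    chain.append(["PUBLIC"])  # everyone, defined or not, is in PUBLIC
    return chain

def effective(act, user, groups=(), defined=True):
    """Return the set of permissions the user ends up with under this ACT."""
    granted = set()
    for perm in PERMS:
        for level in identity_chain(user, groups, defined):
            settings = {act[i][perm] for i in level if perm in act.get(i, {})}
            if settings:
                # A deny at the deciding level wins over a grant at that level.
                if settings == {"G"}:
                    granted.add(perm)
                break
    return granted

def audit(act):
    """Flag the condition the page warns about: access without a defined identity."""
    return sorted(effective(act, "walk-in", defined=False), key=PERMS.index)

if __name__ == "__main__":
    for name, act in (("initial", INITIAL), ("hardened", HARDENED)):
        print(name, "- undefined user gets:", audit(act) or "nothing")
    print("defined user gets:", sorted(effective(HARDENED, "jdoe"), key=PERMS.index))
```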
6 Comments
Hi Angela. Thanks for sharing this, it's great info.
Question for you: The idea of adding Public as an implicit group was to open SASMC/Metadata for the initial authentication of the first metadata user after an install & config.
Later on, the authentication process includes Public to verify whether the user has, or has not, a metadata identity. If an identity is found, the Metadata Server looks for Sasusers, in a next step for groups and last but not least for the individual user.
If you remove Public from the default ACT, the initial authentication wouldn't work successfully. Did you run into any problems when removing Public from the ACT? (given SASUsers got a grant at the same time)
Could you give me some more details/info on "what happens behind the scenes" if you remove public - clarify the authentication process for me?
Thanks!!
Anja
Anja,
I only recommended modifying the Public group in the ACT to Deny all, rather than remove it altogether.
Included is one of my favorite papers on the topic of ACT permissions. http://support.sas.com/resources/papers/proceedings11/376-2011.pdf
~ Angela
What groups should I add to "Default ACT" in case you want to deny SASUSERS and allow RM WM only for specific groups (Consumers, Content Administrators, Developers)?
I'm referring to a SAS 93 BI.
Create these groups ('Consumers', 'Content Administrators', 'Developers') in the User Manager plugin in SAS Management Console. Then add these groups to the Default ACT.
Another & better way is to create a group (say 'MasterUsers') of groups (that includes 'Consumers', 'Content Admin', 'Developers' groups) and this 'MasterUsers' group would be added to the Default ACT in place of SASUSERS.
Of course, all other users of SAS will need some level of access defined in DefaultACT - otherwise they would not be able to do anything. The SASUSERS group is the catch-all for everyone with defined identities not currently covered in another group.
You can certainly remove the PUBLIC group altogether from the ACT. This is an implicit group when the user isn't already defined in the system.
Is Denying Public 'All' the same as removing Public from the ACT?