Overview of Initial Roles, Groups, and Users

About User Roles for System Administration

Overview of System Administration User Roles

A user role is a set of capabilities. Some SAS applications make certain actions available only to users or groups that have a particular role. To enable a user or group to perform those actions, you add the user or group to the appropriate role.
During installation, the SAS Deployment Wizard creates metadata definitions for several user roles. The following initial roles are created for performing system administration tasks:
The SAS Deployment Wizard also creates some additional roles for users of specific client applications, including SAS Enterprise Guide, SAS Web Report Studio, and SAS Add-In for Microsoft Office.
Note:
  • To understand how role assignments affect a user's ability to perform the system administration tasks that are documented in this guide, see Who Can Do What: Credential Requirements for SAS Management Console Tasks.
  • For information about how to add users to roles or to define additional roles, see “Managing Users, Groups, and Roles” in the SAS Intelligence Platform: Security Administration Guide.

Metadata Server: Unrestricted Role

Note: The initial name of this role is META: Unrestricted Users Role, and the initial display name for this role is Metadata Server: Unrestricted.
The Metadata Server: Unrestricted role has access to all metadata regardless of SAS permissions settings. Users in this role, which are referred to as unrestricted users, can do the following:
  • perform all of the functions that users in the Metadata Server: User Administration and Metadata Server: Operation roles can perform
  • access all metadata except user passwords
  • continue to access metadata repositories and use features of SAS Management Console when the metadata server is paused to the Administration state
Follow these important guidelines when using an account that is in the Metadata Server: Unrestricted role:
  • This role is intended only for tasks that require unrestricted access to metadata (for example, adding other users to the Metadata Server: Unrestricted role, performing tasks when the metadata server is paused to the Administration state, and creating, deleting, formatting, and unregistering foundation repositories).
  • Use the accounts in this role only to log on to SAS Management Console. You should not use these accounts to log on to other client applications.
The SAS Deployment Wizard places one user in this role. This user, which is generally called the SAS Administrator, is specified in the file adminUsers.txt. For details, see About the Initial User Accounts.
Note: The Metadata Server: Unrestricted role provides access to the metadata server, not to other SAS servers. Some administration tasks require access to a SAS Application Server, which might require additional credentials. For details, see Who Can Do What: Credential Requirements for SAS Management Console Tasks.

Metadata Server: User Administration Role

Note: The initial name of this role is META: User and Group Administrators Role, and the initial display name for this role is Metadata Server: User Administration. The SAS Deployment Wizard assigns the SAS Administrators group to this role.
Users who are assigned to the Metadata Server: User Administration role can create and modify users, groups, and roles. Users in this role are authorized to update user passwords. They cannot read existing passwords, except the passwords for their own logins.
For details about the user administration tasks, see the SAS Intelligence Platform: Security Administration Guide.

Metadata Server: Operation Role

Note: The initial name of this role is META: Operators Role, and the initial display name for this role is Metadata Server: Operation. The SAS Deployment Wizard assigns the SAS Administrators group to this role.
Users who are assigned to the Metadata Server: Operation role can perform the following tasks:
  • stop, pause, resume, and reset (or refresh) the metadata server
  • add, delete, format, and unregister metadata repositories (except the foundation repository)
  • administer the metadata server backup and recovery facility
Users who perform these tasks must also be assigned to the SAS Management Console Advanced Role, which provides access to the Metadata Manager plug-in.

Management Console: Advanced Role

The Management Console: Advanced role is initially configured to allow access to all of the plug-ins in SAS Management Console. The SAS Deployment Wizard assigns the SAS Administrators group to this role.
You must make the following additional role assignments to enable certain functions:
  • the Metadata Server: User Administration role or the Metadata Server: Unrestricted role, to access functionality within the User Manager plug-in
  • the Metadata Server: Operation role or the Metadata Server: Unrestricted role, to access some functions within the Metadata Manager plug-in

Management Console: Content Management Role

The Management Console: Content Management role is initially configured to enable access to the following features of SAS Management Console:
  • the User Manager, Authorization Manager, and Library Manager plug-ins
  • the Folders tab
To have access to certain functionality within the User Manager plug-in, the user must also be assigned to the Metadata Server: User Administration role or the Metadata Server: Unrestricted role.

About the Initial User Groups

User Groups Initially Defined in the Operating System

On some of the machines in your configuration, the following operating system user groups might have been defined during installation:
sas (UNIX only)
This group is used to control access to the configuration directories on UNIX machines. The group includes the installer (the sas user). Typically, you will not add any other users to this group.
SAS Server Users (Windows only)
This group might have been created on Windows machines that have stored process servers, pooled workspace servers, or standard workspace servers installed. During the installation process, you should have assigned this group the right to Log on as a batch job, which is required in order to start processes for those servers.
If you are not using Integrated Windows authentication, then you can add users to this group to enable them to start workspace server processes.
SASGRP (z/OS only)
On z/OS systems, this RACF group is used to control access to the configuration directory. The group is defined with an OMVS segment and is set as the default group for the SAS Installer and SAS Spawned Servers accounts.

User Groups Initially Defined in Metadata

The SAS Deployment Wizard creates the following user groups in metadata. These groups are part of the SAS Intelligence Platform security infrastructure. For information about how they are used to implement security, see the SAS Intelligence Platform: Security Administration Guide.
PUBLIC
a standard group with implicit membership. This group includes everyone who can access the metadata server, either directly or through a trust relationship. A user who does not have an individual identity uses the PUBLIC group identity.
SASUSERS
a standard group with implicit membership. This group includes all users who have individual identities.
SAS Administrators
a standard group for metadata administrators. By default, this group is granted broad access to the metadata and has all roles other than the Metadata Server: Unrestricted role.
SAS System Services
a standard group for service identities that need to read server definitions or other system resources.
SAS General Servers
a standard group whose members can be used for launching stored process servers and pooled workspace servers.
LSF Services
a group whose members can schedule jobs in the LSF component of Platform Suite for SAS. This group is part of the standard configuration for sites that use Platform Suite for SAS to schedule SAS Web Report Studio reports. The LSF Services group is not needed if you use SAS In-Process Services to schedule reports.
See also: lsfuser

About the Initial User Accounts

Overview of the Initial User Accounts

During installation, the SAS Deployment Wizard creates several initial user accounts. Some of these user accounts are created for all installations, some of the accounts are optional, and some of the accounts are created only if certain software components are installed. For each account, the following topics provide the default name and user ID, information about whether or when the account is required, the account's purpose and use, and the locations where the account is set up.
Note: These user accounts might have been assigned different names at your site.

SAS Administrator

SAS Administrator Characteristics

| Type of Installation | Default User Name | Default User ID | Required? | Location of Account |
|---|---|---|---|---|
| Default settings | SAS Administrator | sasadm@saspw | Yes | Metadata |
| External authentication selected | SAS Administrator | sasadm | Yes | Metadata and OS |
| Migrated from 9.1.3 | SAS Administrator | sasadm | Yes | Metadata and OS |

The SAS Administrator user account has privileges that are associated with the Metadata Server: Unrestricted role. See Metadata Server: Unrestricted Role. In addition, the SAS Administrator account is initially a member of the SAS Administrators group.
This user is defined in the following locations:
  • in the file adminUsers.txt, which is typically located in the following path:
    SAS-configuration-directory/Lev1/SASMeta/MetadataServer
    This file ensures that your site will always have at least one user with the privileges of an unrestricted user, regardless of what is specified in metadata. You cannot override this user's privileges by modifying the user definition in SAS Management Console.
  • in metadata.
  • in the operating system of the metadata server machine, only in the following situations:
    • You selected the external authentication option for this user during a custom installation.
    • You migrated your system from SAS 9.1.3 to SAS 9.3.
In default installations of SAS 9.3, the SAS Administrator is an internal user account that is known only to SAS and that is authenticated internally in metadata. When internal authentication is used, it is not necessary for this user to have a local or network account.
Note: We recommend that you establish individual metadata administrators rather than sharing the SAS Administrator account. See “Security Tasks” in the SAS Intelligence Platform: Security Administration Guide.

SAS Trusted User

SAS Trusted User Characteristics

| Type of Installation | Default User Name | Default User ID | Required? | Location of Account |
|---|---|---|---|---|
| Default settings | SAS Trusted User | sastrust@saspw | Yes | Metadata |
| External authentication selected | SAS Trusted User | sastrust | Yes | Metadata and OS |
| Migrated from 9.1.3 | SAS Trusted User | sastrust | Yes | Metadata and OS |

The SAS Trusted User is a privileged service account that can act on behalf of other users on a connection to the metadata server. No user should log on directly as a trusted user, except to perform certain administrative tasks associated with the SAS Information Delivery Portal. For details about those tasks, see the SAS Intelligence Platform: Web Application Administration Guide.
The SAS Trusted User is defined in the following locations:
  • in metadata.
  • in the file trustedUsers.txt, which is typically located in the following path:
    SAS-configuration-directory/Lev1/SASMeta/MetadataServer
    A user is granted privileges as a trusted user only if the user is specified in this file.
    Note: Typically, there is no reason to add more IDs to this file. In particular, do not add regular users to this file.
  • in the operating system of the metadata server machine, only in the following situations:
    • You selected the external authentication option for this user during a custom installation.
    • You migrated your system from SAS 9.1.3 to SAS 9.2.
In default installations of SAS 9.3, the SAS Trusted User is an internal user account that is known only to SAS and that is authenticated internally in metadata. When internal authentication is used, it is not necessary for this user to have a local or network account.
For detailed information about this user, see the SAS Intelligence Platform: Security Administration Guide.
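
Because unrestricted and trusted privileges come from adminUsers.txt and trustedUsers.txt rather than from metadata alone, a periodic check of both files against a known baseline is worthwhile. The following is an added example, not code from SAS: it assumes a file format of one user ID per line with an optional leading asterisk (the format is not described on this page), uses the default-installation IDs from the tables above as the baseline, and runs on constructed sample files in which jsmith is a made-up ID.

```python
import os
import stat
import tempfile

# Baseline: default-installation IDs from this page. Sites that selected
# external authentication would list sasadm and sastrust instead.
EXPECTED = {
    "adminUsers.txt": {"sasadm@saspw"},
    "trustedUsers.txt": {"sastrust@saspw"},
}

def read_ids(path):
    """Return the user IDs listed in a privilege file.

    Assumed format: one ID per line, optional leading '*', blank lines ignored.
    """
    ids = []
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            entry = line.strip().lstrip("*").strip()
            if entry:
                ids.append(entry)
    return ids

def audit(server_dir, expected=EXPECTED):
    """Return sorted findings for the privilege files in MetadataServer."""
    findings = []
    for name, allowed in expected.items():
        path = os.path.join(server_dir, name)
        if not os.path.isfile(path):
            findings.append(f"{name}: missing")
            continue
        for uid in read_ids(path):
            if uid not in allowed:
                findings.append(f"{name}: unexpected ID {uid}")
        # Anyone who can write this file can grant the privilege (POSIX check).
        if os.name == "posix" and os.stat(path).st_mode & stat.S_IWOTH:
            findings.append(f"{name}: world-writable")
    return sorted(findings)

def demo():
    """Audit constructed sample files (not real site data)."""
    samples = {"adminUsers.txt": "*sasadm@saspw\n",
               "trustedUsers.txt": "sastrust@saspw\njsmith\n"}
    with tempfile.TemporaryDirectory() as d:
        for name, body in samples.items():
            path = os.path.join(d, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, 0o640)
        return audit(d)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

To check a real deployment, call audit() with the SAS-configuration-directory/Lev1/SASMeta/MetadataServer path and a baseline that matches the IDs in use at your site.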

SAS Installer

SAS Installer Characteristics

| Default User Name | Default User ID | Required? | Location of Account |
|---|---|---|---|
| SAS Installer | sas | Yes | OS |

The SAS Installer is a user account that is used to install and configure SAS software. On UNIX and z/OS systems, this account is the owner of configuration directories and their contents and is the process owner for items such as the metadata server, the OLAP server, and the object spawner. The account should continue to be available after installation so that it can be used to apply maintenance.
The SAS Installer account must be defined in the operating systems of the following machines:
  • the metadata server machine
  • machines that host an OLAP server
  • machines where the object spawner is installed
This user is not defined in metadata.

SAS Spawned Servers Account

SAS Spawned Servers Account

| Default User Name | Default User ID | Required? | Location of Account |
|---|---|---|---|
| SAS Spawned Servers | sassrv | Yes | OS and metadata (as a login for the SAS General Servers group) |

The SAS Spawned Servers account is the initially configured process owner for pooled workspace servers and stored process servers. An account for this user must be defined in the operating system of the following machines:
  • machines that host a stored process server
  • machines that host a pooled workspace server
During the installation process on Windows machines, this user should have been assigned the right to Log on as a batch job. This right can also be assigned by adding the user to the SAS Server Users group.
This user does not have an individual metadata identity. However, a login for this user is defined for the SAS General Servers group.

SAS First User

SAS First User Characteristics

| Default User Name | Default User ID | Required? | Location of Account |
|---|---|---|---|
| SAS Demo User | sasdemo | No | Metadata and OS |

The SAS First User is an optional account that can serve as a generic end user when you are testing any of the SAS client applications. During installation, the Software Deployment Wizard enables you to specify whether to create this user.
If you selected the option to create this user, then the user's account is defined in the following locations:
  • in metadata
  • in the operating system of the metadata server machine and workspace server machine
During the installation process on Windows machines, this user should have been assigned the right to Log on as a batch job. This right can also be assigned by adding the user to the SAS Server Users group.

SAS Anonymous Web User

SAS Anonymous Web User Characteristics

| Type of Installation | Default User Name | Default User ID | Required? | Location of Account |
|---|---|---|---|---|
| Default settings | SAS Anonymous Web User | webanon@saspw | No | Metadata |
| External authentication selected | SAS Anonymous Web User | webanon | No | Metadata and OS |

The SAS Anonymous Web User is an optional account that is used to grant clients access to applicable SAS Web Infrastructure Platform components. When Web clients request access to Web services, they are not prompted for credentials but instead are granted access under this user account.
This user is defined in the following locations:
  • in metadata. In default installations, the SAS Anonymous Web User is an internal user account that is known only to SAS and that is authenticated internally in metadata. When internal authentication is used, it is not necessary for this user to have a local or network account.
  • in the operating system of the metadata server machine, only if you selected the external authentication option for this user during a custom installation.

LSF Administrator

LSF Administrator Characteristics

| Default User ID | Required? | Location of Account |
|---|---|---|
| none | Yes, if Platform Suite for SAS is installed | OS |

The LSF administrator is the primary administrator for the Platform scheduling server and the owner of the Process Manager server. This user is required only if you have installed Platform Suite for SAS in support of either scheduling or grid computing.
The LSF administrator account must be defined in the operating system of the machine where Platform Suite for SAS is installed. This user must have full control of the LSF and Process Manager directories. On Windows systems, this user must belong to the Administrators Group and must have rights to Act as part of the operating system and Log on as a batch job.
This user is not defined in metadata.

lsfuser

lsfuser

| Default User ID | Required? | Location of Account |
|---|---|---|
| lsfuser | Yes, if Platform Suite for SAS is installed and is used to schedule SAS Web Report Studio reports | OS, metadata (as a login for the LSF Services group), and password file in LSF |

The lsfuser account is used by default when you schedule SAS Web Report Studio reports using the LSF component of Platform Suite for SAS. The lsfuser account must be defined in the operating system of the machine where Platform Suite for SAS is installed. On Windows machines, the account must also be added to the password file in the LSF software. For details, see “Enabling Report Scheduling With Platform Suite for SAS” in Scheduling in SAS.
This user does not have an individual metadata identity. However, a login for this user is defined for the LSF Services group.
The lsfuser account is not needed if you use SAS In-process Services to schedule reports.