Implementing Security for SAS BI Dashboard

Overview

You can use metadata layer permissions to manage access to dashboard objects such as dashboards, indicators, models, and ranges. This topic documents the requirements and describes the predefined groups that you can choose to use to manage access.

Predefined Administration Role for SAS BI Dashboard

SAS BI Dashboard includes a predefined role, BI Dashboard: Administration. In order to manage SAS BI Dashboard, administrators must meet the following criteria:
  • Administrators must be assigned to the BIDashboard:Administration role. When SAS Deployment Wizard completes installation, the BI Administration role is added to the SAS BI Dashboard administrators group by default. If you create a different group for administrators, the BI Administration role must be added to that group.
  • Administrators must explicitly have ReadMetadata, WriteMetadata, and WriteMemberMetadata permissions to folders. These permissions enable administrators to create, read, modify, and delete objects.

Manage Users in SAS BI Dashboard Groups

You enable users to log on to the SAS BI Dashboard by creating metadata identities for the users, and assigning them to the predefined BI Dashboard Users group.
By default, two groups are available for SAS BI Dashboard:
  • BI Dashboard Users
  • BI Dashboard Administrators
You can use dashboard groups to manage access to dashboard objects. You are not required to use the BI Dashboard Users or the BI Dashboard Administrator groups. You can create your own groups that meet your organizational needs. If you create your own group, that new group must belong to the BI Dashboard Users or the BI Dashboard Administrators group in order for the members to be able to log on to SAS BI Dashboard. If you do not want to use the predefined BI Dashboard Administrators group, and you want to create a new group for dashboard administrators, add the SAS Trusted User as a member of that new administrator group.
Typically, you grant access to data designers so that they can create the dashboards, indicators, data models, and ranges using the graphical interface. You typically limit access for other users who need only to see dashboards in the BI Dashboard Viewer or on the portal page. You can manage user access by creating metadata identities for users, adding users to the appropriate group, and then by assigning permissions to the groups on the BI Dashboard folder.
These default groups determine the dashboard objects that users can access and manipulate:
Predefined Default User Groups and Their Access to Dashboard Objects
Group
Type of Access
BI Dashboard Users
Members of this group can view dashboards in the BI Dashboard Viewer or in the portlet. If you create a different group for dashboard users, that new group should be added as a member of the BI Dashboard users group.
BI Dashboard Administrators
Members of this group can view dashboards in portlets and change the dashboard layout. Members also have access to a Manage Dashboards Application either by direct access to the BI Dashboard application or via the link in the portlet (if the value for the portlet ShowManageLink property is true). After they click this link, members can create, edit, and delete dashboard objects.
You implement authorization in order to control the types of permissions granted to users. You configure permissions for the users and groups that are defined in SAS metadata. You can add Dashboard users to groups that you define in SAS metadata, grant the necessary permissions to those groups, and then limit the permissions for the PUBLIC group.

Key Aspects of Security for SAS BI Dashboard

Here are some key points that apply to SAS BI Dashboard 4.31 security.
  • For SAS applications including SAS BI Dashboard and the SAS Information Delivery Portal, authentication is through the SAS Logon Manager.
  • The ability to render, create, edit, and delete dashboard objects is controlled by the permissions on the objects in the metadata. Dashboard objects inherit permissions from the folder to which the objects are saved.
  • SAS BI Dashboard 4.31 allows users to save their dashboards in any folder to which they have the WriteMemberMetadata permission.
  • When a user wants to view a dashboard, the user's permissions for the dashboard, indicators, ranges, and data models are verified. If a user has permission to view a dashboard, but is not granted permission to read any of the indicators in the dashboard, an empty dashboard is displayed. If a user has permission to read an indicator, but does not have permission to read the data point model, the indicator does not render for that user.
  • If data caching is not enabled, and a user does not have Read permissions on an underlying information map, cube, or data set, then the query fails and an error message is returned. If data caching is enabled, the queries are run by the SAS Trusted User for all users.
  • If an information map uses row-level permissions, then only the data that is readable by a particular user appears in a dashboard indicator when that user is logged on to the portal.

Enable the Display of Custom Repository Folders

Overview

When custom repository folders are created for SAS BI Dashboard 4.31, they are registered in the Foundation Services. For information about different repositories and administrative tasks associated with repositories, see “Creating, Registering, Moving, Copying, Renaming, and Deleting SAS Metadata Repositories” in the SAS Intelligence Platform: System Administration Guide.
To enable the display of custom repository folders in SAS BI Dashboard, specify the custom repository. See Specify the Custom Repository.

Specify the Custom Repository

To specify the custom repository, follow these steps:
  1. On the Plug-ins tab in SAS Management Console, navigate to Environment Managementthen selectFoundation Services Managerthen selectSAS BI Dashboard 4.3 Local Servicesthen selectInformation Service.
  2. Right-click and select Properties to display the Information Properties dialog box.
  3. Click the Service Configuration tab.
  4. Click Configuration.
  5. Click the Repositories tab, and select New.
  6. In the New Information Service Repository dialog box, follow the instructions on the wizard pages. As you answer the wizard's prompts, be sure to specify a unique name for the repository and select the check box for AutoConnect. Specify the values for the following required fields or retain the default values:
    1. Name: Nameofyourcustomrepository
    2. Host: MetadataServer
    3. Port: PortNumber
    4. Domain: DefaultAuth
    5. Base: Nameofyourcustomrepository
  7. Save your changes. The custom repository is registered with the SAS Foundation Services.

Configuration for Dashboard Portlets That Are Shared

About Shared Dashboard Portlets

Shared portlets are appropriate for users who need only to view dashboards. These users cannot manipulate portlet content in any way. Like other portlets, dashboard portlets can be shared with a group that is defined in metadata. To share a portlet, you must be a group content administrator or a sastrust user for the respective group. For more information about sharing portlets, see Sharing Content in the Portal .
When you share a SAS BI Portlet with a group, members of the group have Read-Only access to the portlet.
Copyright © SAS Institute Inc. All rights reserved.