Glossary
- access control template
-
a reusable named authorization pattern that you
can apply to multiple resources. An access control template consists
of a list of users and groups and indicates, for each user or group,
whether permissions are granted or denied. Short form: ACT.
- authentication
-
the process of verifying the identity of a person
or process within the guidelines of a specific authorization policy.
- authentication domain
-
a SAS internal category that pairs logins with
the servers for which they are valid. For example, an Oracle server
and the SAS copies of Oracle credentials might all be classified as
belonging to an OracleAuth authentication domain.
- authentication provider
-
a software component that is used for identifying
and authenticating users. For example, an LDAP server or the host
operating system can provide authentication.
- authorization
-
the process of determining which users have which
permissions for which resources. The outcome of the authorization
process is an authorization decision that either permits or denies
a specific action on a specific resource, based on the requesting
user's identity and group memberships.
- capability
-
an application feature that is under role-based
management. Typically, a capability corresponds to a menu item or
button. For example, a Report Creation capability might correspond
to a New Report menu item in a reporting application. Capabilities
are assigned to roles.
- credentials
-
the user ID and password for an account that exists
in some authentication provider.
- external identity
-
a synchronization key for a user, group, or role.
For example, employee IDs are often used as external identities for
users. This is an optional attribute that is needed only for identities
that you batch update using the user import macros.
- identity
-
a user, group, or role definition.
- internal account
-
a SAS account that you can create as part of a
user definition. Internal accounts are intended for metadata administrators
and some service identities; these accounts are not intended for regular
users.
- internal authentication
-
a process in which the metadata server verifies
a SAS internal account. Internal authentication is intended for only
metadata administrators and some service identities.
- login
-
a SAS copy of information about an external account.
Each login includes a user ID and belongs to one SAS user or group.
Most logins do not include a password.
- permission condition
-
a control that defines access to data at a low
level, specifying who can access particular rows within a table or
particular members within an OLAP cube. Such controls are typically
used to subset data by a user characteristic such as employee ID or
organizational unit. For example, an OLAP cube that contains employee
information might have member-level controls that enable each manager
to see the salary history of only that manager's employees. Similarly,
a table that contains patient medical information might have row-level
controls that enable each doctor to see only those rows that contain
data about that doctor's patients.
- restricted identity
-
a user or group that is subject to capability
requirements and permission denials in the metadata environment. Anyone
who isn't in the META: Unrestricted Users Role and isn't listed in
the adminUsers.txt file with a preceding asterisk is a restricted
identity.
- role
-
a set of capabilities. In some applications, certain
actions are available only to users or groups that have a particular
role.
- service identity
-
an identity or account that exists only for the
purpose of supporting certain system activities and does not correspond
to a real person. For example, the SAS Trusted User is a service identity.
- unrestricted identity
-
a user or group that has all capabilities and
permissions in the metadata environment due to membership in the META:
Unrestricted Users Role (or listing in the adminUsers.txt file with
a preceding asterisk).
- Web authentication
-
a configuration in which users of Web applications
are verified at the Web perimeter and the metadata server trusts that
verification.
- well-formed user definition
-
a user definition that includes a login with an
appropriate user ID. For a Windows account, the user ID in the login
must be qualified (for example, WIN\marcel or marcel@company.com).
The login does not have to include a password. For metadata administrators
and some service identities, it is appropriate to use an internal
account instead of a login.
Copyright © SAS Institute Inc. All rights reserved.