Who Can Manage Users, Groups, and Roles?

Requirements for Managing Identities

Task	Requirements
Create users, groups, and roles. Update or delete users, groups, and roles (other than the unrestricted role). Reset other user's passwords (in metadata).	User administration capabilities, the User Manager capability, and these permissions: WriteMetadata permission to the identities (to update or delete them) WriteMetadata permission to the software components that provide role capabilities (to change capability assignments) WriteMetadata permission to the repository (to add identities, logins, and related items). In the initial configuration, the SAS Administrators group meets all of these requirements.
Manage the unrestricted role	Unrestricted status. In the initial configuration, only one user (the SAS Administrator) meets this requirement.

Task

Requirements

Create users, groups, and roles.

Update or delete users, groups, and roles (other than the unrestricted role).

Reset other user's passwords (in metadata).

User administration capabilities, the User Manager capability, and these permissions:

WriteMetadata permission to the identities (to update or delete them)
WriteMetadata permission to the software components that provide role capabilities (to change capability assignments)
WriteMetadata permission to the repository (to add identities, logins, and related items).

In the initial configuration, the SAS Administrators group meets all of these requirements.

Manage the unrestricted role

Unrestricted status. In the initial configuration, only one user (the SAS Administrator) meets this requirement.

Note: Each user can manage their own personal logins in SAS Personal Login Manager.

Note: You can delegate management of an existing identity to someone who does not have user administration capabilities. See Delegate Management of a Group or Role.