Adjust the Repository-Level Settings

Why Adjust the Repository-Level Settings?

CAUTION:
Altering the repository-level settings for service identities can prevent necessary access.
We recommend that you do not change these settings.
This list provides guidance for working with repository-level settings for a foundation repository:
  • All users need ReadMetadata and WriteMetadata access to the foundation repository. It is appropriate for the SASUSERS group to have these permissions on the repository ACT's Permission Pattern tab.
  • To provide default read access to all data, grant the Read permission at the repository level.
  • To experiment with changing repository-level access, create a new ACT and designate that ACT as the repository ACT (instead of modifying the original repository ACT).

Make Changes to the Repository ACT

To make changes to the repository ACT:
  1. On the Plug-ins tab in SAS Management Console, select Authorization Managerthen selectAccess Control Templates.
  2. In the display area, select the repository ACT repository ACT.
  3. Right-click and select Properties. Make changes on the Permission Pattern tab. Each restricted identity that you add gets a grant of the ReadMetadata permission in the pattern.
    For example, to give all registered users default read access to all data, select the SASUSERS group and then select the Grant check box for the Read permission.
    Note: Any gray check boxes are settings that come from the selected identity's group memberships.
    Note: Do not confuse the Permission Pattern tab with the Authorization tab. Settings on the Authorization tab affect who can access this ACT; settings on this Permission Pattern tab define access to the repository.
    Note: There is no reason to specify grants or denials of the WriteMemberMetadata permission as part of the repository-level settings. Unlike other permissions, the WriteMemberMetadata permission is never inherited from one item to another.
    Note: In the repository ACT's pattern, an identity that has a blank setting for a particular permission (neither a grant nor a denial) is denied that permission.

Designate a Different ACT to Serve as the Repository ACT

To designate a different repository ACT:
  1. Identify or create an ACT that has the repository-level settings that you want to use.
  2. On the Plug-ins tab in SAS Management Console, under Authorization Managerthen selectAccess Control Templates, select the ACT that you want to use to define repository-level access.
  3. Right-click and select Repository ACT. In the confirmation message box, click Yes.
    In the list of ACTs under Authorization Managerthen selectAccess Control Templates, the repository ACT repository ACT icon is now displayed next to the newly designated repository ACT. The ACT that originally served as the repository ACT still exists, but it is no longer in use.
Note: To revert to the original repository ACT, select that ACT and repeat step 3.