Posted by Shane Gibson on September 30, 2009
Researching definitions for each of the WRS default roles as part of the Advanced Metadata Security course.
The roles are documented in the SAS 9.1.3 Intelligence Platform: Web Application Administration Guide, Second Edition on page 130. What it says is:
“By default, everyone who can log on to SAS Web Report Studio can view, edit, and create new reports.
To implement security, each user of SAS Web Report Studio can be assigned to one or more standard roles. A user’s role assignments determine which SAS Web Report Studio menu items are available to that user.
-
By default, all SAS Web Report Studio users implicitly have the role. However, if you explicitly assign any members to the role, then only the explicitly-assigned members will have the role. This enables you to start using SAS Web Report Studio immediately after installation, yet still have the ability to restrict user access when locking down your deployment.
-
Each role is a superset of the preceding role. For example, members of the “WRS Report Author” role have all the permissions that apply to the “WRS Report Consumer”.
-
Once you explicitly assign members to a role, you must explicitly assign membersto each superset role. For example, if you assign members to the “WRS ReportAuthor” role, then all of the subsequent superset roles (in this example, “WRSAdvanced User”) also become explicitly-assigned roles. The reason is that WRSAdvanced User is a superset of WRS Report Author.
-
Once you explicitly assign members to a role, then any user who is not assigned to a role, or who has no metadata identity, can only view reports and manipulate reports (for example, select new data items to view in report objects).
| WRS Report Consumer |
Users who have this role can view reports and manipulate report data in the View Report view. Users can copy, move, save, rename, or delete reports. Users cannot create new reports with the report builder or report wizard.
|
| WRS Report Author * |
In addition to the abilities assigned to WRS Report Consumers, users who have this role can create reports with the report builder or report wizard. Users can also schedule reports.
|
| WRS Advanced User |
In addition to the abilities assigned to WRS Report Authors, users who have this role can distribute reports. Users cannot create or delete recipient lists that are used for report distribution.
|
| WRS Administrator |
Users who have this role can perform all tasks that are associated with SAS Web Report Studio, including the ability to create and delete recipient lists that are used for report distribution.
This role provides full permissions to SAS Web Report Studio and should be safeguarded accordingly. This role provides application level administrator functionality. However, this role has no effect on metadata access (authorization) rights to report data.
|
| WRS Prohibited |
Users who have this role cannot log on to SAS Web Report Studio. Regardless of the user’s membership in any of the previous roles, if the user attempts to log on, the logon page displays the following error message: “This user is not allowed to access SAS Web Report Studio. Please contact your administrator.”
Some organizations might apply this role for users who are allowed to access some SAS applications but not SAS Web Report Studio. Alternatively, if an organization has multiple Web Report Studio installations, this role can be used to restrict some users from specific instances.
The corresponding metadata group entity is not created during installation. You must manually create the group in metadata if you want to use this user role.
|
*By default, WRS Report Authors can schedule reports, though you can change the default behavior and limit the scheduling feature to WRS Advanced Users. To do this, in your LocalProperties.xml file, specify true for the schedulingRequiresAdvancedUserRole property.
|
Posted by Shane Gibson on September 30, 2009
I posted earlier about the removal of the Public Kiosk in SAS 9.2 / Portal 4.2.
All the feedback I got stated that they turned off the Public Kiosk in SAS 9.1.3 / Portal 2.x as a matter of course.
Just noticed a SAS Tech support notice “Enabling unchallenged access to content in SAS® Information Delivery Portal 4.2” which outlines how to allow access to the portal without the need to login.
So obviously a few people still wanted it.
Posted by Shane Gibson on September 29, 2009
So i’m attending the advanced metadata security course for SAS 9.1.3 at the moment.
It is a complex area and really does my head in. But here is a way that (I think) I understand how it works.
There are two different rules that are applied to any metadata object:
1) Direct – When security is applied directly to an object (i.e in Management Console you HAVE ticked a metadata security box for the object, so its white or green)
2) Inherited – When security is not applied to an object, it is inherited (i.e in Management Console you have NOT ticked a metadata security box for the object, so its grey)
So here is how I think the rules for each of these works:
1) Direct – when Security is directly applied to an object.
The identity hierarchy model applies. This means it looks at the levels permissions have been applied to the object and whether it is applied as an ACT or ACE.
- Permissions closest to user wins
- A deny always wins over a grant, if at the same level (and type)
- ACE’s always win over ACT’s
Or in something I can understand:
- If you ask your mother and she says yes, then you ask your father and he says no, the answer is no (deny at same level)
- If you ask your mother and she says yes, then you ask your grandfather and he says no, the answer is yes (permission closest to user)
- If you ask you mother (ACE) and she says yes, then you ask your teacher (ACT) and she says no, then the answer is yes (ACE always wins)
2) Inherited – When security is not applied to an object
The inheritance model applies. This means every permission is placed in a bucket and if a grant is found anywhere, you have got it.
- Levels don’t count
- A single grant always wins over any and all denies
- ACE’s vs ACT’s have no impact
Or using the same analogy:
- You are at a family reunion, you yell out a question, somebody yells yes, the answer is yes
And the last thing I learnt was if somebody said no (i.e you can’t see something as a user) then if you ask why, the only answer you will get is “because I said so”.
Which means it is very very hard to find out what stopped you seeing it. Although I believe Paul at metacoda.com has some cool tools in the pipeline to help with this.
* Thanks to Adam Player for a great course and even better analogy's!
Posted by Shane Gibson on September 29, 2009
NZ had the pleasure of day light savings on the weekend, where we were all lucky enough to lose an hours sleep.
A couple of sites reported their LSF schedules went a bit funny (good technical term that).
So if the clock on the servers automatically change at 3am and you have a job flow scheduled for 3am what happens?
Haven’t had time to test this but interested in anybody else’s experience.
Posted by Shane Gibson on September 28, 2009
Great Gotham Cities, Batman!
Got a real interesting situation with SAS EG 4.1.
A lot of our DI developers and SAS Analysts use EG like demons.
They all have dual monitors as well, so they can work twice as hard (or keep a track on the latest SAS blogs while working 
One issue we are having is that every now and again EG just disappears on them, kapow, no errors, no warnings, no pop ups just gone. And of course it normally happens when they are in the middle of an important project and they havent saved the EG project for ages.
We think we have tracked it down to the use of Dual Monitors but arent completely sure that is it.
Anybody else expereinced this?
Posted by Shane Gibson on September 28, 2009
Chris blogged about a new article on the SAS support website: Installation Note 36616: SAS® 9.1.3 Service Pack 4 and SAS® 9.2 support for Microsoft Windows Server 2008
One of the projects I am working on the IT roadmap is to move everything to Windows 2008, whihc was always a problem for the current SAS 9.1.3 environment we are using.
Not any more I thought, wahoo, until I read the fine print that SAS Solutions are not covered, oh well back to waiting for SAS 9.2 Solutions.
Interesting that Windows 2008 support is announced for SAS 9.1.3 before it is announced for SAS 9.2
Im guessing SAS 9.1.3 has always worked with Windows 2008 but just never been tested and therefore could not be certified by SAS as an approved operating system.
If you upgarde to Windows 2008 let me know how it goes.
Posted by Shane Gibson on September 14, 2009
Angela’s post on the changes in SAS Portal 4.2 (9.2) called Favorite things about SAS Information Delivery Portal 4.2 highlights the fact that the public kiosk is no longer available in the 9.2 SAS Portal.
A lot of the customers we have worked with have disabled the Public Kiosk page in 9.1.3
So I am wondering how much of an issue it disappearing is going to be?
So tell me do you use the public kiosk page and do you really need it?
