To associate a stored process, OLAP schema, or library with an application server, you need WriteMetadata permission for that application server. Certain service identities need ReadMetadata permission to all server definitions. See “Permissions on Servers” on page 75.
Logical server
To use a logical server, you need ReadMetadata permission for at least one of that server's connections. This is called server access security. Certain service identities need ReadMetadata permission to logical server definitions. See “Hide Server Definitions” on page 78.
Identity
User administration capabilities (from the Metadata Server: User Administration role) enable you to create, update, and delete users, groups, and roles. You can delegate management of an identity to someone who doesn't have user administration capabilities by adding explicit or ACT grants of WriteMetadata permission in the identity's authorization properties. An identity's authorization properties have no effect on what that identity can do.
ACT
To create an ACT, you need repository-level WriteMetadata permission. Each predefined ACT is protected by direct access controls. ACTs that you create aren't automatically protected. It is essential to add protections (direct controls in the ACT’s authorization properties) to any ACTs that you create.
See Also
• “Permissions by Task” on page 50
• “Use and Enforcement of Each Permission” on page 62
Permissions by Task
Introduction
The following tables show required metadata layer permissions for selected tasks. For each task, a user must have the specified access to the specified metadata objects.
TIP For any change-managed areas or resources, change-managed users should have CheckInMetadata (CM) permission (instead of WM or WMM). See “Setting up Change Management” in Chapter 5 of SAS Intelligence Platform: Desktop Application Administration Guide.
Working with Folders
Table 5.3 Working with Folders
| Task | Repository | Parent Folder | Folder | Item |
|---|---|---|---|---|
| Add a folder | RM, WM | RM, WMM* | - | - |
| Delete a folder | RM | RM, WMM* | RM, WM | - |
| Rename a folder | RM | RM | RM, WM | - |
| Set folder permissions | RM | RM | RM, WM | - |
| Add an item to a folder | RM, WM | RM | RM, WMM | - |
| Delete an item from a folder | RM | RM | RM, WMM | RM, WM |
| Copy/export items | RM | RM | RM | RM |
| Paste/import items | RM, WM | RM | RM, WMM | - |

* If the parent folder is the root folder, you need RM, WM on the root folder.
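As an added example (not part of the SAS documentation, and not a SAS API), the following Python function encodes Table 5.3 together with its root-folder footnote and the change-management tip, and reports which permissions a planned set of grants still lacks for a task. The function name, the `granted` layout, and the `change_managed` argument are hypothetical; the sample grants are constructed.

```python
# Added example: Table 5.3 (Working with Folders) as data, plus its footnote
# and the change-management tip. Names here are hypothetical, not a SAS API.
RM, WM, WMM, CM = "RM", "WM", "WMM", "CM"

# task -> {object role: permissions required on that object}
FOLDER_TASKS = {
    "Add a folder": {"Repository": {RM, WM}, "Parent Folder": {RM, WMM}},
    "Delete a folder": {"Repository": {RM}, "Parent Folder": {RM, WMM},
                        "Folder": {RM, WM}},
    "Rename a folder": {"Repository": {RM}, "Parent Folder": {RM},
                        "Folder": {RM, WM}},
    "Set folder permissions": {"Repository": {RM}, "Parent Folder": {RM},
                               "Folder": {RM, WM}},
    "Add an item to a folder": {"Repository": {RM, WM}, "Parent Folder": {RM},
                                "Folder": {RM, WMM}},
    "Delete an item from a folder": {"Repository": {RM}, "Parent Folder": {RM},
                                     "Folder": {RM, WMM}, "Item": {RM, WM}},
    "Copy/export items": {"Repository": {RM}, "Parent Folder": {RM},
                          "Folder": {RM}, "Item": {RM}},
    "Paste/import items": {"Repository": {RM, WM}, "Parent Folder": {RM},
                           "Folder": {RM, WMM}},
}
ROOT_FOOTNOTE_TASKS = {"Add a folder", "Delete a folder"}  # rows marked WMM*


def missing_permissions(task, granted, parent_is_root=False,
                        change_managed=frozenset()):
    """Return {object role: sorted permissions still missing} for a task.

    granted: {object role: set of effective permissions the user holds}.
    change_managed: roles whose object is change-managed (assumed input).
    """
    gaps = {}
    for role, required in FOLDER_TASKS[task].items():
        required = set(required)
        if role == "Parent Folder" and parent_is_root and task in ROOT_FOOTNOTE_TASKS:
            required = {RM, WM}  # footnote: root folder needs WM, not WMM
        if role in change_managed:
            # Tip: change-managed users hold CM instead of WM or WMM.
            required = {CM if p in (WM, WMM) else p for p in required}
        lacking = required - set(granted.get(role, ()))
        if lacking:
            gaps[role] = sorted(lacking)
    return gaps


if __name__ == "__main__":
    # Constructed grants: a user with RM everywhere and WM on the repository.
    grants = {"Repository": {RM, WM}, "Parent Folder": {RM}, "Folder": {RM}}
    for task in FOLDER_TASKS:
        print(task, "->", missing_permissions(task, grants) or "allowed")
```

An empty result means the grants satisfy every column of the task's row; a non-empty result names the object and the permissions to add.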
Working with Reports
Table 5.4 Working with Reports
| Task | Repository | Parent Folder | Report | Stored Process* | Information Map* | Data |
|---|---|---|---|---|---|---|
| Create and save a new report | RM, WM | RM, WMM | - | RM | RM, R | RM, R** |
| Delete a report | RM | RM, WMM | RM, WM | - | - | - |
| View or refresh a report | RM | RM | RM | RM | RM, R | RM, R** |
| View a batch report | RM | RM | RM | - | - | - |
| Edit or rename a report | RM | RM | RM, WM | - | - | - |
| Set report permissions | RM | RM | RM, WM | - | - | - |

* This is not a required element for a report.
** The Read permission is required for data that is accessed through the metadata LIBNAME engine or the OLAP server.
Working with Information Maps
Table 5.5 Working with Information Maps
| Task | Repository | Parent Folder | Information Map | Stored Process* | Data |
|---|---|---|---|---|---|
| Create and save a new information map | RM, WM | RM, WMM | - | RM | RM, R** |
| Delete an information map | RM | RM, WMM | RM, WM | - | - |
| Set information map permissions | RM | RM | RM, WM | - | - |
| Edit or rename an information map | RM | RM | RM, WM | - | - |
| Run queries in an information map | RM | RM | RM, R | RM | RM, R** |

* This is not a required element for an information map.
** The Read permission is required for data that is accessed through the metadata LIBNAME engine or the OLAP server.
Working with Stored Processes
Table 5.6 Working with Stored Processes
| Task | Repository | Parent Folder | Application Server | Stored Process | Data |
|---|---|---|---|---|---|
| Register a stored process | RM, WM | RM, WMM | RM, WM | - | - |
| Delete a stored process | RM | RM, WMM | RM, WM | RM, WM | - |
| Set stored process permissions | RM | RM | RM | RM, WM | - |
| Run a stored process | RM | RM | RM | RM | RM, R* |

* The Read permission is required for data that is accessed through the metadata LIBNAME engine or the OLAP server.
Working with Publishing Channels
Table 5.7 Working with Publishing Channels
| Task | Repository | Parent Folder | Channel | Subscriber |
|---|---|---|---|---|
| Add a channel or subscriber | RM, WM | RM, WMM | - | - |
| Delete a channel or subscriber | RM | RM, WMM | RM, WM | RM, WM |
| Edit a channel or subscriber | RM | RM | RM, WM | RM, WM |
| Publish content to a channel | RM, WM* | RM | RM, W, WM* | RM** |

* WM is required if the channel has an archive persistent store.
** Content is published to only those subscribers for whom you have RM.
Working with Tables
Table 5.8 Working with Tables
| Task | Repository | Server* | Library | Parent Folder | Table | Column |
|---|---|---|---|---|---|---|
| Register a table | RM, WM | RM | RM, WM | RM, WMM | - | - |
| Delete a table | RM | RM | RM, WM | RM, WMM | RM, WM | - |
| Set table permissions | RM | - | RM | RM | RM, WM | - |
| Access table data | RM | RM | RM | RM | RM, R** | RM |
| Register a library | RM, WM | RM, WM | - | RM, WMM | - | - |

* SAS Application Server
** The Read permission is required for data that is accessed through the metadata LIBNAME engine.
Working with SAS OLAP Cubes
Table 5.9 Working with SAS OLAP Cubes
| Task | Repository | Server* | Schema | Parent Folder | Cube | Source Data |
|---|---|---|---|---|---|---|
| Register a cube | RM, WM | RM | RM, WM | RM, WMM | - | RM, R** |
| Delete a cube | RM | RM | RM, WM | RM, WMM | RM, WM | - |
| Rebuild a cube | RM | RM | RM | RM | RM, WM | RM, R** |
| Refresh a cube | RM | RM | RM | RM | RM, R | RM, R** |
| Access cube data | RM | RM | RM | RM | RM, R | - |
| Register a schema | RM, WM | RM, WM | - | RM, WMM | - | - |
| Set cube permissions | RM | - | RM | RM | RM, WM | - |

** The Read permission is required for data that is accessed through the metadata LIBNAME engine.
Working with SAS OLAP Shared Dimensions
Table 5.10 Working with SAS OLAP Shared Dimensions
Task Repository Server* Schema
** The Read permission is required for data that is accessed through the metadata LIBNAME engine.
*** You cannot delete a shared dimension that has any associations to any cubes.
See Also
• “Permissions by Object Type” on page 46
• “Use and Enforcement of Each Permission” on page 62