I was asked yesterday whether it was possible to use the SAS® Management Console BI Lineage plug-in to provide non-administrators with the ability to review BI Lineage scans (as previously run by administrators). The BI Lineage plug-in can be used to do impact analysis for BI content (reports, information maps etc.) in a similar way that SAS Data Integration Studio provides impact analysis for DI content (jobs, tables, etc).
I’d never needed to do this before, so I did a little research. It didn’t take long to find the Granting Users Permission to View Scan Results section of the Using the BI Lineage Plug-in page in the SAS® 9.4 Intelligence Platform: System Administration Guide, Second Edition. That page explains how to open up access to the BILineage custom repository so that normal non-administrative users can get access to the scans (which are otherwise only available to unrestricted users). The document doesn’t get into explaining how to provide normal users with access to the BI Lineage plug-in itself so in this blog post I’m going to outline the steps required, with screenshots, to show the entire process. The end result of this process will be a BI Lineage Users group. You can then add normal non-administrative users as members of this group to provide them with access to both the BI Lineage plug-in and the scans in the BILineage repository.
The first step is to create the BI Lineage Users group. I’ve added the SAS Demo User as candidate user for testing access.
The BI Lineage plug-in is not initially configured for role-based access. We need to configure it for role-based access so we can assign it as a capability to a new BI Lineage Role. This can be done by using the Plug-in Manager item in the SAS Management Console Tools menu.
Scroll though the list of plug-ins in the Plug-in Manager until you find the BI Lineage plug-in and tick the check box to enable it for role-based access.
The next step is to use the User Manager plug-in to create a new BI Lineage Role. On the role’s Members tab, add the previously created BI Lineage Users group as a member of the new role.
Switch to the Capabilities tab for the new role, navigate down through the Management Console application and the Plug-ins folder, then tick the check box to grant the new BI Lineage capability to the role’s members.
That’s all the required to make the BI Lineage plug-in available to members of the BI Lineage Users group. The next step is to ensure the BI Lineage Users group has access to the scans in the BILineage custom repository.
Use the SAS Management Console Repository selection combo box to switch to the BILineage repository, then use the Authorization Manager plug-in to access the Properties dialog for the Default ACT (this is the BILineage repositories repository ACT which controls access to that custom repository).
Add the BI Lineage Users group to the Permission Pattern tab of the BILineage repositories Default ACT. Check that the ReadMetadata permission is granted to the BI Lineage Users group.
That’s all that’s required to make the BILineage repository and its scans available to the BI Lineage Users group. You should now be able to login to SAS Management Console as one of the members of BI Lineage Users and use the BI Lineage plug-in to view previously generated scans. I tested it out with the SAS Demo User as shown below.
The scans will still need to be performed by an unrestricted user, but this technique allows normal non-administrative users to review those scans and investigate the interconnectivity between BI objects.