Today I noticed a difference between SAS 9.1.3 and SAS 9.2 with respect to the use of roles in metadata security access controls.
In SAS 9.1.3 it was possible, though not recommended, to use roles in access controls such as Access Control Entries (ACEs) and Access Control Templates (ACTs). Here is a screenshot of SAS Management Console 9.1 where I am in the process of adding a group to an ACT. Notice that the SAS Web Report Studio roles are available for use (I have highlighted them with a red square).
I noticed today that SAS 9.2 prevents you, at least from within SAS Management Console, from using roles in access controls. Here is an equivalent screenshot of SAS Management Console 9.2, where I am also in the process of adding a group to an ACT. This time only the normal groups are available for use; none of the roles are available.
It was good to see this enhancement in SAS 9.2, as it helps promote good practices. Roles exist to provide a container for groups of users to gain access to application functionality. It is not recommended that they be used in access controls that secure general metadata objects such as folders, servers, etc. SAS 9.1.3 introduced roles, with hard-coded or implicit capabilities, where they were used only by SAS Web Report Studio as far as I am aware. The use of roles was significantly expanded in SAS 9.2, with configurable/customizable capabilities to allow administrators to control the availability of application functionality in SAS Management Console, SAS Enterprise Guide, SAS Add-In for Microsoft Office, SAS Web Report Studio and SAS BI Dashboard.
I was surprised I hadn’t noticed this improvement until today, but then I guess I am not usually inclined to use roles in access controls ;)
If you want to find out more about roles and capabilities in SAS 9.2, I would definitely recommend reading Kathy Wisniewski’s paper "Be All That You Can Be: Best Practices in Using Roles to Control Functionality in SAS® 9.2" from SAS Global Forum 2010, available from http://support.sas.com/resources/papers/proceedings10/324-2010.pdf