SAS VA Administration: What’s in a SAS VA Role

Posted on 03/23/2015  

One part of the Zenguard service is helping customers set up their SAS security model, which involves determining which users need to do what in the SAS Visual Analytics system. Most customers have the same basic needs: some users view reports and some prepare them. There can be a lot of variation after that point. Some of the report builders also administer the system, while others are only allowed to use the data given to them.

What's in a Pre-Defined Role?

SAS Visual Analytics ships with five pre-defined roles. Each role is composed of a pre-defined set of capabilities for the different things a user or set of users can do, such as consume reports, build reports, and administer the system. The roles follow what you might expect most organizations would want for organizing their users, and they provide enough flexibility to allow quick changes.

Notice that as the role becomes more complex, it inherits the capabilities of the roles before it. This is true for all roles except the Administrator role, which does not inherit the ability to use the Data Builder. I'm not sure why this was set up this way, as the administrators could assign the capability to their own role.

It is easier to understand how the capabilities are assigned when you look at this chart. It breaks down the roles by capability. [Here's a larger chart that shows everything available so you can see what is not assigned to a role.] 

Note: This information is valid for SAS Visual Analytics 7.1. Refer to the SAS VA Administrator Guide for more complete details.

Applying the SAS VA Security Model

When creating a security model, you can assign these roles to groups. This allows you to control what the users are allowed to do within the VA system. Notice I didn't say anything about permissions. Roles only say what abilities a user or group has. Permissions are set in ACEs (like folders) or with an ACT. Here are some examples of how roles were assigned to groups.

This is an example of a large complex organization where the roles are more defined. The team has the four groups that essentially align with the roles.

 

This is a smaller organization where the VA developers wear a lot of hats. They are responsible for building the data and administering the system.  They have assigned multiple roles to a single group called VA Developers. You may have noticed that the Basic role doesn't seem to be used. That role is intended for use with systems where the public is allowed to reach the reports. [Paul Homes had an interesting post where he tested VA public (anonymous access) with web authentication.]

Now here are some clever users - they hired the Zencos Zenguard team to help with administering their system and training their users to use SAS Visual Analytics. Plus, if you think about it, why would users have both the Analysis and Data Builder roles when Data Builder can do everything Analysis can?
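The role inheritance and group assignments discussed above can be modelled to list every route by which a user holds a capability and to flag role assignments in a group that add nothing. This is an added example, not code from the original post or from SAS: only the four role names the post mentions are used, and the capability names, group names, and users are constructed placeholders.

```python
# Constructed model. Capability, group, and user names are illustrative
# placeholders, not SAS identifiers.
ROLE_OWN_CAPS = {
    "Basic": {"view_reports_as_guest"},
    "Analysis": {"view_reports", "build_reports", "explore_data"},
    "Data Builder": {"build_data"},
    "Administrator": {"manage_environment"},
}
# Which roles each role inherits from. Assumption following the post:
# Administrator does not inherit Data Builder.
ROLE_INHERITS = {
    "Basic": [],
    "Analysis": ["Basic"],
    "Data Builder": ["Analysis"],
    "Administrator": ["Analysis"],
}
GROUP_ROLES = {
    "VA Developers": ["Analysis", "Data Builder", "Administrator"],
    "VA Analysts": ["Analysis"],
}
USER_GROUPS = {"dev1": ["VA Developers"], "analyst1": ["VA Analysts"]}


def effective_caps(role):
    """Capabilities a role grants, including those inherited from other roles."""
    caps = set(ROLE_OWN_CAPS[role])
    for parent in ROLE_INHERITS[role]:
        caps |= effective_caps(parent)
    return caps


def capability_paths(user, capability):
    """Every (group, role) route through which the user gets the capability."""
    return sorted(
        (group, role)
        for group in USER_GROUPS.get(user, [])
        for role in GROUP_ROLES.get(group, [])
        if capability in effective_caps(role)
    )


def redundant_roles(group):
    """Roles in a group whose capabilities another assigned role already covers."""
    roles = GROUP_ROLES[group]
    return sorted(
        r for r in roles
        if any(o != r and effective_caps(r) <= effective_caps(o) for o in roles)
    )
```

Removing a capability from a user means closing every path `capability_paths` returns, not just the most obvious one.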

If you need help with your SAS Visual Analytics security model, contact Zencos to learn more about implementing our Zenguard service at your company.



Comments

#1. Posted by Michelle Homes on March 25, 2015

Great post!

It highlights the importance of having an experienced SAS administrator to help manage Users & Groups and Roles & Capabilities in a SAS Visual Analytics environment.

We’ve found users and SAS Administrators would like to know who has a particular capability, particularly if a capability needs to be removed from a user. It can be challenging to find all the paths in which the user gets a particular capability. Metacoda Security Plug-ins Capability Reviewer can help find this very quickly and visually for all capabilities in a SAS environment http://platformadmin.com/blogs/paul/2011/04/capability-reviewer-preview/

