Managing user privileges

In order to make access distinctions and track user activity, a security system must know who is making each request. In the platform, the primary user administration task is to store each user's external account ID in the SAS metadata. SAS uses its copy of these IDs to establish a unique SAS identity for each connecting user. All of a user's metadata-layer memberships, permissions, and capabilities are ultimately tied to the user's SAS identity.

Admininstrator privileges

Account admins manage your Autodesk BIM 360 account, and its projects, members, and company data.

Create and edit projects for use across all BIM 360 web services using account administration. An Account Admin is typically an employee such as an IT manager of the organization.

Account Admin and Project Admin have different access levels allowing them to carry out different tasks. Account Admins have responsibility for setting up projects and assigning Project Admins. Project Admins are responsible for inviting members to projects, and for editing and removing project members.

For more information, see BIM 360 Account Administration help.

Account Admin Privileges

  • Create or delete projects

  • Add or remove account members

  • Grant project admin rights to team members

  • Grant account admin rights to team members

  • Define which projects a project member can access

  • Enterprise account administrators can use Glue Web Access to view Activities and Members dashboards to monitor project activities and model updates. All account admins can view the member dashboard. Note: Only enterprise admins can view a monthly active members chart.

Managing Users, Groups, and Roles

In the initial configuration for a new deployment, the SAS Administrators group has the user administration role, so members of that group can perform almost all user management tasks. The following table outlines the distribution of user administration capabilities.

  • User Administration Capabilities

  • Metadata Server Role

  • Actions Supported

  • Unrestricted

  • Perform all identity management tasks.

  • User administration

  • Add, modify, and delete most identities.


For restricted user administrators (users who have the user administration role but are not unrestricted), the following constraints apply:

  • Restricted user administrators cannot update the unrestricted role.

  • To update or delete an identity, restricted user administrators must have the WriteMetadata permission for that identity. For example, you can prevent a restricted user administrator from updating UserA’s metadata definition by taking away his or her default grant of the WriteMetadata permission (on UserA’s Authorizationtab, explicitly deny the WriteMetadata permission to the restricted user administrator).

  • To change a role's capabilities, restricted user administrators must have the WriteMetadata permission for the associated software component.

  • To access user management features in SAS Management Console, restricted user administrators must have the User Manager capability.


Note: You can delegate administration of an existing identity to someone who is not a user administrator. In the target identity's metadata definition, explicitly grant the WriteMetadata permission to the delegated administrator.

Administrative tools

SAS Web Administration Console is a web-based interface that enables you to do the following:

  • monitor which users are logged on to SAS web applications

  • view audit reports of logon and logoff activity

  • manage notification templates and letterheads

  • manage web-layer authorization, including privileges, roles, and permissions

  • access the SAS Content Server Administration Console in order to manage folders and permissions for the SAS Content Server

  • view the current configuration of web applications

  • dynamically adjust logging levels for some web applications


For details, see Using the SAS Web Administration Console in SAS Intelligence Platform: Middle-Tier Administration Guide.

User administration


Metadata-layer user administration is performed as follows:

  • To manage identity information interactively, use SAS Management Console. See SAS Management Console: Guide to Users and Permissions.

  • To import identity information in bulk from an external user store (such as Active Directory) to the SAS metadata, write SAS code. See User Import Macros.

  • To copy identity metadata from one SAS repository to another, use the metadata promotion tools. See Promotion Tools Overview in SAS Intelligence Platform: System Administration Guide.

  • To audit changes to metadata identity definitions, use the Audit.Meta.Security.GrpAdm and Audit.Meta.Security.UserAdm log categories. See Auditing.

See Also

How SAS Identity Is Determined

PUBLIC Access and Anonymous Access

Contact a training representative for online or on location training.