SAS Passwords for SAS/ACCESS Descriptors

SAS Password Levels

SAS enables you to control access to SAS data sets and access descriptors by associating one or more SAS passwords with them. You must first create the descriptor files before assigning SAS passwords to them.

The following table summarizes the levels of protection that SAS passwords have and their effects on access descriptors and view descriptors:

Password and Descriptor Interaction

	READ=	WRITE=	ALTER=
access descriptor	no effect on descriptor	no effect on descriptor	protects descriptor from being read or edited
view descriptor	protects DBMS data from being read or edited	protects DBMS data from being edited	protects descriptor from being read or edited

When you create view descriptors, you can use a data set option after the ACCDESC= option to specify the access descriptor's password (if one exists). In this case, you are not assigning a password to the view descriptor that is being created. Rather, using the password grants you permission to use the access descriptor to create the view descriptor. For example:

proc access dbms=adabas accdesc=adlib.customer
            (alter=rouge);
  create vlib.customer.view;
  select all;
run;

By specifying the ALTER-level password, you can read the ADLIB.CUSTOMER access descriptor and therefore create the VLIB.CUSTOMER view descriptor.

For detailed information about the levels of protection and the types of passwords that you can use, refer to the SAS Language Reference: Concepts. The following section describes how you assign SAS passwords to descriptors.

Assigning Passwords with the DATASETS Procedure

To assign, change, or delete a SAS password, use the DATASETS procedure's MODIFY statement in the PROGRAM EDITOR window. The following is the basic syntax for using PROC DATASETS to assign a password to an access descriptor, a view descriptor, or a SAS data file:

PROC DATASETS LIBRARY=libref MEMTYPE=member-type;

MODIFY member-name (password-level = password-modification);

RUN;

The password-level argument can have one or more of the following values: READ=, WRITE=, ALTER=, or PW=. PW= assigns read, write, and alter privileges to a descriptor or data file. The password-modification argument enables you to assign a new password or to change or delete an existing password.

For example, this PROC DATASETS statement assigns the password MONEY with the ALTER level of protection to the access descriptor ADLIB.SALARIES.

proc datasets library=adlib memtype=access;
   modify salaries (alter=money);
run;

In this case, users are prompted for the password whenever they try to browse or edit the access ADLIB.SALARIES or to create view descriptors that are based on ADLIB.SALARIES.

You can assign multiple levels of protection to a descriptor or SAS data file. However, for more than one level of protection (for example, both READ and ALTER), be sure to use a different password for each level. If you use the same password for each level, a user to whom you grant READ privileges only (in order to read the DBMS data) would also have privileges to alter your descriptor (which you do not want to happen).

In the next example, the PROC DATASETS statement assigns the passwords MYPW and MYDEPT with READ and ALTER levels of protection to the view descriptor VLIB.JOBC204:

proc datasets library=vlib memtype=view;
   modify jobc204 (read=mypw alter=mydept);
run;

In this case, users are prompted for the SAS password when they try to read the DBMS data, or try to browse or edit ADLIB.SALERIESVLIB.JOBC204 itself. You need both levels to protect the data and descriptor from being read. However, a user could still update the data accessed by VLIB.JOBC204, such as by using a PROC SQL UPDATE. Assign a WRITE level of protection to prevent data updates.

To delete a password on an access descriptor or any SAS data set, put a slash after the password:

proc datasets library=vlib memtype=view;
   modify jobc204 (read=mypw/ alter=mydept/);
run;