 |
|
| ACCESS Procedure Reference |
SAS Passwords for SAS/ACCESS Descriptors
| Overview of SAS Passwords |
SAS enables you to control access to SAS data sets and access descriptors by associating one or more SAS passwords with them.
The following table summarizes the levels of protection that SAS passwords have and their effects on access descriptors and view descriptors.
| READ= | WRITE= | ALTER= | |
|---|---|---|---|
| access descriptor | no effect on descriptor | no effect on descriptor | protects descriptor from being read or edited |
| view descriptor | protects DBMS data from being read or edited | protects DBMS data from being edited | protects descriptor from being read or edited |
For detailed information about the levels of protection and the types of passwords you can use, refer to the SAS Language Reference: Dictionary. The following section describes how you assign SAS passwords to descriptors.
| Assigning Passwords for SAS/ACCESS Descriptors |
ACCESS Procedure Method for Assigning Passwords
You can assign a SAS password when you define a descriptor in the ACCESS procedure or after the descriptor file has been created by using PROC DATASETS.
Four password levels are available: READ=, WRITE=, ALTER=, and PW=. PW= assigns read, write, and alter privileges to a descriptor.
You can assign multiple levels of protection to a descriptor. However, for more than one level of protection (for example, both READ and ALTER), be sure to use a different password for each level. If you use the same password for each level, a user to whom you grant READ privileges only (in order to read the DBMS data) would also have privileges to alter your descriptor (which you do not want).
To assign a password in the ACCESS procedure, specify the password level and password as a data set option in the CREATE statement. The following example creates and assigns passwords to an access descriptor and a view descriptor in the same procedure execution:
proc access dbms=Datacom; create work.emps.access (alter=rouge); table=employees; user=demo; create work.emp.view (alter=ego); select 1 2 3 4; run;
Users will have to specify the ALTER password EGO to browse or edit the view descriptor and the ALTER password ROUGE to browse, edit, or define additional view descriptors from this access descriptor.
When creating a view descriptor from a password-protected access descriptor, specify the access descriptor password as a data set option after the ACCDESC= option. The following example specifies two data set options. The first specifies the access descriptor password and the second assigns a password to the view descriptor.
proc access dbms=Datacom ad=work.emps.access (alter=rouge); create work.emp2.view (alter=dumb); select 5 6 7 8; run;
DATASETS Procedure Method for Assigning Passwords
You assign a SAS password to an existing descriptor by using the DATASETS procedure. The DATASETS procedure MODIFY statement enables you to assign, change, and delete SAS passwords.
Here is the basic syntax for using PROC DATASETS to assign a password to an access descriptor, a view descriptor, or a SAS data file:
|
PROC DATASETS LIBRARY=libref MEMTYPE=member-type;
MODIFY member-name (password-level = password-modification); |
| RUN; |
In this syntax statement, the password-level argument can have one or more of the following values: READ=, WRITE=, ALTER=, or PW=. The password-modification argument enables you to assign a new password or to change or delete an existing password.
For example, this PROC DATASETS statement assigns the password MONEY with the ALTER level of protection to the access descriptor MYLIB.EMPLOYEE.
proc datasets library=mylib memtype=access; modify employee (alter=money); run;
In this case, users are prompted for a password whenever they try to browse or edit the access descriptor or create view descriptors that are based on access descriptor MYLIB.EMPLOYEE.
In the next example, the PROC DATASETS statement assigns the passwords MYPW and MYDEPT with READ and ALTER levels of protection to view descriptor VLIB.CUSPHON:
proc datasets library=vlib memtype=view; modify cusphon (read=mypw alter=mydept); run;
In this case, users are prompted for the SAS password when they try to read or update the DBMS data, or try to browse or edit the view descriptor VLIB.CUSPHON itself. You need both levels to protect the data and descriptor. Assign a WRITE level of protection to prevent data updates.
To delete a password on a descriptor file or any SAS data set, put a slash after the password:
proc datasets library=vlib memtype=view; modify cusphon (read=mypw/ alter=mydept/); run;
Refer to the SAS Language Reference: Dictionary for more examples of assigning, changing, deleting, and using SAS passwords with PROC DATASETS.
|
|
Copyright © 2007 by SAS Institute Inc., Cary, NC, USA. All rights reserved.