SAS Passwords for SAS/ACCESS Descriptors

Assigning Passwords for SAS/ACCESS Descriptors

ACCESS Procedure Method for Assigning Passwords

DATASETS Procedure Method for Assigning Passwords

Overview of SAS Passwords

SAS enables you to control access to SAS data sets and access descriptors by associating one or more SAS passwords with them.

When the VIEW file is being used to access the data in the underlying database tables, a Read password on the VIEW file protects the underlying data and it or a higher level password must be supplied to read the data. Similarly, a Write password on the VIEW file protects the underlying data and it or an Alter password must be supplied to write data through the VIEW to the database tables.

When the view descriptor or access descriptor is being accessed to either modify or describe the descriptor itself, the most restrictive password on the file must be provided.

An administrator who wants to prevent users from knowing information in the descriptors but still use them to access the underlying database data, should put an Alter password on the files that is required to modify or describe the descriptor contents. However, if only a Read password is placed on the descriptor file, then that password is required to both read the underlying data and describe or modify the descriptor. If a Write password without an Alter password is placed on the descriptor files, then that password is required to both write data to the underlying data and describe or modify the descriptor.

Assigning Passwords for SAS/ACCESS Descriptors

ACCESS Procedure Method for Assigning Passwords

You can assign a SAS password when you define a descriptor in the ACCESS procedure or after the descriptor file has been created by using PROC DATASETS.

Four password levels are available: READ=, WRITE=, ALTER=, and PW=. PW= assigns Read, Write, and Alter privileges to a descriptor.

You can assign multiple levels of protection to a descriptor. However, for more than one level of protection (for example, both Read and Alter), be sure to use a different password for each level. If you use the same password for each level, a user to whom you grant Read privileges only (in order to read the DBMS data) would also have privileges to alter your descriptor (which you do not want).

To assign a password in the ACCESS procedure, specify the password level and password as a data set option in the CREATE statement. The following example creates and assigns passwords to an access descriptor and a view descriptor in the same procedure execution:

proc access dbms=Datacom;
  create work.emps.access (alter=rouge);
  table=employees;
  user=demo;

  create work.emp.view (alter=ego);
  select 1 2 3 4;
run;

Users have to specify the Alter password EGO to browse or edit the view descriptor and the Alter password ROUGE to browse, edit, or define additional view descriptors from this access descriptor.

When creating a view descriptor from a password-protected access descriptor, specify the access descriptor password as a data set option after the ACCDESC= option. The following example specifies two data set options. The first specifies the access descriptor password and the second assigns a password to the view descriptor.

proc access dbms=Datacom ad=work.emps.access (alter=rouge);
  create work.emp2.view (alter=dumb);
  select 5 6 7 8;
run;

DATASETS Procedure Method for Assigning Passwords

You assign a SAS password to an existing descriptor by using the DATASETS procedure. The DATASETS procedure MODIFY statement enables you to assign, change, and delete SAS passwords.

Here is the basic syntax for using PROC DATASETS to assign a password to an access descriptor, a view descriptor, or a SAS data file:

PROC DATASETS LIBRARY=libref MEMTYPE=member-type;

MODIFY member-name (password-level = password-modification);

RUN;

In this syntax statement, the password-level argument can have one or more of the following values: READ=, WRITE=, ALTER=, or PW=. The password-modification argument enables you to assign a new password or to change or delete an existing password.

For example, this PROC DATASETS statement assigns the password MONEY with the alter level of protection to the access descriptor MYLIB.EMPLOYEE.

proc datasets library=mylib memtype=access;
   modify employee (alter=money);
run;

In this case, users are prompted for a password when they try to browse or edit the access descriptor or create view descriptors that are based on access descriptor MyLib.Employee.

In the next example, the PROC DATASETS statement assigns the passwords MYPW and MYDEPT with read and alter levels of protection to view descriptor Vlib.CusPhon:

proc datasets library=vlib memtype=view;
   modify cusphon (read=mypw alter=mydept);
run;

In this case, users are prompted for the SAS password when they try to read or update the DBMS data, or try to browse or edit the view descriptor Vlib.CusPhon. You need both levels to protect the data and descriptor. Assign a write level of protection to prevent data updates.

To delete a password on a descriptor file or any SAS data set, put a slash after the password:

proc datasets library=vlib memtype=view;
   modify cusphon (read=mypw/ alter=mydept/);
run;

See the Base SAS Procedures Guide for more examples of assigning, changing, deleting, and using SAS passwords with PROC DATASETS.