SAS Passwords for SAS/ACCESS Descriptors

You can assign a SAS password when you define a descriptor in the ACCESS procedure or after the descriptor file has been created by using PROC DATASETS.

Four password levels are available: READ=, WRITE=, ALTER=, and PW=. PW= assigns read, write, and alter privileges to a descriptor.

You can assign multiple levels of protection to a descriptor. However, for more than one level of protection (for example, both READ and ALTER), be sure to use a different password for each level. If you use the same password for each level, a user to whom you grant READ privileges only (in order to read the DBMS data) would also have privileges to alter your descriptor (which you do not want).

To assign a password in the ACCESS procedure, specify the password level and password as a data set option in the CREATE statement. The following example creates and assigns passwords to an access descriptor and a view descriptor in the same procedure execution:

proc access dbms=Datacom;
  create work.emps.access (alter=rouge);
  table=employees;
  user=demo;

  create work.emp.view (alter=ego);
  select 1 2 3 4;
run;

Users have to specify the ALTER password EGO to browse or edit the view descriptor and the ALTER password ROUGE to browse, edit, or define additional view descriptors from this access descriptor.

When creating a view descriptor from a password-protected access descriptor, specify the access descriptor password as a data set option after the ACCDESC= option. The following example specifies two data set options. The first specifies the access descriptor password and the second assigns a password to the view descriptor.

proc access dbms=Datacom ad=work.emps.access (alter=rouge);
  create work.emp2.view (alter=dumb);
  select 5 6 7 8;
run;
 

You assign a SAS password to an existing descriptor by using the DATASETS procedure. The DATASETS procedure MODIFY statement enables you to assign, change, and delete SAS passwords.

Here is the basic syntax for using PROC DATASETS to assign a password to an access descriptor, a view descriptor, or a SAS data file:

In this syntax statement, the password-level argument can have one or more of the following values: READ=, WRITE=, ALTER=, or PW=. The password-modification argument enables you to assign a new password or to change or delete an existing password.

For example, this PROC DATASETS statement assigns the password MONEY with the ALTER level of protection to the access descriptor MYLIB.EMPLOYEE.

proc datasets library=mylib memtype=access;
   modify employee (alter=money);
run;

In this case, users are prompted for a password when they try to browse or edit the access descriptor or create view descriptors that are based on access descriptor MYLIB.EMPLOYEE.

In the next example, the PROC DATASETS statement assigns the passwords MYPW and MYDEPT with READ and ALTER levels of protection to view descriptor VLIB.CUSPHON:

proc datasets library=vlib memtype=view;
   modify cusphon (read=mypw alter=mydept);
run;

In this case, users are prompted for the SAS password when they try to read or update the DBMS data, or try to browse or edit the view descriptor VLIB.CUSPHON. You need both levels to protect the data and descriptor. Assign a WRITE level of protection to prevent data updates.

To delete a password on a descriptor file or any SAS data set, put a slash after the password:

proc datasets library=vlib memtype=view;
   modify cusphon (read=mypw/ alter=mydept/);
run;

See the Base SAS Procedures Guide for more examples of assigning, changing, deleting, and using SAS passwords with PROC DATASETS.