SAS enables you to control access to SAS data sets and
access descriptors by associating one or more SAS passwords with them.
You must first create the descriptor files before assigning SAS passwords
to them.
When the VIEW file is being used to access the data in the underlying database tables,
a Read password on the VIEW file protects the underlying data and it or a
higher-level password must be supplied to read the data. Similarly, a Write password
on the VIEW file protects the underlying data and it or an Alter password must be
supplied to write data through the VIEW to the database tables.
When the view descriptor or access descriptor is being accessed to either modify or
describe the descriptor itself, the most restrictive
password on the file must be provided.
An administrator who wants to prevent users from knowing information in the descriptors
but still use them to access the underlying database data, should put an Alter password
on the files that is required to modify or describe
the descriptor contents. However, if only a Read password is placed on the descriptor
file, then that password is required to both read the underlying data and describe
or modify the descriptor. If a Write password without an Alter password is placed
on the descriptor files, then that password is required to both write data to the
underlying data and describe or modify the descriptor.
When you create view descriptors, you can use a data set option after the ACCDESC=
option to specify the access descriptor's password (if one exists). In this case,
you are not assigning a password to the
view descriptor that is being created. Rather, using the password grants you permission
to use the
access descriptor to create the view descriptor. For example:
proc access dbms=ims accdesc=mylib.account(alter=rouge);
create vlib.customer.view;
select all;
run;
By specifying the ALTER-level password, you can read the MyLib.Account access descriptor
and therefore create the Vlib.Customer view descriptor.
For detailed information
about the levels of protection and the types of passwords that you
can use, see SAS Language Reference: Concepts. The following section describes how you assign SAS
passwords to descriptors.
You can assign, change, or clear a password for an access descriptor, a view descriptor,
or another
SAS file by using the DATASETS procedure's MODIFY statement. Here is the basic syntax for
using PROC DATASETS to assign a password to an access descriptor, a view descriptor,
or a SAS data file:
PROC DATASETS LIBRARY=
libref MEMTYPE=
member-type ;
MODIFY member-name (password-level = password-modification);
RUN;
The password-level argument
can have one or more of the following values: READ=, WRITE=, ALTER=,
or PW=. PW= assigns Read, Write, and Alter privileges to a descriptor
or data file. The password-modification argument
enables you to assign a new password or to change or delete an existing
password.
For example, this PROC DATASETS statement assigns the password REWARD with the Alter
level of protection to the access descriptor MyLib.Employee:
proc datasets library=mylib memtype=access;
modify employee (alter=reward);
run;
In this case, users are prompted for the password whenever they try to browse or edit
the access descriptor or to create view descriptors that are based on MyLib.Employee.
You can assign multiple levels of protection to a descriptor or SAS data file.
In the next example, the PROC DATASETS statement assigns the passwords MYPW and MYDEPT
with Read and Alter levels of protection to the view descriptor Vlib.CustAcct:
proc datasets library=vlib memtype=view;
modify custacct (read=mypw alter=mydept);
run;
In this case, users are prompted for the SAS password when they try to read the DBMS
data, or try to browse or edit the view descriptor Vlib.CustAcct itself. You need
both levels to protect the data and descriptor from
being read. However, a user could still update the data that is accessed by Vlib.CustAcct,
such as by using a PROC
SQL UPDATE. Assign a Write level of protection to prevent data updates.
To delete a password on an access descriptor or any
SAS data set, put a slash after the password:
proc datasets library=vlib memtype=view;
modify custacct (read=mypw/ alter=mydept/);
run;
In the following example, PROC DATASETS sets a Read and Alter password for view descriptor
Vlib.CustInfo. PROC PRINT tries to use the view descriptor with both an invalid and
valid password. PROC ACCESS tries to update the view descriptor with and without a
password.
/* Assign passwords */
proc datasets library=vlib memtype=view;
modify custinfo (read=r2d2 alter=c3po);
run;
/* Invalid password given */
proc print data=vlib.custinfo (pw=r2dq);
where soc_sec_number = '178-42-6534';
title2 'Data for 178-42-6534';
run;
/* Valid password given */
proc print data=vlib.custinfo (pw=r2d2);
where soc_sec_number = '178-42-6534';
title2 'Data for 178-42-6534';
run;
/* Missing password */
proc access dbms=ims;
update vlib.custinfo.view;
drop country;
list all;
run;
/* Valid password given */
proc access dbms=ims;
update vlib.custinfo.view (alter=c3po);
drop country;
list all;
run;
See SAS Language Reference: Concepts for more examples of assigning, changing, deleting,
and using SAS passwords.