By
using SAS passwords, you can protect SQL views, SAS data sets, and
descriptor files from unauthorized access. The following table summarizes
the levels of protection that SAS passwords provide. Note that you
can assign multiple levels of protection.
Password Protection Levels and Their Effects
|
|
|
|
PROC SQL view of DBMS
data
|
Protects the underlying
data from being read or updated through the view; does not protect
against replacement of the view
|
Protects the underlying
data from being updated through the view; does not protect against
replacement of the view
|
Protects the view from
being modified, deleted, or replaced
|
|
|
|
Protects the descriptor
from being read or edited
|
|
Protects the underlying
data from being read or updated through the view
|
Protects the underlying
data from being updated through the view
|
Protects the descriptor
from being read or edited
|
You can use these methods
to assign, change, or delete a SAS password:
-
the global SETPASSWORD command,
which opens a dialog box
-
the DATASETS procedure's MODIFY
statement
Here is the syntax for using PROC
DATASETS to assign a password to an access descriptor, a view descriptor,
or a SAS data file.
PROC DATASETS LIBRARY=libref MEMTYPE=member-type;
MODIFY member-name (password-level = password-modification);
RUN;
The
password-level argument
can have one or more of these values: READ=, WRITE=, ALTER=, or PW=.
PW= assigns read, write, and alter privileges to a descriptor or data
file. The
password-modification argument
enables you to assign a new password or to change or delete an existing
password. For example, this PROC DATASETS statement assigns the password
MONEY with the ALTER level of protection to the access descriptor
ADLIB.SALARIES:
proc datasets library=adlib memtype=access;
modify salaries (alter=money);
run;
In this case, users
are prompted for the password whenever they try to browse or update
the access descriptor or try to create view descriptors that are based
on ADLIB.SALARIES.
In the next example,
the PROC DATASETS statement assigns the passwords MYPW and MYDEPT
with READ and ALTER levels of protection to the view descriptor VLIB.JOBC204:
proc datasets library=vlib memtype=view;
modify jobc204 (read=mypw alter=mydept);
run;
In this case, users
are prompted for the SAS password when they try to read the DBMS data
or try to browse or update the view descriptor VLIB.JOBC204. You
need both levels to protect the data and descriptor from being read.
However, a user could still update the data that VLIB.JOBC204 accesses—for
example, by using a PROC SQL UPDATE. Assign a WRITE level of protection
to prevent data updates.
When you assign multiple
levels of passwords, use a different password for each level to ensure
that you grant only the access privileges that you intend.
To delete a password,
put a slash after the password:
proc datasets library=vlib memtype=view;
modify jobc204 (read=mypw/ alter=mydept/);
run;