By default, newly created libraries
are not pre-assigned. When a library is not pre-assigned, the library
is accessed using the SAS engine that is most appropriate for the client application
and its intended user base. For example, if you do not pre-assign
the library, SAS Data Integration Studio creates a libref that uses
the native engine that is specified in metadata, such as BASE. This
approach is a best practice, because it is assumed that in most cases
SAS Data Integration Studio developers are building processes that
create or update tables. In this case, the native engine is the only
engine that should be used for data-populating tasks.
The following table
shows which SAS engine is used by many of the platform clients for
libraries that are not pre-assigned.
Platform Client Default Library Assignments
|
|
|
|
Minimum Metadata Authorizations
Required
|
SAS Add-In for Microsoft
Office
|
|
|
Table: ReadMetadata
and Read
|
|
|
|
|
Table: ReadMetadata
and Read
|
SAS Data Integration
Studio
|
|
|
|
|
|
|
|
|
SAS Information Map
Studio
|
|
|
|
When libraries are not pre-assigned,
each SAS platform client accesses data with the SAS engine that makes
the most sense for the client. Allowing each client to choose the
SAS engine that it deems appropriate for its user base results in
a security model that might match data access requirements. The clients
that are typically used for data building use the native engine. The
clients that are typically used for queries and reporting are designed
to use the metadata engine. An example of such an environment is one
with clients running at least SAS Enterprise Guide and SAS Data Integration
Studio. In this environment, SAS Data Integration Studio processes
update tables that are in turn used in ad hoc analysis within SAS
Enterprise Guide. The SAS Data Integration Studio processes need to
specify tables in the library as target tables (output), whereas the
SAS Enterprise Guide user's activities largely involve querying and
analyzing chunks of data (input).
Because SAS Data Integration
Studio processes typically update or create target tables, it is designed
to use the native engine instead of the metadata engine. It accesses
the tables using the engine that is specified in metadata for the
library. Because SAS Data Integration Studio works with tables that
are registered in the metadata repository, you can control access
to tables by granting ReadMetadata, WriteMetadata, and CheckInMetadata
permissions on the library and table metadata objects.
Note: The metadata authorization
layer supplements operating system and RDBMS security. It does not
replace it. Operating system and RDBMS authorization should always
be used as the first means of securing access to tables.
On the other hand, the
SAS Add-In for Microsoft Office and SAS Enterprise Guide use the metadata
engine by default. For these clients, the data-level authorizations
of Read, Write, Create, and Delete, which are specified in metadata,
are enforced.
If defining libraries
so that they are not pre-assigned seems like a potential option for
your environment, then you should also learn how to ensure that these
libraries are available to server processes that do not receive direct
requests from client applications. For example, you need to know
how to assign the library in server processes such as the stored process
server and DATA Step Batch Server (if present).
For more information,
see Considerations for SAS Stored Process and SAS Pooled Workspace Servers.