The AUTHLIB data set
enables you to permit or restrict access to SAS library entities.
The default name for the AUTHLIB data set is SASHELP.AUTHLIB. It contains
INCLUDE and EXCLUDE rules that declare which data is available and
which data is unavailable to an Application Dispatcher program. The
enforcement of these rules is not automatic. An Application Dispatcher
program must call the AUTHLIB functions in order to participate in
this access control scheme. It is the responsibility of the programmer
to incorporate the AUTHLIB functions into a program.
The AUTHLIB data set
has a specific structure:
|
|
|
|
|
|
|
The access rule for
this record. Valid values are "INCLUDE" and "EXCLUDE".
|
|
|
|
The library name of
the entity to which this rule applies.
|
|
|
|
The member name of the
entity to which this rule applies.
|
|
|
|
The member type of the
entity to which this rule applies.
|
|
|
|
The catalog entry name
of the entity to which this rule applies.
|
|
|
|
The catalog entry type
of the entity to which this rule applies.
|
|
|
|
An optional comment
explaining this rule.
|
And here is a sample
AUTHLIB data set:
To customize the access
control for your Application Server, you can modify the SASHELP.AUTHLIB
data set that is shipped with
SAS/IntrNet software, or you can copy
this data set to a new name and modify that copy. If you use a data
set name other than SASHELP.AUTHLIB for your set of access rules,
you must use the APPSRV_AUTHDS function to set the new name.
Here is how the AUTHLIB
data set is interpreted. An entity is any SAS library, member, or
catalog entry.
-
An INCLUDE rule indicates that
access is allowed for matching entities.
-
An EXCLUDE rule indicates that
access is not allowed for matching entities.
-
All explicit EXCLUDE rules override
all INCLUDE rules.
-
If an entity does not match any
rules, then an implicit EXCLUDE rule is assumed.
-
Variable values are not case sensitive.
-
A single asterisk in a variable
value matches any entity or partial entity name.
Here are a few additional
guidelines:
-
Keep it simple. Avoid creating
an overly complex set of rules. This reduces the chance of unintentionally
allowing access to sensitive entities.
-
-
You cannot combine a text value
with an asterisk to create a pattern match. An asterisk is effective
only when used by itself.
-
Do not leave any variable values
blank. This does not evaluate properly. Place an asterisk in any columns
that you might expect to leave blank. For example, OBJNAME and OBJTYPE
do not make sense when the MEMTYPE is DATA. However, placing asterisks
in these columns is required.
-
Use a MEMTYPE value of CATALOG
when you supply a nonasterisk value for OBJNAME or OBJTYPE. For example,
suppose you want to exclude access to all catalog entries of type
SCL. That rule would look like
-
As stated above, the default rule
(if none match) is EXCLUDE. If you add an INCLUDE rule with asterisks
in all columns, this changes the default rule to INCLUDE, for example:
|
|
|
|
|
|
|
|
|
|
|
|
|
Now all entities are
included by default.
|
-
If you add an EXCLUDE rule with
asterisks in all columns, then no access is allowed to any entities,
for example:
|
|
|
|
|
|
|
|
|
|
|
|
|
Turn off all access
to SAS library data.
|