Controlling Access to Data Sources with the AUTHLIB Data Set

Overview of the AUTHLIB Data Set

The AUTHLIB data set enables you to permit or restrict access to SAS library entities. The default name for the AUTHLIB data set is SASHELP.AUTHLIB. It contains INCLUDE and EXCLUDE rules that declare which data is available and which data is unavailable to an Application Dispatcher program. The enforcement of these rules is not automatic. An Application Dispatcher program must call the AUTHLIB functions in order to participate in this access control scheme. It is the responsibility of the programmer to incorporate the AUTHLIB functions into a program.
The AUTHLIB data set has a specific structure:
Column Name   Type        Length   Description
Rule          character   7        The access rule for this record. Valid values are "INCLUDE" and "EXCLUDE".
Libname       character   8        The library name of the entity to which this rule applies.
Memname       character   32       The member name of the entity to which this rule applies.
Memtype       character   8        The member type of the entity to which this rule applies.
Objname       character   32       The catalog entry name of the entity to which this rule applies.
Objtype       character   8        The catalog entry type of the entity to which this rule applies.
Comment       character   128      An optional comment explaining this rule.
And here is a sample AUTHLIB data set:
Rule      Libname   Memname   Memtype   Objname   Objtype   Comment
INCLUDE   SASHELP   *         DATA      *         *
INCLUDE   SASHELP   *         VIEW      *         *
INCLUDE   SASHELP   *         MDDB      *         *
INCLUDE   SAMPDAT   *         *         *         *
EXCLUDE   SAMPDAT   MYCAT     CATALOG   *         *
To customize the access control for your Application Server, you can modify the SASHELP.AUTHLIB data set that is shipped with SAS/IntrNet software, or you can copy this data set to a new name and modify that copy. If you use a data set name other than SASHELP.AUTHLIB for your set of access rules, you must use the APPSRV_AUTHDS function to set the new name.
Here is how the AUTHLIB data set is interpreted. An entity is any SAS library, member, or catalog entry.
  • An INCLUDE rule indicates that access is allowed for matching entities.
  • An EXCLUDE rule indicates that access is not allowed for matching entities.
  • All explicit EXCLUDE rules override all INCLUDE rules.
  • If an entity does not match any rules, then an implicit EXCLUDE rule is assumed.
  • Variable values are not case sensitive.
  • A single asterisk in a variable value matches any entity or partial entity name.
Here are a few additional guidelines:
  • Keep it simple. Avoid creating an overly complex set of rules. This reduces the chance of unintentionally allowing access to sensitive entities.
  • Verify any changes you make to the AUTHLIB data set.
  • You cannot combine a text value with an asterisk to create a pattern match. An asterisk is effective only when used by itself.
  • Do not leave any variable values blank. This does not evaluate properly. Place an asterisk in any columns that you might expect to leave blank. For example, OBJNAME and OBJTYPE do not make sense when the MEMTYPE is DATA. However, placing asterisks in these columns is required.
  • Use a MEMTYPE value of CATALOG when you supply a nonasterisk value for OBJNAME or OBJTYPE. For example, suppose you want to exclude access to all catalog entries of type SCL. That rule would look like
    Rule      Libname   Memname   Memtype   Objname   Objtype   Comment
    EXCLUDE   *         *         CATALOG   *         SCL       Exclude all SCL entries.
  • As stated above, the default rule (if none match) is EXCLUDE. If you add an INCLUDE rule with asterisks in all columns, this changes the default rule to INCLUDE, for example:
    Rule      Libname   Memname   Memtype   Objname   Objtype   Comment
    INCLUDE   *         *         *         *         *         Now all entities are included by default.
  • If you add an EXCLUDE rule with asterisks in all columns, then no access is allowed to any entities, for example:
    Rule      Libname   Memname   Memtype   Objname   Objtype   Comment
    EXCLUDE   *         *         *         *         *         Turn off all access to SAS library data.
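The interpretation rules and guidelines above can be checked against a small reference model before an edited AUTHLIB data set is put in front of an Application Server. The following Python program is an added example and is not SAS code, not part of SAS/IntrNet, and not the Application Server's own evaluation logic; it encodes only the documented semantics (explicit EXCLUDE overrides INCLUDE, no match is an implicit EXCLUDE, values are case-insensitive, and an asterisk is a wildcard only on its own). The Entity class, the convention that columns which do not apply to an entity are left empty, and the sample entities are assumptions of this model; the rule rows are the sample AUTHLIB data set from this page.

```python
"""Reference model of the documented AUTHLIB rule semantics.

Constructed example in Python: not SAS code, not part of SAS/IntrNet, and not
how the Application Server evaluates SASHELP.AUTHLIB. It encodes only the
documented rules: EXCLUDE beats INCLUDE, no match means EXCLUDE, values are
case-insensitive, and '*' is a wildcard only when it stands alone.
"""
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# One AUTHLIB observation: Rule, Libname, Memname, Memtype, Objname, Objtype, Comment
Row = Tuple[str, str, str, str, str, str, str]
COLUMNS = ("Libname", "Memname", "Memtype", "Objname", "Objtype")


@dataclass(frozen=True)
class Entity:
    """A library, member, or catalog entry (assumed representation: columns
    that do not apply, e.g. Objname for a DATA member, are left empty)."""
    libname: str
    memname: str = ""
    memtype: str = ""
    objname: str = ""
    objtype: str = ""

    def values(self) -> Tuple[str, ...]:
        return (self.libname, self.memname, self.memtype, self.objname, self.objtype)


# The sample AUTHLIB data set from the page, with an empty Comment column.
SAMPLE_RULES: List[Row] = [
    ("INCLUDE", "SASHELP", "*", "DATA", "*", "*", ""),
    ("INCLUDE", "SASHELP", "*", "VIEW", "*", "*", ""),
    ("INCLUDE", "SASHELP", "*", "MDDB", "*", "*", ""),
    ("INCLUDE", "SAMPDAT", "*", "*", "*", "*", ""),
    ("EXCLUDE", "SAMPDAT", "MYCAT", "CATALOG", "*", "*", ""),
]


def column_matches(rule_value: str, entity_value: str) -> bool:
    """A lone asterisk matches anything; any other value is compared literally
    and case-insensitively, so a rule value 'MY*' matches only the name 'MY*'."""
    if rule_value == "*":
        return True
    return rule_value.strip().upper() == entity_value.strip().upper()


def rule_matches(row: Row, entity: Entity) -> bool:
    return all(column_matches(rv, ev) for rv, ev in zip(row[1:6], entity.values()))


def is_authorized(rules: Sequence[Row], entity: Entity) -> bool:
    """Explicit EXCLUDE overrides every INCLUDE; no matching rule at all is an
    implicit EXCLUDE."""
    matched = {row[0].strip().upper() for row in rules if rule_matches(row, entity)}
    if "EXCLUDE" in matched:
        return False
    return "INCLUDE" in matched


def lint_rules(rules: Sequence[Row]) -> List[Tuple[int, str]]:
    """Flag rows that break the guidelines: a Rule value other than
    INCLUDE/EXCLUDE, blank columns, text mixed with '*', or a non-asterisk
    Objname/Objtype on a row whose Memtype is not CATALOG."""
    problems: List[Tuple[int, str]] = []
    for i, row in enumerate(rules):
        rule, values = row[0], row[1:6]
        if rule.strip().upper() not in ("INCLUDE", "EXCLUDE"):
            problems.append((i, f"Rule {rule!r} is not INCLUDE or EXCLUDE"))
        for name, value in zip(COLUMNS, values):
            if value.strip() == "":
                problems.append((i, f"{name} is blank; use * instead"))
            elif "*" in value and value != "*":
                problems.append((i, f"{name}={value!r}: an asterisk only works on its own"))
        memtype, objname, objtype = row[3], row[4], row[5]
        if (objname != "*" or objtype != "*") and memtype.strip().upper() != "CATALOG":
            problems.append((i, "Objname/Objtype set but Memtype is not CATALOG"))
    return problems


def verification_report(rules: Sequence[Row], entities: Sequence[Entity]):
    """Split entities into included and excluded lists, the same review the
    APPSRV_AUTHCLS-based verification program performs inside SAS."""
    included = [e for e in entities if is_authorized(rules, e)]
    excluded = [e for e in entities if not is_authorized(rules, e)]
    return included, excluded


# Constructed entities that exercise each documented rule.
SAMPLE_ENTITIES = [
    Entity("SASHELP", "CLASS", "DATA"),                    # matched by INCLUDE row 0
    Entity("SASHELP", "VSLIB", "VIEW"),                    # matched by INCLUDE row 1
    Entity("SASHELP", "CORE", "CATALOG"),                  # no rule: implicit EXCLUDE
    Entity("sampdat", "sales", "data"),                    # case-insensitive INCLUDE
    Entity("SAMPDAT", "MYCAT", "CATALOG"),                 # explicit EXCLUDE wins
    Entity("SAMPDAT", "MYCAT", "CATALOG", "MENU", "SCL"),  # entry inside the excluded catalog
    Entity("WORK", "TEMP", "DATA"),                        # library never mentioned
]

if __name__ == "__main__":
    for i, msg in lint_rules(SAMPLE_RULES):
        print(f"row {i}: {msg}")
    included, excluded = verification_report(SAMPLE_RULES, SAMPLE_ENTITIES)
    print("included:", *included, sep="\n  ")
    print("excluded:", *excluded, sep="\n  ")
```

The lint step exists because the model cannot reproduce what a blank column does on a real server (the page only says it does not evaluate properly); it refuses such rows up front instead. Prepending an all-asterisk EXCLUDE row to SAMPLE_RULES makes every entity excluded, and appending an all-asterisk INCLUDE row turns the default into INCLUDE while SAMPDAT.MYCAT stays excluded, which is the behaviour the two all-asterisk examples above describe.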

AUTHLIB Functions

The following functions enable you to use the AUTHLIB data set in your Application Dispatcher programs.
  • APPSRV_AUTHLIB checks whether access is allowed for a given entity. The arguments to this function are similar to the columns of the AUTHLIB data set. This function is efficient if you are checking a single entity or just a few entities. If you want to check many entities, it is more efficient to use the APPSRV_AUTHCLS function.
  • APPSRV_AUTHCLS produces various WHERE clauses. These clauses can be used to subset the entities in the current SAS session to only the entities that are authorized by the AUTHLIB data set. If your program needs to check the authorization for a large number of entities, or if your program needs to generate lists of authorized entities, then use this function. The returned WHERE clause can be combined with your own subsetting criteria and applied to the SQL dictionaries or various SASHELP views.
  • APPSRV_AUTHDS changes the name of the AUTHLIB data set that is used by the other two functions.

Verifying the AUTHLIB Data Set

It is a good idea to verify all changes that you make to the AUTHLIB data set. Fortunately, the APPSRV_AUTHCLS function makes this task easy. By using this function, you can generate lists of included and excluded entities that you can review for correctness. The following program produces a verification report for the AUTHLIB data set.
/*generate the different authlib WHERE clauses
   and store them as macro variables*/

data _null_;
   length clause $ 32767;

   clause = appsrv_authcls('LIBRARY');
   call symput('LIBCLS',clause);

   clause = appsrv_authcls('MEMBER');
   call symput('MEMCLS',clause);

   clause = appsrv_authcls('CATALOGENTRY');
   call symput('ENTRYCLS',clause);
run;


/*create a view of included libraries*/

proc sql;
create view work.inclib as select *
   from sashelp.vslib
   where &libcls;
quit;


/*create a view of the excluded libraries*/

proc sql;
create view work.exclib as select *
   from sashelp.vslib
   where not &libcls;
quit;


/*create a view of the included members*/

proc sql;
create view work.incmem as select *
   from sashelp.vmember
   where &memcls;
quit;


/*create a view of the excluded members*/

proc sql;
create view work.excmem as select *
   from sashelp.vmember
   where not &memcls;
quit;


/*NOTE: THE CATALOG ENTRY VIEWS CAN TAKE A LONG TIME TO RUN
YOU MIGHT WANT TO SUBSET BY ADDING SOMETHING TO
THE WHERE CLAUSE TO SPEED IT UP SUCH AS

and libname ne 'SASHELP'

THIS WILL PREVENT YOU FROM OPENING EVERY CATALOG
IN EVERY LIBRARY.*/


/*create a view of the included entries from selected catalogs*/

proc sql;
create view work.incentry as select *
   from sashelp.vcatalg
   where &entrycls;
quit;


/*create a view of the excluded entries from selected catalogs*/

proc sql;
create view work.excentry as select *
   from sashelp.vcatalg
   where not &entrycls;
quit;


/*Now print out the results of the SQL steps
   (each PROC PRINT is terminated by its own RUN statement)*/

proc print data=work.inclib;
run;
proc print data=work.exclib;
run;
proc print data=work.incmem;
run;
proc print data=work.excmem;
run;
proc print data=work.incentry;
run;
proc print data=work.excentry;
run;