Previous Page | Next Page

File Protection

Using Passwords with Views


How the Level of Protection Differs from SAS Views

The levels of protection for SAS views and stored programs differ slightly from other types of SAS files. Passwords affect the actual SAS view definition or view descriptor as well as the underlying data. Unless otherwise noted, the term "view" can refer to any type of SAS view. Also, the term "underlying data" refers to the data that is accessed by the SAS view:

read
  • protects against reading the SAS view's underlying data.

  • allows source statements to be written to the SAS log, using DESCRIBE.

  • allows replacement of the SAS view.

write

  • protects the underlying data associated with a SAS view by insisting that a write password is given.

  • allows source statements to be written to the SAS log using DESCRIBE

  • allows replacement of the SAS view

alter
  • protects against source statements being written to the SAS log, using DESCRIBE.

  • protects against replacement of the SAS view.

An important difference between SAS views and other types of SAS files is that you need alter access to DESCRIBE an alter-protected view. For example, to use an alter-protected PROC SQL view in a DESCRIBE VIEW statement, you must specify the alter password.

In most DATA and PROC steps, the way you use password-protected views is consistent with the way you use other types of password-protected SAS files. For example, the following PROC PRINT prints a read-protected view:

proc print data=mylib.grade(read=green);
run;

Note:   You might experience unexpected results when you place protection on a SAS view if some type of protection has already been placed on the underlying data set.  [cautionend]


PROC SQL Views

Typically, when you create a PROC SQL view from a password-protected SAS data set, you specify the password in the FROM clause in the CREATE VIEW statement using a data set option. In this way, when you use the view later, you can access the underlying data without re-specifying the password. For example, the following statements create a PROC SQL view from a read-protected SAS data set, and drop a sensitive variable:

proc sql;
   create view mylib.emp as
      select * from mylib.employee(pw=orange drop=salary);
quit;

Note:   If you create a PROC SQL view from password-protected SAS data sets without specifying their passwords, when you try to use the view you are prompted for the passwords of the SAS data sets named in the FROM clause. If you are running SAS in batch or noninteractive mode, you receive an error message.  [cautionend]


SAS/ACCESS Views

SAS/ACCESS software enables you to edit view descriptors and, in some interfaces, the underlying data. To prevent someone from editing or reading (browsing) the view descriptor, assign alter protection to the view. To prevent someone from updating the underlying data, assign write protection to the view. For more information, see the SAS/ACCESS documentation for your DBMS.


DATA Step Views

When you create a DATA step view using a password-protected SAS data set, specify the password in the view definition. In this way, when you use the view, you can access the underlying data without respecifying the password.

The following statements create a DATA step view using a password-protected SAS data set, and drop a sensitive variable:

data mylib.emp / view=mylib.emp;
   set mylib.employee(pw=orange drop=salary);
run;

Note that you can use the SAS view without a password, but access to the underlying data requires a password. This is one way to protect a particular column of data. In the above example, proc print data=mylib.emp; will execute, but proc print data=mylib.employee; will fail without the password.

Previous Page | Next Page | Top of Page