Binding an Individual Table to Metadata

About Binding Tables to Metadata

Binding data to metadata is a library-level feature. In general, all tables within a metadata-bound library are protected by that library (and its secured table objects) and share the library’s password (or passwords). If an inconsistency arises, you can use the MODIFY statement of the AUTHLIB procedure to perform the following tasks:
  • Apply the library’s password (or passwords) to any unbound tables.
  • Update any mismatched table passwords, so they match the library passwords.
For example, if someone uses a host copy command to add physical tables to a metadata-bound library, the added tables are not automatically bound. In order to create corresponding metadata objects, you must apply the password (or passwords) of the metadata-bound library to the added physical tables.

Who Uses the MODIFY Statement?

Administrators use the MODIFY statement of the AUTHLIB procedure to add or update physical tables so that they contain the same password (or passwords) as their parent metadata-bound library.
In order to use the MODIFY statement, you must meet the following criteria:
  • Your SAS session runs under an account that has host-layer control of the target physical library. To ensure that only users who have host control can change passwords, your SAS session must run under a privileged host account as follows:
    • On UNIX, the account must be the owner of the directory.
    • On Windows, the account must have Full Control of the directory.
    • On z/OS, for UNIX file system libraries, the account must be the owner of the directory.
    • On z/OS, for direct-access bound libraries, the account must have RACF ALTER access authority to the library data set.
  • You know the current password (or passwords) for the metadata-bound library.
  • Your SAS session connects to the metadata server as an identity that has Read and Write access (the ReadMetadata and WriteMetadata permissions) to the corresponding secured library object and secured table objects.
    Note: On a secured library object, the WriteMemberMetadata permission (from the parent secured data folder) is inherited as the WriteMetadata permission. See “WriteMetadata and WriteMemberMetadata” in Chapter 3 of SAS Intelligence Platform: Security Administration Guide.

Example

In this example, you use the MODIFY statement to apply passwords to physical tables that were added to the library through a host copy command. The following code applies passwords to any unsecured physical tables in the secdemo library and binds those tables to metadata (creating corresponding secured table objects).
libname secdemo 'path';

proc authlib library=secdemo;
   modify pw=secret;
run;    
Here are some details about the preceding code:
  • The preceding code does not include the SECUREDFOLDER and SECUREDLIBRARY parameters. It is not necessary to use these parameters, because the physical directory of the specified library (secdemo) contains information that references a particular metadata folder and secured library object.
  • The preceding code affects the physical library and all of the tables that it contains. If you don’t want to affect the library, set the TABLESONLY option. If you want to affect only some of the tables, add a TABLES statement after the MODIFY statement. If you use one or more TABLES statements after a MODIFY statement, only the specified tables are processed.
    Note: In this example, all of the copied tables are initially unsecured. If any of the copied tables were already secured, with a different password, those tables would not be affected by the preceding code.
  • The preceding code does not explicitly supply connection information for the metadata server. This example assumes that your SAS session already knows how to connect to the target metadata server.
CAUTION:
If you lose the password (or passwords) for a metadata-bound library, you can't unbind the library or change its passwords.
Be sure to keep track of passwords that you assign in the CREATE and MODIFY statements of the AUTHLIB procedure.
Tip
This code creates a new secured table object in metadata. Whenever you create new secured library or secured table objects, you should review the permissions on those objects in SAS Management Console. You can adjust access if needed. For example, you can add users or groups to a secured table’s Authorization tab, and grant (or deny) the Select permission (to manage Read access to the data).