As with any other security-related decision, a decision about whether to use metadata-bound libraries involves weighing the benefits of enhanced protection against increased administrative effort and complexity. This topic is intended to help you make a decision that is appropriate for your resources, environment, and security goals.

If all of the following circumstances exist, it makes sense to consider using metadata-bound libraries:

- You have SAS data sets that require a high level of security, with access distinctions at the user or group level.
- You are running (or planning to run) a SAS Metadata Server in which your users are registered.
- You have not already met your security requirements through a combination of physical layer (operating system) separation and customized configuration of your SAS servers.

The following prerequisite knowledge is essential for successful use of metadata-bound libraries:

- You know how to write and submit simple SAS code.
- You have a basic understanding of the SAS metadata environment, including its authorization system.
- You know how to create folders and set permissions in SAS Management Console.
- You have read and understood at least the first two chapters of this document.

The following additional factors should be considered in a decision about whether to use metadata-bound libraries:

- If your metadata promotion strategy does not maintain a separate set of physical data for each deployment level (for example, development, test, and production), significant additional administrative complexity is involved (compared to using secured libraries against a single set of physical data).
- As the first release of the secured libraries feature, this release might not offer optimal usability for the administrative tasks.
- Recovering from actions that inadvertently disrupt coordination between the physical data and its corresponding metadata objects can be complex.
- Any batch processing against metadata-bound data requires that the metadata server is available and that the requesting user can connect to it.