AUTHLIB Procedure

Concepts: AUTHLIB Procedure

What Is a Metadata-Bound Library?

A metadata-bound library is a physical library that is tied to a corresponding metadata secured table object. Each physical table within a metadata-bound library has information in its header that points to a specific metadata object. The pointer creates a security binding between the physical table and the metadata object. The binding ensures that SAS universally enforces metadata-layer access requirements for the physical table—regardless of how a user requests access from SAS. For more information, see SAS Guide to Metadata-Bound Libraries.

What Are Metadata-Bound Library Passwords?

A metadata-bound library has a single set of passwords stored in the secured library object, which are added to all data sets that are created in the metadata-bound library. These passwords are not used to authorize user access to the data, but rather to authorize administrator access to repair the binding of physical data to the secured library or table metadata objects. They are also validated in the process of authorizing a user’s access to a data set but do not determine the permissions that any user is authorized to have.
The metadata-bound library passwords are intended to be known only by the administrators of the metadata-bound library. Knowledge of these passwords is required to restore or re-create secured library and secured table objects in a SAS Metadata Server for data sets in a data library that have lost their previously recorded metadata objects and permissions. The metadata-bound library passwords also prevent a user from exporting the secured library and secured table objects from a SAS Metadata Server and then importing them to a SAS Metadata Server that an unauthorized user created and controls. This prevents the unauthorized user from using such objects where the user has modified the permissions.
The metadata-bound library passwords are always stored and transmitted in encrypted formats. The encrypted password is not usable to access the data if it is captured from a transmission and presented to SAS as a password value in the SAS language. Administrators might choose to use the PWENCODE procedure to encode the passwords for use in a PROC AUTHLIB statement. Using an encoded password prevents a casual observer from seeing the clear-text password in the PROC AUTHLIB statements that the administrator types.
There are three passwords in the metadata-bound library set that correspond to the Read, Write, and Alter passwords of SAS data sets. For greater simplicity in administration of metadata-bound libraries, it is recommended that you use the PW= option in PROC AUTHLIB statements to specify a single password value, rather than specifying different password values using the READ=, WRITE=, and ALTER= options. In the context of metadata-bound libraries, the READ=, WRITE=, and ALTER= options do not create access distinctions. If you are concerned that a single eight-character password does not meet your security requirements, you can choose to set three different password values (using READ=, WRITE=, and ALTER=). Setting different values for these three options can create a 24-character password. However, you must keep track of all password values that you have assigned to a metadata-bound library, because you must specify them to unbind the library, modify the passwords, or repair any inconsistencies in the binding information between what is recorded in the physical files and the actual metadata objects.
CAUTION:
If you lose the password (or passwords) for a metadata-bound library, you cannot unbind the library or change its passwords.
Be sure to keep track of passwords that you assign in the CREATE and MODIFY statements.
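An added example (not code from the SAS documentation) of the workflow described above: encoding the administrator's password with PROC PWENCODE, binding a physical library with a single PW= value, and confirming the binding with the REPORT statement. The libref, directory path, metadata folder, secured-library name and password value are assumed, and the metadata server connection options are assumed to be set already.

```sas
/* Added example; assumed names and paths throughout. Assumes the
   METASERVER=/METAPORT=/METAUSER=/METAPASS= options are already set
   so the session connects to the metadata server as an identity with
   ReadMetadata and WriteMemberMetadata on the target secured folder. */

/* Step 1: encode the chosen password so the clear text never appears
   in the AUTHLIB code. The {SAS004}... value is written to the SAS log. */
proc pwencode in='CHANGE-ME-PLACEHOLDER' method=sas004;
run;

/* Step 2: assign the physical library. The session account must have
   host-layer control of this directory (owner on UNIX, full control
   on Windows) or the CREATE statement will fail. */
libname sales '/data/sales';   /* assumed directory */

/* Step 3: bind the library using the encoded value copied from the log.
   One PW= value is used instead of separate READ=/WRITE=/ALTER= values,
   as the concepts section recommends. Record this password securely:
   it is required later for MODIFY, REPAIR and REMOVE. */
proc authlib library=sales;
   create securedfolder="/System/Secured Libraries/Sales"   /* assumed folder */
          securedlibrary="SalesLib"                         /* assumed object name */
          pw="{SAS004}ENCODED-VALUE-FROM-LOG";             /* placeholder */
run;

/* Step 4: verify. REPORT needs no password and lists, per data set,
   whether it is bound to a secured table object; data sets that were
   already password-protected with other passwords show up as unbound. */
proc authlib library=sales;
   report;
run;
```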

Data Sets in a Metadata-Bound Library That Are Not Bound to Secured Table Objects

It is possible to have physical data sets in a metadata-bound library that do not have the metadata-bound library passwords. This can occur if the data sets existed with passwords that differ from the metadata-bound library passwords when the library was bound. See Binding a Physical Library That Contains Password-Protected Data Sets. It can also occur if data sets with different passwords are copied into the library by an operating system copy utility. These data sets are not considered to be part of the bound library for authorization purposes. If the data set was copied by an operating system utility from another metadata-bound library, the data set is still protected by the permissions users have in the secured table object to which it is bound in the original secured library. If the data set was not copied from a metadata-bound library, then metadata permissions do not apply, and you must supply the appropriate passwords to access the data. You can use the MODIFY statement of PROC AUTHLIB to change the data set's passwords to those of the metadata-bound library so that it becomes bound to a secured table object in the secured library object to which the library is bound. See Changing Passwords on Data Sets.

Requirements to Use PROC AUTHLIB Statements

Except for the REPORT statement, all statements within PROC AUTHLIB require that you meet the following criteria:
  • The SAS session runs under an account that has host-layer control of the target physical library. To ensure that only users who have host control can bind a physical library to metadata, the SAS session must run under a privileged host account as follows:
    • On UNIX, the account must be the owner of the directory.
    • On Windows, the account must have full control of the directory.
    • On z/OS, for UNIX file system libraries, the account must be the owner of the directory.
    • On z/OS, for direct-access bound libraries, the account must have RACF ALTER access authority to the library data set.
  • The SAS session connects to the metadata server as an identity that has ReadMetadata and WriteMemberMetadata permissions to the target secured data folder.
  • You must supply the password(s) in CREATE, MODIFY, REPAIR, and REMOVE statements.
The REPORT statement requirements are less restrictive and are documented with that statement.