A metadata-bound library is a physical library that is tied to a corresponding metadata secured table object. Each physical table within a metadata-bound library has information in its header that points to a specific metadata object. The pointer creates a security binding between the physical table and the metadata object. The binding ensures that SAS universally enforces metadata-layer access requirements for the physical table—regardless of how a user requests access from SAS. For more information, see SAS Guide to Metadata-Bound Libraries.

A metadata-bound library has a single set of passwords stored in the secured library object, which are added to all data sets that are created in the metadata-bound library. These passwords are not used to authorize user access to the data, but rather to authorize administrator access to repair the binding of physical data to the secured library or table metadata objects. They are also validated in the process of authorizing a user’s access to a data set but do not determine the permissions that any user is authorized to have.

The metadata-bound library passwords are intended to be known only by the administrators of the metadata-bound library. Knowledge of these passwords is required to restore or re-create secured library and secured table objects in a SAS Metadata Server for data sets in a data library that have lost their previously recorded metadata objects and permissions. The metadata-bound library passwords also prevent a user from exporting the secured library and secured table objects from a SAS Metadata Server and then importing them to a SAS Metadata Server that an unauthorized user created and controls. This prevents the unauthorized user from using such objects where the user has modified the permissions.

The metadata-bound library passwords are always stored and transmitted in encrypted formats. The encrypted password is not usable to access the data if it is captured from a transmission and presented to SAS as a password value in the SAS language. Administrators might choose to use the PWENCODE procedure to encode the passwords for use in a PROC AUTHLIB statement. Using an encoded password prevents a casual observer from seeing the clear-text password in the PROC AUTHLIB statements that the administrator types.

There are three passwords in the metadata-bound library set that correspond to the Read, Write, and Alter passwords of SAS data sets. For greater simplicity in administration of metadata-bound libraries, it is recommended that you use the PW= option in PROC AUTHLIB statements to specify a single password value, rather than specifying different password values using READ=, WRITE=, and ALTER= options. In the context of metadata-bound libraries, the READ=, WRITE=, and ALTER= options do not create access distinctions. If you are concerned that a single eight character password does not meet your security requirements, you can choose to set three different password values (using READ=, WRITE=, and ALTER=). Setting different values for these three options can create a 24-character password. However, you must keep track of all password values that you have assigned to a metadata-bound library as you must specify them to unbind the library, modify the passwords, or repair any inconsistencies in the binding information between what is recorded in the physical files and the actual metadata objects.

It is possible to have physical data sets in a metadata-bound library that do not have the metadata-bound library passwords. This can occur if the data sets existed with passwords that differ from the metadata library passwords when the library was bound. See Binding a Physical Library That Contains Password-Protected Data Sets. It can also occur if data sets with different passwords are copied into the library by an operating system copy utility. These data sets are not considered to be part of the bound library for authorization purposes. If the data set was in an operating system copied from another metadata-bound library, the data set is still protected by the permissions users have in the secured table object to which it is bound in the original secured library. If the data set is not copied from a metadata-bound library, then metadata permissions do not apply, and you must supply the appropriate passwords to access the data. You can use the MODIFY statement of PROC AUTHLIB to modify the passwords to those of the metadata-bound library so that it will be bound to a secured table object in the secured library object to which the library is bound. See Changing Passwords on Data Sets .

Except for the REPORT statement, all statements within PROC AUTHLIB require that you must meet the following criteria:

The REPORT statement requirements are less restrictive and are documented with that statement.