A metadata-bound library
has a single set of passwords stored in the secured library object,
which are added to all data sets that are created in the metadata-bound
library. These passwords are not used to authorize user access to
the data, but rather to authorize administrator access to repair the
binding of physical data to the secured library or table metadata
objects. They are also validated in the process of authorizing a user’s
access to a data set but do not determine the permissions that any
user is authorized to have.

The metadata-bound library
passwords are intended to be known only by the administrators of the
metadata-bound library. Knowledge of these passwords is required to
restore or re-create secured library and secured table objects in
a SAS Metadata Server for data sets in a data library that have lost
their previously recorded metadata objects and permissions. The metadata-bound
library passwords also prevent a user from exporting the secured library
and secured table objects from a SAS Metadata Server and then importing
them to a SAS Metadata Server that an unauthorized user created and
controls. This prevents the unauthorized user from using copies of
those objects in which that user has modified the permissions.

The metadata-bound library
passwords are always stored and transmitted in encrypted formats.
The encrypted password is not usable to access the data if it is captured
from a transmission and presented to SAS as a password value in the
SAS language. Administrators might choose to use the PWENCODE procedure
to encode the passwords for use in a PROC AUTHLIB statement. Using
an encoded password prevents a casual observer from seeing the clear-text
password in the PROC AUTHLIB statements that the administrator types.

There are three passwords
in the metadata-bound library set that correspond to the Read, Write,
and Alter passwords of SAS data sets. For greater simplicity in administration
of metadata-bound libraries, it is recommended that you use the PW=
option in PROC AUTHLIB statements to specify a single password value,
rather than specifying different password values using READ=, WRITE=,
and ALTER= options. In the context of metadata-bound libraries, the
READ=, WRITE=, and ALTER= options do not create access distinctions.
If you are concerned that a single eight-character password does not
meet your security requirements, you can choose to set three different
password values (using READ=, WRITE=, and ALTER=). Setting different
values for these three options can create a 24-character password.
However, you must keep track of all password values that you have
assigned to a metadata-bound library, because you must specify them to unbind
the library, modify the passwords, or repair any inconsistencies in
the binding information between what is recorded in the physical files
and the actual metadata objects.

CAUTION: If you lose the password (or passwords) for a metadata-bound
library, you cannot unbind the library or change its passwords. Be sure
to keep track of passwords that you assign in the CREATE and MODIFY
statements.
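
The following is an added example, not part of the original documentation, showing the two approaches described above: binding a library with a single PW= value that was encoded with PROC PWENCODE, and binding a second library with three different READ=, WRITE=, and ALTER= values. The librefs, paths, folder name, secured library names, and password values are constructed for illustration, and the session is assumed to be already connected to a SAS Metadata Server.

```sas
/* Added example. All librefs, paths, names, and passwords are constructed. */
/* Assumes the session is already connected to a SAS Metadata Server and    */
/* the administrator can create objects in the secured folder.              */

/* Encode the password. The encoded string is written to the SAS log and    */
/* stored in the global macro variable _PWENCODE. Pasting the string from   */
/* the log into the PW= option is equivalent to referencing the variable.   */
proc pwencode in='Pw4Bind1';
run;

libname sales '/data/sales';        /* constructed path */

/* Recommended form: one password value for the whole set (PW=).            */
/* The AUTHLIB statement shows only the encoded form, not the clear text.   */
proc authlib lib=sales;
   create securedfolder="Department XYZ"
          securedlibrary="SalesLib"
          pw="&_PWENCODE";
run;
quit;

libname hr '/data/hr';              /* constructed path */

/* Alternative form: three different values. In a metadata-bound library    */
/* these do not create Read/Write/Alter access distinctions; they only      */
/* lengthen the secret that an administrator must supply.                   */
/* Record all three values: each one is required later to unbind the        */
/* library, modify its passwords, or repair the binding.                    */
proc authlib lib=hr;
   create securedfolder="Department XYZ"
          securedlibrary="HrLib"
          read=Rd4Bind1
          write=Wr4Bind2
          alter=Al4Bind3;
run;
quit;
```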