Changing a Metadata-Bound Library Password

Overview

Before you change a library password, it is essential to understand when and how library passwords are used. See Passwords for Metadata-Bound Data.
You might change a library password for any of the following reasons:
  • You suspect the password has been compromised.
  • Your security policy mandates periodic changes to library passwords.
  • You want to bind tables that have been host-copied into the metadata-bound library (in order to maintain the best practice scenario where all tables within a metadata-bound library are bound to that library).
To change the password of a metadata-bound library, use either SAS Management Console or the AUTHLIB procedure.

Requirements

In order to change a library password, the following requirements must be met:
  • You must know the current password for the metadata-bound library.
  • The requesting workspace server (or SAS session) must run under an account that has host-layer control of the target physical library. For host-specific details, see Requirement for Host-Layer Control.
  • The requesting workspace server (or SAS session) must connect to the metadata server as an identity that has the ReadMetadata and WriteMetadata permissions to the corresponding secured library object and secured table objects.
    Note: On a secured library object, the WriteMemberMetadata permission (from the parent secured data folder) is inherited as the WriteMetadata permission. See WriteMetadata and WriteMemberMetadata in SAS Intelligence Platform: Security Administration Guide.

GUI Method

Introduction

In SAS Management Console, you change a library password by modifying its corresponding secured library object.

Instructions

  1. On the Folders tab in SAS Management Console, beneath a /System/Secured Libraries branch, locate the secured library object that corresponds to the metadata-bound library whose password you want to change.
  2. Right-click the object and select Modify.
    The Modify Secured Library dialog box appears:
    [Figure: the Modify Secured Library dialog box]
    Refer to the entries in the preceding example as you complete steps 3 through 7.
  3. Select the application server that you want to use to update the binding information in the target directory.
    Note: The application server must include a standard workspace server that has host access to the target directory.
  4. Verify that the directory path of the target metadata-bound library is correct.
    Note: The directory path is pre-populated with the most recently referenced path. If any directories in the path have been renamed, be sure to modify the path.
  5. The Automatically purge old library credentials check box is selected by default. This option automatically removes all retained metadata-bound library credentials (passwords or encryption keys) if all tables in the library are successfully modified to use the newer credentials.
    If you want the replaced credentials to be retained in metadata, then clear the check box. The passwords are retained until you use the PURGE statement to remove them, or until you later modify the library with the check box selected. The following are reasons that you might want to retain credentials:
    • You created views, using the old passwords, to implement row and column level security on the library’s tables. SAS does not know which view files might contain the old passwords and does not have the ability to modify them in the view file. The old passwords need to be retained until you redefine the views to use the new passwords.
    • You want to be able to process data sets that are restored from backups taken before the passwords were modified.
  6. In the Password field, supply the current password for the target metadata-bound library.
    Note: If the target metadata-bound library currently has three distinct passwords, select the Specify multiple passwords check box and supply all three passwords in the Password row.
  7. Select the Change password values check box.
  8. In the New Password and Confirm Password fields, set and confirm a new password for the metadata-bound library. The password can be at most eight characters long.
    CAUTION:
    If you lose the password for a metadata-bound library, you cannot unbind the library or change its password.
    Keep track of passwords that you assign.
    Tip
    To create a more complex password, select the Specify multiple passwords check box and supply three distinct passwords. If the target metadata-bound library currently has one password, supply the current password in all three of the fields in the Password row. Using three passwords for a metadata-bound library only increases security; the different passwords do not manage different types of access.
    Tip
    Users do not supply metadata-bound library passwords in order to access data, so they should neither know, nor have access to, the password values.
  9. Click OK.
  10. In the Modify Secured Library window, click Yes to view the log.
    [Figure: the Modify Secured Library window]
    It is strongly recommended that you always check the log for warnings after you perform an action on a secured library object. If the log indicates that some tables were not modified (perhaps because a user was accessing them), repeat the modification when the tables are not being used. When doing so, specify the new password in the Password field.

Scope

In general, all tables within a metadata-bound library are protected by the library and share the library’s password. The GUI method facilitates this simple, best practice approach by affecting the physical library and all of its eligible tables. A table is eligible if it is either unsecured or secured with the library password.
In the following selective scope situations, you cannot use the GUI method:
  • If you do not want to affect the library, use the code method and set the TABLESONLY option.
  • If you want to affect only some of the tables, use the code method and add a TABLES statement after the MODIFY statement.

Code Method

As an alternative to using SAS Management Console, you can use the AUTHLIB procedure to modify a library password. See MODIFY Statement.
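
The following sketch is an added example, not code from the SAS documentation. It shows the whole-library password change and the selective scope cases described under Scope. The libref, path, table names and password values are constructed placeholders, the session is assumed to be connected to the metadata server already, and PURGEPW=NO is assumed to be the MODIFY option that corresponds to clearing the check box in step 5 of the GUI method.

```sas
/* Added example: every name and password value below is a constructed
   placeholder. SALESLIB is assumed to be a metadata-bound library. */
libname saleslib '/data/secured/sales';   /* hypothetical path */

/* 1. Library and all eligible tables: OldPw01 -> NewPw02.
      PURGEPW=NO retains the replaced credentials in metadata, for
      example while views that embed the old password are redefined. */
proc authlib lib=saleslib;
   modify pw=OldPw01/NewPw02
          purgepw=no;
run;
quit;

/* 2. Selective scope: TABLESONLY=YES leaves the library itself
      untouched, and the TABLES statement limits the action to the
      listed tables (here, two tables that were host-copied into the
      directory and should be bound under the current library password). */
proc authlib lib=saleslib;
   modify tablesonly=yes
          pw=NewPw02;
   tables orders_2023 returns_2023;
run;
quit;

/* 3. Code counterpart of checking the log after a GUI change:
      report inconsistencies between the physical library and metadata. */
proc authlib lib=saleslib;
   report;
run;
quit;
```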

Results

After you complete the preceding steps, the new password is recorded in the physical tables, replacing each instance of the old password.
The new password is also recorded in the metadata and associated with the corresponding secured library object.