AUTHLIB Procedure
- Syntax
- Overview
- Concepts
- Using
- Results
- Examples Binding a Physical Library That Contains Unprotected Data SetsBinding a Physical Library That Contains Password-Protected Data SetsBinding a Library When Existing Data Sets Are Protected with the Same PasswordsBinding a Library When Existing Data Sets Are Protected with Different PasswordsChanging Passwords on Data SetsChanging Metadata-Bound Library PasswordsUsing the REMOVE StatementUsing the REPORT StatementUsing the TABLES StatementBinding a Library When Existing Data Sets Are SAS Proprietary EncryptedBinding a Library When Existing Data Sets Are AES-EncryptedBinding a Library with an Optional Recorded Encryption Key When Existing AES-Encrypted Data Sets Have Different Encryption Keys Binding a Library with Required AES Encryption When Existing Data Sets Are Encrypted with the Same Encryption KeyChanging the Encryption Key on a Metadata-Bound Library That Requires AES EncryptionBinding a Library with Existing Data Sets That Are AES-Encrypted with Different Encryption KeysChanging a Metadata-Bound Library to Require AES Encryption When Existing Data Sets Are Encrypted with Different Encryption KeysUsing the REMOVE Statement on a Metadata-Bound Library with Required AES EncryptionResetting Credentials on Imported SecuredLibrary Objects
Using the AUTHLIB Procedure
Requirements for Using the AUTHLIB Statements
Except for the REPORT statement, all statements within the AUTHLIB procedure require that you must meet the following criteria:
-
The SAS session runs under an account that has host-layer control of the target physical library. To ensure that only users who have host control can bind a physical library to metadata, the SAS session must run under a privileged host account as follows:
-
On UNIX, the account must be the owner of the directory.
-
On Windows, the account must have full control of the directory.
-
On z/OS, for UNIX file system libraries, the account must be the owner of the directory.
-
On z/OS, for direct-access bound libraries, the account must have RACF ALTER access authority to the library data set.
-
-
The SAS session connects to the SAS Metadata Server as an identity that has ReadMetadata and WriteMemberMetadata permissions to the target secured data folder.
-
You must supply the password(s) in CREATE, MODIFY, REPAIR, and REMOVE statements.
The REPORT statement requirements are less restrictive and are documented with that
statement.
Copy-In-Place Operation
In the SAS 9.4 release,
the copy-in-place operation is used to re-encrypt data sets.
Prior to the second
maintenance release of SAS 9.4, metadata-bound data sets in different
representations other than the host environment executing the AUTHLIB
code fails in CREATE, MODIFY, REPAIR, and REMOVE actions. In the second
maintenance release of SAS 9.4, the copy-in-place operation is used
to bind or alter bindings of most metadata-bound data files and view
files that are accessed through CEDA (Cross-Environment Data Access).
However, metadata-bound data sets accessed through CEDA that contain
indexes, extended attributes, and integrity constraints are detected
and the copy-in-place operation is not attempted as it would still
fail.
The following steps
are performed in the copy-in-place operation:
-
The data set is renamed to _TEMP_ENCRYPT_FILE_NAME_.
-
The data set is copied back to the original data set name, which re-encrypts the data in the process.
-
The _TEMP_ENCRYPT_FILE_NAME_ file is deleted.
See the following SAS
log examples of the copy-in-place operation:
Copyright © SAS Institute Inc. All rights reserved.