Auditing for Metadata-Bound Libraries

Which Events Can Be Logged?

For metadata-bound libraries, certain events can be logged to a system-wide logging facility.
The following table summarizes the events that can be logged:
Logged Events for Metadata-Bound Data

Category (Logger): Authorization failure records
(Audit.Data.MetaBoundLib.PermDenied)
Logged Events:
  A user attempts to access a metadata-bound table to which the user has insufficient effective permissions in the metadata layer. Access is not allowed.

Category (Logger): Misalignment issue records [1]
(Audit.Data.MetaBoundLib.AuthAudit)
Logged Events:
  A user accesses a metadata-bound table that is located within a traditional (unbound) library.
  A user accesses a traditional (unbound) table that is located within a metadata-bound library. [2]
  A user accesses a metadata-bound table whose security location reference doesn't match the security location reference of its parent library.
  A user accesses a metadata-bound table whose security name reference doesn't match the corresponding secured table object. In other words, the names do not match (the table and the secured table object correspond by a separate identifier, not by name).
  A user attempts to access a metadata-bound table whose passwords do not match the passwords of the corresponding secured library object. In other words, the passwords do not match. Even if the user's metadata-layer permissions are sufficient, access is not allowed.

[1] The misalignment issue records do not specify who created the issue; these records indicate only that the issue exists at the time that access is requested.
[2] This is the most important event to audit, because it might indicate an earlier circumvention of security. See Detecting a Circumvention of Update Security.

Detecting a Circumvention of Update Security

A user who has only Read access to a metadata-bound table might be able to update the table by using the following process:
  1. Use SAS to copy the metadata-bound table to an unsecured library.
  2. Update the data.
  3. Use a host command to copy the table back to its original metadata-bound library.
Because the table was copied back into its original secured library location with a host command rather than through SAS, the updated table is no longer bound to its corresponding secured table object.
Note: The preceding scenario can occur when you enable a user to update some, but not all, of the tables within a metadata-bound library. To perform that task, the user needs host-layer Write access to the entire library. That host-layer access is what enables step 3 in the preceding list, regardless of whether the user has metadata-layer Update access to the target metadata-bound table.
The audit record that is written when a user accesses a traditional (unbound) table that is located within a metadata-bound library indicates that someone might have used the preceding process to circumvent security. The record identifies the user who accessed the unbound table, not the user who placed it there.
Note: These audit records can also indicate that you have not followed the recommended practice of ensuring that all tables within a metadata-bound library are bound to that library.

Audit Record Content and Layout

Here is an example of an authorization failure record:
DateTime=2012-02-15T17:48:28,671, Userid=JOE@COMPANY, StepName=DATASTEP, Action=Read, LoginId=JOE@COMPANY, IdentityName=Joe, Libref=REVENUE , OSLibraryPath=\\machine.company.com\Data\Revenue, MemberName=CSV, MemberType=VIEW , DataSetInfoSecuredLibrary=/System/Secured Libraries/Data/, DataSetInfoSecuredLibraryGuid=5200B831-50A1-4E66-92CD-AD86ACDB43B7, DataSetInfoSecuredTableName=CSV.VIEW, DataSetInfoSecuredTableGuid=5BE37390-986F-45B4-8227-F3653C79768A, LibraryInfoSecuredLibrary=/System/Secured Libraries/Data, LibraryInfoSecuredLibraryGuid=5200B831-50A1-4E66-92CD-AD86ACDB43B7, RequiredPermission=Select, UserEffectivePermissions=None, Message=ERROR: JOE@COMPANY as Joe is not authorized to read data set REVENUE.CSV.VIEW. Select permission is required.
Here is an example of a misalignment issue record that indicates a possible security concern:
DateTime=2012-02-15T17:48:21,201, Userid=JOE@COMPANY, StepName=DATASTEP, RecType=201, LoginId=JOE@COMPANY, IdentityName=omitest, Libref=METAOMI , OSLibraryPath=\\machine.company.com\Data, MemberName=D, MemberType=DATA , DataSetInfoSecuredLibrary=, DataSetInfoSecuredLibraryGuid=, DataSetInfoSecuredTableName=, DataSetInfoSecuredTableGuid=, LibraryInfoSecuredLibrary=/System/Secured Libraries/Data, LibraryInfoSecuredLibraryGuid=ACFAF468-B77E-4DF2-BB64-D7342F2CB1CE, PasswordDifferences=, UserEffectivePermissions=, Message=WARNING: Data set METAOMI.D.DATA is not bound to a secured table object, but it resides in a directory that is bound to a secured library object. The data set might have existed in this directory before the library was bound, or the data set might have been copied to this directory with a host copy utility.
Tip
The layout of an audit record is determined by conversion patterns within your logging configuration file.
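Detection logic for the records shown above, as an added example that is not part of this page or of SAS: a small Python parser for the key=value layout used in the two sample records, with classification rules for the event types in the table under "Which Events Can Be Logged?" and a function that pulls out the who/what/where of every unbound-table-in-bound-library record, the indicator described under "Detecting a Circumvention of Update Security". The field names and the classification rules are assumptions derived from the two sample records and the event descriptions on this page; a real deployment's record layout depends on the conversion patterns in its logging configuration, so adjust the parser to match.

```python
import re
from typing import Dict, List

# Constructed sample input: the two audit records quoted on this page, one
# authorization failure (PermDenied logger) and one misalignment warning
# (AuthAudit logger). Lines are split only for readability.
SAMPLE_RECORDS = [
    (
        r"DateTime=2012-02-15T17:48:28,671, Userid=JOE@COMPANY, StepName=DATASTEP, "
        r"Action=Read, LoginId=JOE@COMPANY, IdentityName=Joe, Libref=REVENUE , "
        r"OSLibraryPath=\\machine.company.com\Data\Revenue, MemberName=CSV, "
        r"MemberType=VIEW , DataSetInfoSecuredLibrary=/System/Secured Libraries/Data/, "
        r"DataSetInfoSecuredLibraryGuid=5200B831-50A1-4E66-92CD-AD86ACDB43B7, "
        r"DataSetInfoSecuredTableName=CSV.VIEW, "
        r"DataSetInfoSecuredTableGuid=5BE37390-986F-45B4-8227-F3653C79768A, "
        r"LibraryInfoSecuredLibrary=/System/Secured Libraries/Data, "
        r"LibraryInfoSecuredLibraryGuid=5200B831-50A1-4E66-92CD-AD86ACDB43B7, "
        r"RequiredPermission=Select, UserEffectivePermissions=None, "
        r"Message=ERROR: JOE@COMPANY as Joe is not authorized to read data set "
        r"REVENUE.CSV.VIEW. Select permission is required."
    ),
    (
        r"DateTime=2012-02-15T17:48:21,201, Userid=JOE@COMPANY, StepName=DATASTEP, "
        r"RecType=201, LoginId=JOE@COMPANY, IdentityName=omitest, Libref=METAOMI , "
        r"OSLibraryPath=\\machine.company.com\Data, MemberName=D, MemberType=DATA , "
        r"DataSetInfoSecuredLibrary=, DataSetInfoSecuredLibraryGuid=, "
        r"DataSetInfoSecuredTableName=, DataSetInfoSecuredTableGuid=, "
        r"LibraryInfoSecuredLibrary=/System/Secured Libraries/Data, "
        r"LibraryInfoSecuredLibraryGuid=ACFAF468-B77E-4DF2-BB64-D7342F2CB1CE, "
        r"PasswordDifferences=, UserEffectivePermissions=, "
        r"Message=WARNING: Data set METAOMI.D.DATA is not bound to a secured table "
        r"object, but it resides in a directory that is bound to a secured library "
        r"object. The data set might have existed in this directory before the "
        r"library was bound, or the data set might have been copied to this "
        r"directory with a host copy utility."
    ),
]

# A value may itself contain ", " (the Message text does), so a field ends
# only where the next ", Key=" begins, or at end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=, \w+=|$)")


def parse_record(line: str) -> Dict[str, str]:
    """Parse one key=value audit record into a dict; values are stripped."""
    return {key: value.strip() for key, value in FIELD_RE.findall(line.strip())}


def classify(rec: Dict[str, str]) -> str:
    """Map a parsed record to one of the event types listed on this page.

    Assumed rules: an authorization failure carries a RequiredPermission;
    a password mismatch populates PasswordDifferences; the other misalignment
    types are told apart by which secured-table / secured-library GUID and
    name fields are populated, and whether they agree.
    """
    if rec.get("RequiredPermission"):
        return "authorization_failure"
    if rec.get("PasswordDifferences"):
        return "password_mismatch"
    table_guid = rec.get("DataSetInfoSecuredTableGuid", "")
    table_lib_guid = rec.get("DataSetInfoSecuredLibraryGuid", "")
    dir_lib_guid = rec.get("LibraryInfoSecuredLibraryGuid", "")
    if dir_lib_guid and not table_guid:
        # Unbound table inside a bound library: the circumvention indicator.
        return "unbound_table_in_bound_library"
    if table_guid and not dir_lib_guid:
        return "bound_table_in_unbound_library"
    if table_lib_guid and dir_lib_guid and table_lib_guid != dir_lib_guid:
        return "security_location_mismatch"
    expected_name = f"{rec.get('MemberName', '')}.{rec.get('MemberType', '')}"
    if table_guid and rec.get("DataSetInfoSecuredTableName", "") != expected_name:
        return "security_name_mismatch"
    return "other"


def find_circumvention_indicators(lines: List[str]) -> List[Dict[str, str]]:
    """Return who touched which unbound table inside a bound library, and where.

    Note that the record names the user who accessed the unbound table, not
    the user who put it there; that must be reconstructed from host-layer
    file audit data or from earlier PermDenied records for the same table.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if classify(rec) != "unbound_table_in_bound_library":
            continue
        hits.append({
            "when": rec.get("DateTime", ""),
            "user": rec.get("Userid", ""),
            "table": f"{rec.get('Libref', '')}.{rec.get('MemberName', '')}.{rec.get('MemberType', '')}",
            "path": rec.get("OSLibraryPath", ""),
            "secured_library": rec.get("LibraryInfoSecuredLibrary", ""),
        })
    return hits


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        print(classify(rec), rec.get("Userid"), rec.get("Libref"), rec.get("MemberName"))
    for hit in find_circumvention_indicators(SAMPLE_RECORDS):
        print("INVESTIGATE:", hit)
```

Run as written, the script classifies the first record as an authorization failure and the second as an unbound table inside a bound library, and reports the second for investigation. In practice you would feed it the lines from the AuthAudit logger's output and correlate each hit against host-layer file audit records for the directory in OSLibraryPath to find out who wrote the unbound file there.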

See Also

Administering Logging for SAS Servers in SAS Intelligence Platform: System Administration Guide
Audit Messages for Metadata-Bound Libraries in SAS Logging: Configuration and Programming Reference