AUTHLIB Procedure

REPAIR Statement

Recovers security information (in physical data) or secured library and table objects (in metadata).

Requirement: The AUTHLIB REPAIR statement requires a connection to the target metadata server. For more requirements, see Requirements for Using the AUTHLIB Statements.
Tip: Each password and encryption key option must be coded on a separate line to ensure that they are properly blotted in the log.

Syntax

Required Arguments

ADD | UPDATE | DELETE

one of these actions must be specified.

LOCATION | METADATA

clarifies whether the action is to apply to the physical security information in the file system, to the metadata objects in the SAS Metadata Server, or to both.

PW=all-password

specifies a single password for a metadata-bound library.

ALTER=alter-password

assigns, changes, or removes an Alter password from the secured library object and from the data sets in the physical library.

READ=read-password

assigns, changes, or removes a Read password from the secured library object and from the data sets in the physical library.

WRITE=write-password

assigns, changes, or removes a Write password from the secured library object and from the data sets in the physical library.

Optional Arguments

ENCRYPTKEY=key-value

specifies a key value for AES encryption.

Requirement ENCRYPTKEY= data set option is required if the library or a data file has AES encryption and if the key is not recorded in the library metadata.
Note The encryption key value for all the data sets in a library can be stored in a metadata-bound library so that an authorized user does not have to supply the encryption key value every time a data set is opened. See Considerations for Data File Encryption.
Tip The ENCRYPTKEY= value is a passphrase that can be up to 64 characters long from which the actual AES encryption key is later derived, but it is referred to as the encryption key in most SAS documentation.
See ENCRYPTKEY= Data Set Option in SAS Data Set Options: Reference

LIBRARY=libref

name of the physical library where the security information is stored.

If the LIBRARY= option is not specified, then the physical library from the PROC AUTHLIB statement is used.

Alias LIB=, DDNAME=, DD=
Restriction The physical library specified cannot be a concatenated library, temporary library, or accessed through a SAS/SHARE server and must be processed by an engine that supports metadata-bound libraries.

SECUREDLIBRARY='secured-library-name'

names the secured library object in the SAS Metadata Server.

Alias SECLIB=
Restriction The total length of the secured library object pathname including the fully qualified secured folder path cannot exceed 256 characters.

SECUREDFOLDER='secured-folder-path'

name of the metadata folder within a /System/Secured Libraries folder tree where the secured library is repaired or re-created.

Alias SECFLDR=
Restriction The total length of the secured library object pathname including the fully qualified secured folder path cannot exceed 256 characters.

TABLESONLY=YES | NO

specifies whether the REPAIR statement action is applied at the library level or just to the tables. If TABLESONLY=NO, then the action is applied to the library and the tables. If TABLESONLY=YES, then the action is applied only to the tables. This is especially important for REPAIR because it gives the administrator a way to delete specific secured table objects without deleting the secured library and all secured tables.

Default NO

Details

The REPAIR statement feature that has been fully tested is REPAIR DELETE LOCATION. Use this combination of options when you need to delete the security information in a metadata-bound library and or data sets within the library without deleting the metadata objects.
It is possible for a system administrator to get in situations where a data set still has location information pointing to a secured table object that no longer exists. REPAIR DELETE LOCATION is required to remove that location information before the data set can be accessed in any other way.
When using the REPAIR statement, one of the ADD, UPDATE, or DELETE actions must be specified. LOCATION, METADATA, or both are used to clarify if the action is to apply to the metadata security information in the file system, to the metadata objects in the SAS Metadata Server, or to both. Other than DELETE LOCATION, these other actions have not been fully tested and are considered pre-production implementations. They are documented here but should be used only under advise and direction from Technical Support.
One or more TABLES statements can follow the REPAIR statement to perform the same action on the specified data sets. An implicit TABLES _ALL_ is used if no TABLES statement follows the REPAIR statement.
Inconsistencies between the metadata security information stored in the operating system files and the secured library object in the SAS Metadata Server that need repair can prevent the assignment of a LIBNAME statement to the physical library. The administrator that owns the physical library and knows the metadata-bound library passwords can perform a library assignment and repair the data by adding the AUTHADMIN=YES option to the LIBNAME statement. Best practice is to use the AUTHADMIN=YES option when performing any REPAIR actions.
CAUTION:
Repairing a metadata-bound library is an advanced task.
Make sure you have a current backup (of both metadata and physical data) before you use this statement.
Use the REPAIR statement to restore metadata-bound library security information or metadata objects that are inadvertently deleted. The administrator can carefully use the REPAIR statement to make some repairs to inconsistencies reported by the REPORT statement. If there are a significant number of groupings in the REPORT listing, then it might be more advisable to do the following:
  1. Create a new operating system directory and metadata-bound library, and then use SAS Management Console to set appropriate default library permissions for the new secured library object.
  2. Access the current library with the AUTHADMIN=YES, AUTHPW= or AUTHALTER=, AUTHWRITE=, and AUTHREAD= options in the LIBNAME statement.
  3. Use the SAS COPY procedure to copy the SAS data sets to the new library. Use CONSTRAINT=YES if any data sets have referential integrity constraints. Use SAS Management Console to set any permissions on the secured table objects that differ from those inherited from the secured library object. The following is an example of using the COPY procedure.
Metadata-bound library ABCDE also has data sets Employees, EmpInfo, and Product. The REPORT statement has shown some inconsistencies between the physical library contents and the corresponding metadata objects. This is an example of a way to resolve these differences.
libname klmno "SAS-library-2";

proc authlib lib=klmno;
 create securedfolder="Department XYZZY"    
        securedlibrary="KLMNOEmps"  
        pw=password;
run;    
quit;

libname abcde "SAS-library" 
   AUTHADMIN=yes 
   AUTHPW=password;

proc copy in=abcde out=klmno ;run;
Using PROC COPY to Resolve Differences
88   proc copy in=abcde out=klmno ;run;

NOTE: Copying ABCDE.EMPINFO to KLMNO.EMPINFO (memtype=DATA).
NOTE: Data set ABCDE.EMPINFO.DATA has secured table object location information, but the
      secured library object location information that it contains:
           SecuredFolder:      /System/Secured Libraries/Department XYZZY
           SecuredLibrary:     ABCDEEmps
           SecuredLibraryGUID: 38C24AF4-9CF5-458B-8389-52092307007E
      is different from the registered location for the library ABCDE:
           SecuredFolder:
           SecuredLibrary:
           SecuredLibraryGUID:
      The data set might have been copied to this directory with a host copy utility.
NOTE: Permissions are obtained from the secured table and the secured library objects that are
      referenced in the header of the metadata-bound table.
NOTE: Metadata-bound library permissions are used for KLMNO.EMPINFO.DATA.
NOTE: Successfully added new secured table object "EMPINFO.DATA" to the secured library object
      at path "/System/Secured Libraries/Department XYZZY/KLMNOEmps" for data set
      KLMNO.EMPINFO.DATA.
NOTE: There were 5 observations read from the data set ABCDE.EMPINFO.
NOTE: The data set KLMNO.EMPINFO has 5 observations and 6 variables.
NOTE: Copying ABCDE.EMPLOYEES to KLMNO.EMPLOYEES (memtype=DATA).
NOTE: Data set ABCDE.EMPLOYEES.DATA has secured table object location information, but the
      secured library object location information that it contains:
           SecuredFolder:      /System/Secured Libraries/Department XYZZY
           SecuredLibrary:     ABCDEEmps
           SecuredLibraryGUID: 38C24AF4-9CF5-458B-8389-52092307007E
      is different from the registered location for the library ABCDE:
           SecuredFolder:
           SecuredLibrary:
           SecuredLibraryGUID:
      The data set might have been copied to this directory with a host copy utility.
NOTE: Permissions are obtained from the secured table and the secured library objects that are
      referenced in the header of the metadata-bound table.
NOTE: Metadata-bound library permissions are used for KLMNO.EMPLOYEES.DATA.
NOTE: Successfully added new secured table object "EMPLOYEES.DATA" to the secured library
      object at path "/System/Secured Libraries/Department XYZZY/KLMNOEmps" for data set
      KLMNO.EMPLOYEES.DATA.
NOTE: There were 5 observations read from the data set ABCDE.EMPLOYEES.
NOTE: The data set KLMNO.EMPLOYEES has 5 observations and 6 variables.
NOTE: Copying ABCDE.PRODUCT to KLMNO.PRODUCT (memtype=DATA).
NOTE: Data set ABCDE.PRODUCT.DATA has secured table object location information, but the
      secured library object location information that it contains:
           SecuredFolder:      /System/Secured Libraries/Department XYZZY
           SecuredLibrary:     ABCDEEmps
           SecuredLibraryGUID: 38C24AF4-9CF5-458B-8389-52092307007E
      is different from the registered location for the library ABCDE:
           SecuredFolder:
           SecuredLibrary:
           SecuredLibraryGUID:
      The data set might have been copied to this directory with a host copy utility.
NOTE: Permissions are obtained from the secured table and the secured library objects that are
      referenced in the header of the metadata-bound table.
NOTE: Metadata-bound library permissions are used for KLMNO.PRODUCT.DATA.
NOTE: Successfully added new secured table object "PRODUCT.DATA" to the secured library object
      at path "/System/Secured Libraries/Department XYZZY/KLMNOEmps" for data set
      KLMNO.PRODUCT.DATA.
NOTE: There were 5 observations read from the data set ABCDE.PRODUCT.
NOTE: The data set KLMNO.PRODUCT has 5 observations and 2 variables.
NOTE: PROCEDURE COPY used (Total process time):
      real time           0.14 seconds
      cpu time            0.04 seconds
The following REPAIR statement combination of options are preproduction and have not been fully tested. Preproduction means that this feature is a preliminary release of software that has not completed full development and testing. Because it has not been fully tested, preproduction software should be used with care. After final testing is completed, preproduction software is likely to be offered in a future release as a production-quality component or product.
REPAIR ADD LOCATION
Use this combination of options when metadata-bound library and secured table security information is missing in the metadata-bound library or data sets within the metadata-bound library. The secured library and secured tables objects must exist in the SAS Metadata Server.
REPAIR UPDATE LOCATION
Use this combination of options when metadata-bound library and secured table security information exists in the metadata-bound library or data sets within the metadata-bound library but points to incorrect or non-existent metadata objects. The secured library and secured tables objects to which you update the location information must exist in the SAS Metadata Server.
REPAIR ADD METADATA LOCATION
Use this combination of options when secured library and secured table objects have been deleted from the SAS Metadata Server and their security information is no longer registered in the metadata-bound library and data sets within the metadata-bound library. The metadata objects are created in the SAS Metadata Server, and the security information for these objects are registered in the metadata-bound library and data sets.
REPAIR DELETE METADATA
Use this combination of options when you need to delete the secured library, the secured table metadata objects, or both without deleting the security information in a metadata-bound library or in the data sets within that library.
REPAIR DELETE METADATA LOCATION
Use this combination of options when you need to delete the secured library, the secured table metadata objects, or both and the security information in a metadata-bound library or in the data sets within that library.
REPAIR UPDATE LOCATION
Use this combination of options when you need to update the security information in a metadata-bound library, in the data sets, or both to point to different existing secured library and secured table metadata objects.
Note: The METADATA option is not supported with a REPAIR UPDATE action.