AUTHLIB Procedure

CREATE Statement

Binds a physical library and data sets in the library to metadata by generating corresponding metadata objects in the SAS Metadata Repository and creating a record of the metadata objects in the physical directory and data sets.

Requirement: The AUTHLIB CREATE statement requires a connection to the target metadata server. For more requirements, see Requirements for Using the AUTHLIB Statements.
Tip: Each password and encryption key option must be coded on a separate line to ensure that they are properly blotted in the log.

Syntax

Required Arguments

SECUREDLIBRARY='secured-library-name'

names the secured library object in the SAS Metadata Server.

Alias: SECLIB=
Restriction: The total length of the secured library object pathname including the fully qualified secured folder path cannot exceed 256 characters.

PW=all-password-value </ new-all-password-value>

sets a single password for a metadata-bound library.

ALTER=alter-password-value </ new-alter-password-value>

sets one of a maximum of three password values for a metadata-bound library.

READ=read-password-value </ new-read-password-value>

sets one of a maximum of three password values for a metadata-bound library.

WRITE=write-password-value </ new-write-password-value>

sets one of a maximum of three password values for a metadata-bound library.

Tip: All password values must be valid SAS names with a maximum length of 8 characters.

Optional Arguments

SECUREDFOLDER='secured-folder-path'

is the name of the metadata folder within the /System/Secured Libraries folder tree where the secured library object is created.

If the SECUREDFOLDER= option is not specified, then the metadata-bound library is created directly in the /System/Secured Libraries folder of the Foundation repository. If the SECUREDFOLDER= option does not begin with a slash (/), then it is a relative path and the value is appended to /System/Secured Libraries/ to find the folder. If the SECUREDFOLDER= option begins with a slash (/), then it is an absolute path and the value must begin with /System/Secured Libraries or /<repository_name>/System/Secured Libraries.

Alias: SECFLDR=
Restriction: The total length of the secured library object pathname including the fully qualified secured folder path cannot exceed 256 characters.

ENCRYPT=YES | NO | AES

specifies the encryption type.

YES

specifies the SAS Proprietary algorithm.

NO

specifies no encryption.

AES

specifies Advanced Encryption Standard (AES) encryption and that the key is recorded in metadata.

Requirement: The ENCRYPTKEY= option is required if the library has AES encryption.
See: Encrypted Data Set Considerations

ENCRYPTKEY=key-value </ key-value>

specifies a key value for AES encryption.

Requirement: The ENCRYPTKEY= option is required if the library or a data file has AES encryption.
Note: The encryption key value for all the data sets in a library can be stored in a metadata-bound library so that an authorized user does not have to supply the encryption key value every time a data set is opened. See Considerations for Data File Encryption.
Tip: The ENCRYPTKEY= value is a passphrase of up to 64 characters from which the actual AES encryption key is later derived; most SAS documentation nonetheless refers to it as the encryption key.
See: Encrypted Data Set Considerations
See: ENCRYPTKEY= Data Set Option in SAS Data Set Options: Reference

LIBRARY=libref

is the name of the physical library for which the secured library object is created and in which the security information is stored.

If the LIBRARY= option is not specified, then the physical library from the AUTHLIB procedure is used.

Alias: LIB=, DDNAME=, DD=
Restriction: The physical library specified cannot be a concatenated library, a temporary library, or a library accessed through a SAS/SHARE server, and it must be processed by an engine that supports metadata-bound libraries.

REQUIRE_ENCRYPTION=YES | NO

YES

specifies that all data sets in a metadata-bound library are automatically encrypted.

NO

specifies that data sets in a metadata-bound library are not automatically encrypted.

See Requiring Encryption for Metadata-Bound Data Sets

Details

Specifying Passwords

If your physical library does not contain password-protected data sets, then you need to specify the new metadata-bound library password(s) with either the PW= option or the READ=, WRITE=, and ALTER= options in the CREATE statement. This is the most common case. For an example, see Binding a Physical Library That Contains Unprotected Data Sets.
If your physical library contains some password-protected data sets that all share the same current set of passwords, then you can specify the most restrictive password on the data sets before a slash (/) in the CREATE statement password option(s) and the new password(s) after the slash (/). For an example, see Binding a Library When Existing Data Sets Are Protected with the Same Passwords.
If your physical library contains password-protected data sets with different sets of passwords, then you can specify the data sets with each set of passwords on separate TABLES statements (see Binding a Library When Existing Data Sets Are Protected with Different Passwords) or you can subsequently use MODIFY and TABLES statements to change the passwords after the library has been bound with the CREATE statement (see Changing Passwords on Data Sets).

Specifying Encryption Keys

Creating or accessing a metadata-bound library that is protected using the AES algorithm requires an encryption key value. You must use the ENCRYPT=AES and ENCRYPTKEY=key-value data set options.
If your physical library contains some AES-encrypted data sets that all share the same AES encryption key, then you can specify the key value following ENCRYPTKEY= in the CREATE statement. If you want to record the key in metadata, then specify ENCRYPT=AES. For an example, see Binding a Library with Required AES Encryption When Existing Data Sets Are Encrypted with the Same Encryption Key.
If your physical library contains AES-encrypted data sets with different encryption keys, then you can specify the data sets with each encryption key on separate TABLES statements. For an example, see Binding a Library with Existing Data Sets That Are AES-Encrypted with Different Encryption Keys.
For more information, see ENCRYPTKEY= Data Set Option in SAS Data Set Options: Reference and ENCRYPT= Data Set Option in SAS Data Set Options: Reference.
CAUTION:
If data sets using AES encryption have referential integrity constraints, then the encryption key for all data sets must be available when they are opened for Update access.
Normally, SAS requires that all data sets share the same encryption key. With a recorded optional or required encryption key in metadata, related data sets can have different keys. However, issues can arise if you change the encryption key on one library that has data sets related to data sets in a different library.
CAUTION:
For AES-encrypted data sets that are referentially related to one another, follow these best practices to ensure that the data does not become inaccessible:
Store the encryption key in the library’s metadata. You can modify the stored key, but do not remove the key from metadata and do not unbind the library.
CAUTION:
Even if you record the encryption key in metadata for the library, you should also record the key elsewhere when using ENCRYPT=AES.
If you lose the metadata and forget the ENCRYPTKEY= key value, then you lose your data. SAS cannot assist you in recovering the ENCRYPTKEY= key value. The following note is written to the log:
NOTE: If you lose or forget the ENCRYPTKEY= value,
there will be no way to open the file or
recover the data.
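
The password and encryption key rules described under Details, combined in one CREATE statement (an added example, not taken from the SAS documentation): it binds a physical library whose existing data sets share one password, sets a new library password, and requires AES encryption with the key recorded in metadata. The libref, path, folder, library name, password and key values are constructed placeholders; a connection to the metadata server and an existing secured folder are assumed.

```sas
/* Constructed placeholders: libref, path, folder, library name, password, key. */
libname fin "/data/finance";

proc authlib lib=fin;
   create
      /* Secured library object created in the metadata server. */
      securedlibrary="FinanceSecured"
      /* No leading slash: relative path, resolved under /System/Secured Libraries/. */
      securedfolder="Finance"
      /* Current data set password before the slash, new library password after it. */
      /* Both values are valid SAS names of at most 8 characters.                   */
      pw=oldpw1/newpw1
      /* Data sets in the bound library are automatically encrypted. */
      require_encryption=yes
      /* AES encryption, with the key recorded in metadata. */
      encrypt=aes
      /* Passphrase (up to 64 characters), on its own line so it is blotted in the log. */
      encryptkey=PlaceholderKey1
      ;
run;
quit;
```

Keep a copy of the ENCRYPTKEY= value outside the metadata server before running the statement, because the recorded key is the only other copy.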