AUTHLIB Procedure

MODIFY Statement

Modifies password and encryption key values for a metadata-bound library.

Requirement: The AUTHLIB MODIFY statement requires a connection to the target metadata server. For more requirements, see Requirements for Using the AUTHLIB Statements.
Tip: Each password and encryption key option must be coded on a separate line to ensure that they are properly blotted in the log.

Syntax

Required Arguments

PW=all-password </ new-all-password>

modifies a single password for a metadata-bound library.

ALTER=alter-password </ new-alter-password>

modifies one of a maximum of three password values for a metadata-bound library.

READ=read-password </ new-read-password>

modifies one of a maximum of three password values for a metadata-bound library.

WRITE=write-password </ new-write-password>

modifies one of a maximum of three password values for a metadata-bound library.

Tip: All password values must be valid SAS names with a maximum length of 8 characters.

Optional Arguments

ENCRYPT=YES | NO | AES

specifies the encryption type.

YES

specifies the SAS Proprietary algorithm.

NO

specifies no encryption.

AES

specifies Advanced Encryption Standard (AES) encryption and that the key is recorded in metadata.

Requirement: The ENCRYPTKEY= option is required if the library has AES encryption.
See Encrypted Data Set Considerations

ENCRYPTKEY=key-value </ key-value>

specifies a key value for AES encryption.

Requirement: The ENCRYPTKEY= option is required if the library or a data file has AES encryption.
Note: The encryption key value for all the data sets in a library can be stored in a metadata-bound library so that an authorized user does not have to supply the encryption key value every time a data set is opened. See Considerations for Data File Encryption.
Tip: The ENCRYPTKEY= value is a passphrase of up to 64 characters from which the actual AES encryption key is later derived, but most SAS documentation refers to it as the encryption key.
See Encrypted Data Set Considerations and ENCRYPTKEY= Data Set Option in SAS Data Set Options: Reference

LIBRARY=libref

specifies the name of the physical library that is metadata-bound.

If the LIBRARY= option is not specified, then the physical library from the AUTHLIB procedure is used.

Alias: LIB=, DDNAME=, DD=
Restriction: The physical library specified cannot be a concatenated library or a temporary library, cannot be accessed through a SAS/SHARE server, and must be processed by an engine that supports metadata-bound libraries.

PURGE=YES | NO

YES

removes all retained metadata-bound library credentials if all tables in the library are successfully modified to the newer credentials.

Default: YES

NO

does not remove replaced metadata-bound library credentials even if all tables in the library were successfully modified.

See Retaining and Purging Metadata-Bound Library Credentials

REQUIRE_ENCRYPTION=YES | NO

YES

specifies that all data sets in a metadata-bound library are automatically encrypted.

NO

specifies that data sets in a metadata-bound library are not automatically encrypted.

See Requiring Encryption for Metadata-Bound Data Sets

TABLESONLY=YES | NO

specifies whether the MODIFY statement action is applied at the library level or just to the tables. If TABLESONLY=NO, then the action is applied to the library and data sets. If TABLESONLY=YES, then the action is applied only to the data sets.

Default: NO
Tip: If you specify TABLESONLY=YES and a new password or encryption key value in the CREATE, MODIFY, or REMOVE statement, then the new password value or encryption key value is ignored. The current password or encryption key value is still required if the library is metadata-bound.

Details

Using the MODIFY Statement

The MODIFY statement can modify the value of the required metadata-bound library passwords and encryption options. This statement can also modify passwords on data sets (tables) that do not have the required metadata-bound library password values. The TABLES statement follows the MODIFY statement to specify current passwords and encryption keys in the data sets.
If your physical library is currently bound to a metadata library with one set of passwords and you want to change the metadata-bound library passwords to another set, then specify the current and new values for the metadata-bound library passwords separated by a / in the MODIFY statement. For an example, see Changing Metadata-Bound Library Passwords.
If your physical library contains password-protected data sets with different sets of passwords from the metadata-bound library passwords, then you can modify the data set passwords to match the metadata-bound library required passwords using the MODIFY and TABLES statements. Specify the metadata-bound library passwords in the MODIFY statement. Specify the data sets with each set of passwords in separate TABLES statements. For more information, see Changing Passwords on Data Sets.
If you want to change encryption options for the library, then specify the new options in the MODIFY statement. If your physical library contains AES-encrypted data sets, then you must specify the ENCRYPTKEY= key value in the MODIFY or TABLES statements or have a recorded encryption key for the library to make any modifications to the encrypted data sets. For an example, see Changing a Metadata-Bound Library to Require AES Encryption When Existing Data Sets Are Encrypted with Different Encryption Keys.
For more information, see TABLES Statement.
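The following is an added example, not taken from the SAS documentation, that rotates the library password and the AES passphrase in one MODIFY statement while keeping the replaced credentials. It assumes a session already connected to the target metadata server; the libref, path, passwords, and passphrases are constructed placeholders.

```sas
/* Added example. The libref, path, passwords, and key passphrases  */
/* below are constructed placeholders. Assumes the session is       */
/* already connected to the target metadata server.                 */
libname abcde "/data/secured/abcde";   /* hypothetical library path */

proc authlib lib=abcde;
   /* Each credential option is on its own line so that the log     */
   /* blots it. The form is current-value / new-value.              */
   /* Password values are valid SAS names of at most 8 characters.  */
   modify
      pw=oldpw01 / newpw02
      encrypt=aes
      encryptkey=OldPassphrase2023 / NewPassphrase2024
      purge=no      /* keep the replaced credentials; default is YES */
   ;
run;
quit;
```

Because LIBRARY= is not given in the MODIFY statement, the action applies to the library named in the PROC AUTHLIB statement, and because TABLESONLY= defaults to NO, it applies to both the library and its data sets.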
CAUTION:
For AES-encrypted data sets that are referentially related to one another, follow these best practices to ensure that the data does not become inaccessible:
Store the encryption key in the library’s metadata. You can modify the stored key, but do not remove the key from metadata and do not unbind the library.
CAUTION:
Even if you record the encryption key in metadata for the library, you should also record the key elsewhere when using ENCRYPT=AES.
If you lose the metadata and forget the ENCRYPTKEY= key value, then you lose your data. SAS cannot assist you in recovering the ENCRYPTKEY= key value.
You might need to import a SecuredLibrary object from a backup package for one of the following reasons:
  • the SecuredLibrary object was inadvertently deleted
  • you are promoting the metadata-bound library to a new metadata server
Password values and encryption key values are not exported with the SecuredLibrary object. This prevents them from being imported to a rogue Metadata Server. In this case, the passwords and any recorded encryption key values need to be reset in the imported SecuredLibrary object. Until you do this, libname assignments that refer to the imported SecuredLibrary object will fail with the following messages:
ERROR: The secured library object information for library library-name 
could not be obtained from the metadata server or has invalid data.
ERROR: Association not found.
ERROR: Error in the LIBNAME statement.

For an example, see Resetting Credentials on Imported SecuredLibrary Objects.

Using the LIBRARY= Option

If you want to override the default library from the AUTHLIB procedure, then use LIBRARY=.
MODIFY <LIBRARY=library-name>
If you want to modify the passwords or encryption options for a secured library object that is no longer bound to a physical library, then specify LIBRARY=_NONE_ with the SECUREDLIBRARY= and SECUREDFOLDER= options to locate the secured library object.
MODIFY <LIBRARY=_NONE_ SECUREDLIBRARY=secured-library-name> 
                <SECUREDFOLDER=secured-folder-name>
CAUTION:
Do not use LIB=_none_ when the secured library object is bound to a physical library.
LIB=_none_ causes the action to operate only on the secured library object and has no effect on the physical data.

Using the PURGE Option

Passwords and encryption keys for a metadata-bound library are collectively referred to as metadata-bound library credentials. For information about retaining and purging credentials, see Retaining and Purging Metadata-Bound Library Credentials.