In this example, partial
access to a customer data table is provided by creating a view and
managing access to it. The view keeps the name and telephone number
columns from the underlying table, but excludes the credit card number
column.
options metauser="sasadm@saspw" metapass="********"
metaserver="machine.company.com";
libname cust 'path';
proc authlib library=cust;
create
securedlibrary='cust'
securedfolder='CustomerData'
pw=secret;
quit;
proc sql;
create view cust.PUBLIC as
select Name, Phone
from cust.PRIVATE(pw=secret);
quit;
The preceding code creates a new
secured library object (CustomerData) that contains two objects: a table object (called PRIVATE) and a view
object (called PUBLIC).
Note: The password that is supplied
to bind the library is also supplied when the PUBLIC view is defined
against the PRIVATE table. In order to create a view of a metadata-bound
table, you must know the password of that physical table’s
parent library, and provide that password in the view definition.
You can enable end users to access the view without giving them access
to the underlying table. In effect, this provides selective access
to the columns and rows within the underlying table.
Note: If you modify the password
for the metadata-bound library, you must also update the view definition
with the new password. Until
you have time to redefine all of the views to use the new password,
you can retain the old password in metadata by deselecting Automatically
purge old library credentials in the Modify
Secured Library dialog box. The old password is retained
until you use the PURGE statement to remove it, or until you later
modify the library with the Automatically purge old library
credentials check box selected.
To complete the protection,
use SAS Management Console to set metadata-layer permissions so that
restricted users can access the PUBLIC view but not the PRIVATE table.
For example, if only unrestricted users should access the PRIVATE
table, you might use the following approach:
-
On the Authorization tab
for the CustomerData
folder, verify
that the PUBLIC group is denied the ReadMetadata, WriteMetadata, WriteMemberMetadata,
and Select permissions. Verify that the PRIVATE table inherits these
denials.
-
On the Authorization tab
for the PUBLIC view object, explicitly grant the ReadMetadata and
Select permissions to SASUSERS.