AUTHLIB Procedure

REMOVE Statement

Removes the physical security information and metadata objects that protect a metadata-bound library so that it is no longer a metadata-bound library.

Requirement: The AUTHLIB REMOVE statement requires a connection to the target metadata server. For more requirements, see Requirements for Using the AUTHLIB Statements.
Note: If any data set uses SAS Proprietary Encryption, then you cannot remove passwords unless you also specify ENCRYPT=NO to remove encryption.
Tips: Each password and encryption key option must be coded on a separate line to ensure that they are properly blotted in the log.
If you do not want the non-secured data sets altered, then move all non-secured data sets from the physical library before performing a REMOVE statement.
Before you use the REMOVE statement, consider running the REPORT statement. The output from the REPORT statement identifies any physical tables that do not have corresponding secured table objects in metadata. In the unusual circumstance that such physical tables exist, their security location information is unaffected by the REMOVE statement unless you specify AUTHADMIN=YES in the LIBNAME statement. You should use the AUTHADMIN=YES option in the LIBNAME statement in this circumstance.
Using the REMOVE Statement

Using the REMOVE Statement on a Metadata-Bound Library with Required AES Encryption

Syntax

Required Arguments

PW=all-password </ <new-all-password>>

specifies a single password for a metadata-bound library.

ALTER=alter-password </ <new-alter-password>>

specifies one of a maximum of three password values for a metadata-bound library.

READ=read-password </ <new-read-password>>

specifies one of a maximum of three password values for a metadata-bound library.

WRITE=write-password </ <new-write-password>>

specifies one of a maximum of three password values for a metadata-bound library.

Optional Arguments

ENCRYPT=YES | NO | AES

specifies the encryption type.

YES

specifies the SAS Proprietary algorithm.

NO

specifies no encryption.

AES

specifies Advanced Encryption Standard (AES) encryption and is required if specifying that data sets be encrypted with a new key value.

See Encrypted Data Set Considerations

ENCRYPTKEY=key-value </ key-value>

specifies a key value for AES encryption.

Tip The ENCRYPTKEY= value is a passphrase that can be up to 64 characters long from which the actual AES encryption key is later derived, but it is referred to as the encryption key in most SAS documentation.
See ENCRYPTKEY= Data Set Option in SAS Data Set Options: Reference

LIBRARY=libref

name of the physical library that is metadata-bound.

If the LIBRARY= option is not specified, then the physical library from the PROC AUTHLIB statement is used.

Alias LIB=, DDNAME=, DD=
Restriction The physical library specified cannot be a concatenated library, temporary library, or accessed through a SAS/SHARE server and must be processed by an engine that supports metadata-bound libraries.

TABLESONLY=YES | NO

specifies whether the REMOVE statement action is applied at the library level or just to the tables. If TABLESONLY=NO, then the action is applied to the library and data sets. If TABLESONLY=YES, then the action is applied only to the individual data sets listed.

Default NO
Tip If you specify TABLESONLY=YES and a new password or encryption options, then the new password or encryption options are ignored. The current password is still required if the library is metadata-bound.

Details

The REMOVE statement is used to unbind the metadata-bound library feature from a SAS library and the data sets within it. This statement also removes the secured library and secured table objects from the SAS Metadata Server. The data sets remain in the physical library protected by the metadata-bound library passwords unless the administrator specifies password modifications in the REMOVE statement. Since the metadata-bound library feature is being removed and there is no longer a requirement that the data set passwords match the metadata-bound library passwords, the data set passwords can be removed by using a slash (/) after the current password but not specifying a new password. If you choose to do this, then you are warned in the SAS log that the data sets no longer have any SAS protection. You can also modify the encryption key of data sets by specifying the new key following a slash (/) in ENCRYPTKEY= and specifying ENCRYPT=AES. You can change to SAS Proprietary Encryption by specifying ENCRYPT=YES. You can remove all encryption by specifying ENCRYPT=NO.
The REMOVE statement removes the location information from any data set if the passwords specified match the metadata-bound library passwords stored in the data set. Note also that if the data set is AES-encrypted, the encryption key must either be recorded in metadata or specified in the REMOVE or TABLES statements. However, it does not delete the referenced secured table object unless that secured table object is under the secured library object to which the operating system library is bound. If a data set has been copied into the bound library by a utility not written in SAS from another metadata-bound library, then this process prevents a REMOVE from deleting the secured table object that belongs to the other metadata-bound library.
Note: Ensure that all physical tables that are protected by a particular metadata-bound library remain within that library (directory). This best practice maximizes clarity and is essential in order for REMOVE statements to be fully effective. Special circumstances (for example, a table that is host copied to another directory) can prevent a REMOVE statement from unbinding the relocated data set.
CAUTION:
If you have to unbind a library that contains AES-encrypted data sets that are referentially related to other data sets, then either make sure that all related data sets are no longer AES-encrypted or make sure that all related data sets share the same encryption key.
If you preserve AES encryption, the data will be available only to those users who supply the key and have host-layer access.