Unbinding a Metadata-Bound Library :: SAS(R) 9.4 Guide to Metadata-Bound Libraries, Second Edition

Overview

You unbind a library in order to remove its metadata-based protections. When you perform this action, physical and metadata content are affected as follows:

Physical security information is deleted from the library directory and table headers.
Corresponding secured library and secured table objects are deleted from the SAS metadata.

You can use either SAS Management Console or the AUTHLIB procedure to unbind a library.

Tip

It is a good practice to validate a library before you unbind it. See Validating a Metadata-Bound Library.

Note: An unbind action affects only those physical tables that are located within the specified library. If a bound table is host-copied to another directory, that table’s security location information is unaffected by subsequent unbind actions against its parent metadata-bound library. In order to reestablish access to the table, corrective action against the table is necessary. See REPAIR Statement.

Requirements

In order to unbind a library, the following requirements must be met:

You must know the current password for the metadata-bound library.
The requesting workspace server (or SAS session) must run under an account that has host-layer control of the target physical library. For host-specific details, see Requirement for Host-Layer Control.
The requesting workspace server (or SAS session) must connect to the metadata server as an identity that has the necessary metadata-layer permissions for the target secured data folder, secured library object, and secured table objects. See Permissions for Metadata-Bound Data.

GUI Method

Introduction

When you delete a secured library object in SAS Management Console, access to the associated physical directory is affected as follows:

If you right-click a secured library object and select Delete, the associated physical directory and tables remain bound (to a no-longer existing secured library object), so the data is inaccessible.

CAUTION:

Use the Delete action only if you are certain that the associated physical directory no longer exists.
If you right-click a secured library object and select Delete and Unbind, the associated physical directory and tables are unbound from, and no longer protected by, metadata. This is the standard method for deleting a secured library object.

After you perform a Delete and Unbind action, the remaining protection for the library’s contents is as follows:
- If you do not supply new passwords, the current passwords are preserved on the affected tables.
  
  Tip
  If you do not want the current passwords to be preserved, select the Change passwords check box but leave the fields for new passwords blank. With this approach, the only remaining protection for the data is host-layer access controls.
- If you supply new passwords, the data is available to only those users who know the new passwords and have host-layer access.
- If you do not supply new encryption options, the current encryption is preserved in the affected tables.
  
  Tip
  If you do not want encryption to be preserved, select None as the encryption method.
- You can specify a different encryption method or a new AES encryption key to be applied to the physical data.
- If AES encryption is applied or preserved, or if you specify a new AES encryption key, the data is available to only those users who supply the key and have host-layer access.

Instructions

To unbind a physical library and delete its corresponding secured library and secured table objects:

On the Folders tab in SAS Management Console, beneath a /System/Secured Libraries branch, locate the secured library object that corresponds to the metadata-bound library that you want to unbind.
Right-click the object and select Delete and Unbind.

CAUTION:

The Delete action removes the secured library object and leaves any corresponding data bound.

Be sure to select the Delete and Unbind action, not the Delete action.

The Delete and Unbind Secured Library dialog box appears:

Refer to the entries in the preceding example as you complete steps 3 through 8.
Select the application server that you want to use to unbind the target directory.

Note: The application server must include a standard workspace server that has host access to the target directory.
Verify that the directory path of the target metadata-bound library is correct.

Note: The directory path is pre-populated with the most recently referenced path. If any directories in the path have been renamed, be sure to modify the path.
Supply the current password of the target metadata-bound library.

Note: If the target metadata-bound library has three distinct passwords, select the Specify multiple passwords check box, so there are three fields in the Password row. Supply all three passwords.
If you want to change or remove the current password, select the Change password values check box. Then take one of the following actions:
- To specify a new password for accessing the unbound data, enter new values in the New Password and Confirm Password fields.
- To make the target accessible without passwords, leave the New Password and Confirm Password fields blank.
If the data sets are currently encrypted using AES encryption and the key is not stored in the library’s metadata, enter the current key in the Encrypt Key field.
If you want to change the encryption options, select the Encryption Type check box. Then take one of the following actions:
- To apply AES encryption (or to specify a new AES encryption key), select the AES radio button. Then enter an encryption key in the New Encrypt Key and Confirm Encrypt Key fields.
  
  Tip
  Make sure that you have a record of the encryption key, as users will need to supply it when accessing the unbound data.
- To apply SAS Proprietary encryption, select the SAS Proprietary radio button. You cannot remove the library’s password if you use this encryption type.
- To remove all encryption from the library’s data sets, select the None radio button.
CAUTION:

If you have to unbind a library that contains AES-encrypted data sets that are referentially related to other data sets, then either make sure that all related data sets are no longer AES-encrypted or make sure that all related data sets share the same encryption key.

If you preserve AES encryption, the data will be available only to those users who supply the key and have host-layer access.
Click OK.
In the Delete and Unbind Secured Library window, click Yes to confirm your intent.
In the Delete and Unbind Secured Library window, click Yes to view the log.

It is strongly recommended that you always check the log for warnings after you perform an action on a secured library object.

Scope

In general, all tables within a metadata-bound library are protected by the library and share the library’s password. The GUI method facilitates this simple, best practice approach by affecting the physical library and all of its eligible tables. A table is eligible if it is either unsecured or secured with the library password.

The following list identifies selective scope situations, in which you cannot use the GUI method:

If you do not want to affect the library, use the code method and set the TABLESONLY option.
If you want to affect only some of the tables, use the code method and add a TABLES statement after the MODIFY statement.

Code Method

As an alternative to using SAS Management Console, you can use the AUTHLIB procedure to unbind a library. See REMOVE Statement.

Results

After you complete the preceding steps, the physical library remains intact, but is no longer bound to or protected by metadata.

In the host layer, the security location information is deleted from the target directory and files.

In the metadata layer, the corresponding secured library and table objects are deleted.

Tip

To update the display in SAS Management Console, right-click the Secured Libraries folder and select Refresh.