In addition to being tied to a particular metadata object, a metadata-bound library also has a set of associated passwords. These passwords serve a secondary role, enabling administrators to recover metadata (for example, in the event that they accidentally delete a secured library object from the metadata) and ensuring that authorization decisions come from only valid sources.

Here are some details about these passwords:
- The passwords are recorded both in the physical data and in metadata.
- The passwords are always stored and transmitted in encrypted formats. Even if an encrypted password is captured, it can’t be submitted as a password value in SAS code.
- The passwords do not create access distinctions. For simplicity, we recommend that you use PW= to set a single password value, rather than specifying different password values using READ=, WRITE=, and ALTER=. However, each plain text password value can be only eight characters long. You might choose to set different password values (using READ=, WRITE=, and ALTER=) for greater security. In effect, setting different values can create a 24-character password.
- Passwords that you supply in SAS Management Console are encoded or encrypted in transit, in accordance with your configuration.
- You can use the PWENCODE procedure to encode passwords for use in the AUTHLIB procedure. If you supply an encoded password, enclose it in quotation marks. All other encryption of the password (both in-transit and on-disk) occurs automatically. An encrypted password that is captured in transmission cannot be used.
- End users never have to supply these passwords, so they should neither know, nor have access to, the password values.
- Use of metadata-bound libraries doesn’t involve prompting end users for secured library passwords.
- When it communicates authorization decisions, the metadata server supplies passwords that match passwords that are stored with the physical data, in order to prove that it is the valid source for those decisions.
- In order to use SAS to copy a metadata-bound table, you must have Read access (the Select permission) for the source table. The source table’s password is not applied to the new (output) table. If the new table is added to a metadata-bound library, that library’s password is applied to it. If the new physical table is added to a traditional library, the new table is not protected as a secured table or with passwords retained from the source table.
- In general, all metadata-bound tables within a particular metadata-bound library share the same set of passwords. Each library’s passwords are automatically applied to the tables within that library. However, the following exceptions exist:
  - Physical tables that existed in the operating system directory, with passwords, at the time that their parent metadata-bound library was created retain their pre-existing passwords. Such physical tables are not secured by metadata unless you modify their passwords to match the parent library’s passwords.
  - Physical tables that you copy into a metadata-bound library using operating system commands yield the following results:
    - If the original tables are metadata-bound tables, the copied tables are protected by the same metadata-bound library that protected the original tables. The act of copying the physical tables into another metadata-bound library doesn’t cause a change to the protections.
    - If the original tables are not metadata-bound tables, the copied tables are not secured by metadata unless you explicitly apply the library passwords to them.
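
The following added example (not part of the original SAS documentation) shows the PWENCODE-to-AUTHLIB flow described above: encode one password value, supply it in quotation marks through PW=, then run a report to look for tables that fall under the exceptions listed. The libref, directory path, secured library and folder names, and the password value are all placeholders chosen for illustration.

```sas
/* Added illustration. The libref, path, names, and password  */
/* below are placeholders, not values from the documentation. */
libname seclib "/data/secured_example";

/* Step 1: encode the plain-text password. Each plain-text    */
/* value can be at most eight characters long. PROC PWENCODE  */
/* writes the encoded string to the log and also stores it in */
/* the global macro variable _PWENCODE.                       */
proc pwencode in='Examp1e8' method=sas002;
run;

/* Step 2: bind the physical library to a secured library     */
/* object. PW= sets a single value, as recommended above,     */
/* instead of separate READ=, WRITE=, and ALTER= values. The  */
/* encoded value is enclosed in quotation marks.              */
proc authlib lib=seclib;
   create securedlibrary="SecLibExample"
          securedfolder="Example Folder"
          pw="&_PWENCODE";
run;
quit;

/* Step 3: report on inconsistencies between the physical     */
/* library contents and the metadata. Use this to find tables */
/* that kept pre-existing passwords or that were copied in    */
/* with operating system commands.                            */
proc authlib lib=seclib;
   report;
run;
quit;
```

Keep the program that contains the plain-text value out of shared code locations; after encoding, only the quoted encoded string needs to appear in the AUTHLIB step.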