What’s New in Metadata-Bound Libraries in SAS 9.4

Overview

The following new features and enhancements affect metadata-bound libraries in SAS 9.4:
  • New SAS Management Console features simplify administration.
  • A new automatic process simplifies certain administrative interactions with encrypted tables.
  • Effective with the first maintenance release for SAS 9.4, you can require the tables in a library to be encrypted. You can also store the AES encryption key for a library’s data sets in the library’s metadata.
  • The REPAIR statement’s DELETE LOCATION action is now a production feature.
  • Effective with the third maintenance release for SAS 9.4, replaced metadata-bound library passwords and encryption keys are retained in metadata until all tables are successfully modified or the administrator explicitly purges them.

SAS Management Console

The following new features reduce the need to write SAS code to administer metadata-bound libraries. From within a /System/Secured Libraries branch on the Folders tab in SAS Management Console, you can perform the following tasks:
  • bind a physical library and its contents to metadata
  • change the password of a metadata-bound library
  • unbind a metadata-bound library and delete the corresponding metadata objects
  • require that the tables in a library be encrypted (available in the first maintenance release for SAS 9.4)
  • validate a library to identify any discrepancies related to metadata bindings (for example, missing or mismatched physical tables, security location information, or metadata objects)
  • store or modify an AES encryption key in a library’s metadata (available in the first maintenance release for SAS 9.4)
  • specify permission conditions that give users access to some but not all of the data within a physical table (available in the first maintenance release for SAS 9.4)
  • specify whether a library’s passwords and encryption keys are to be retained in metadata or automatically purged if all tables in the library are successfully modified to use the newer credentials (available in the third maintenance release for SAS 9.4)
Note: Unlike most actions in SAS Management Console, the actions that are described in the first four items in the preceding list affect not only metadata, but also the corresponding physical data. All of the actions build SAS code and execute it in a workspace server.

Encryption

  • The process for modifying passwords for a metadata-bound library that contains encrypted tables has been simplified. A copy-in-place approach is automatically used when necessary to accomplish a task. See Making Security-Related Changes to an Encrypted Table.
  • You can use the TABLES statement of the AUTHLIB procedure to supply a key to use in AES encryption of metadata-bound Base SAS libraries. See Using AES Encryption with Metadata-Bound Libraries.
  • Effective with the first maintenance release for SAS 9.4, you can force encryption by specifying REQUIRE_ENCRYPTION=YES when you create or modify a metadata-bound library. By requiring some form of encryption for all tables within a metadata-bound library, you increase security. See CREATE Statement and MODIFY Statement.
  • Effective with the first maintenance release for SAS 9.4, you can use ENCRYPTKEY= to store an AES encryption key in metadata when you create or modify a metadata-bound library. The stored key is used to attempt to open the library’s AES-encrypted tables when no key is supplied by the user. The stored key is used to encrypt data sets in the following cases: when encryption is required, and when AES encryption is specified in SAS code but no key is supplied.

REPAIR Statement

  • The REPAIR statement of the AUTHLIB procedure no longer supports password modification. See REPAIR Statement.
  • The REPAIR DELETE LOCATION action of the AUTHLIB procedure is now a production feature. See REPAIR Statement.

PURGE Statement and PURGE= Option

In the third maintenance release for SAS 9.4, a new statement and a new option for the MODIFY statement were added to the AUTHLIB procedure.
  • The PURGE statement removes any retained metadata-bound library credentials older than a given date of replacement.
  • The MODIFY statement has a PURGE= option that automatically removes all retained metadata-bound library credentials if all tables in the library are successfully modified to use the newer credentials.
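
The options described under Encryption and under PURGE Statement and PURGE= Option, combined in one administrative sequence. This is an added example, not code from the SAS documentation; the library path, folder name, secured library name, password, and key values are placeholders, and it assumes that the session's metadata server connection options are already set.

```sas
/* Added example: every name, path, password and key below is a placeholder. */
/* Do not leave real passwords or keys in saved programs or logs.            */
libname finance "/data/finance";   /* hypothetical physical library */

/* Bind the library to metadata, require encryption for all of its tables,  */
/* and store the AES key in the library's metadata                          */
/* (REQUIRE_ENCRYPTION= and ENCRYPTKEY=: first maintenance release for 9.4). */
proc authlib lib=finance;
   create securedfolder="Finance"
          securedlibrary="FinanceLib"
          pw=PlaceholderPw1
          require_encryption=yes
          encrypt=aes
          encryptkey=PlaceholderKeyA;
run;
quit;

/* Later: replace the stored key. With PURGE=YES (third maintenance release */
/* for 9.4) the replaced credentials are removed from metadata only if all  */
/* tables in the library are successfully modified to use the new key;      */
/* otherwise they are retained so that unmodified tables can still be read. */
proc authlib lib=finance;
   modify securedlibrary="FinanceLib"
          securedfolder="Finance"
          pw=PlaceholderPw1
          encryptkey=PlaceholderKeyA/PlaceholderKeyB
          purge=yes;
run;
quit;
```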