Topics for Database Administrators
Ensuring Data Security
SAS preserves the data security provided by SYSTEM 2000 and SAS. The DBA controls who has SYSTEM 2000 authorities and who can create SYSTEM 2000 databases. Creators of the databases control who can access the data. Therefore, SAS users can access only SYSTEM 2000 databases that they created or databases for which they have specific password authorities.
To protect data from accidental update or deletion, you can use precautionary measures on both sides of the interface.
SYSTEM 2000 Security
In SYSTEM 2000, the DBA gives users secondary passwords that enable only the authority they must have. For example, Jane needs to create a view descriptor that reads and selects only the personal information about each employee in the database EMPLOYEE, which is stored in the ENTRY record. To do this, Jane only needs to perform retrievals and where-clause selection on schema items C1 through C16. Use the following commands to assign her authorities:
valid password is jane;
assign r,w to c1 through c16 for jane;
John needs to add new employees' names to the database, so he needs all authorities. Use the following commands to assign his authorities:
valid password is john;
assign r, u, w to all components for john;
With retrieval, update, and where-clause authorities, John can create a view descriptor that reads the data records for the schema items and can use that view descriptor to add new logical entries to the database.
If SYSTEM 2000 detects a security violation while a SAS procedure or DATA step is running, it issues the return code 45 or 47 and an error message. If rollback is enabled for the database, partial updates will be rolled out (canceled).
SAS System Security
Set up all access descriptors and drop items that contain sensitive data.
Set up all view descriptors and give users access to them on a selective basis, either by storing the appropriate passwords in the descriptors or by requiring the user to supply a password.
Give users read-only access to the SAS library in which the access descriptors are stored. Read-only access enables users to see only the items selected for each view descriptor and prevents them from editing access descriptors.
Set up several access descriptors for multiple secondary passwords, or require the user to create the access descriptors.
Copyright © 2007 by SAS Institute Inc., Cary, NC, USA. All rights reserved.