Assigning Libraries
Default assignment for libraries
By default, newly created libraries are not pre-assigned. When a library is not pre-assigned, the library is assigned by using the data-access engine that best suits the client application and its intended user base. Thus, the default assignments for applications such as SAS Data Integration Studio, SAS Add-In for Microsoft Office, SAS Enterprise Guide, SAS OLAP Cube Studio, SAS Enterprise Miner, and SAS Information Map Studio are used. For example, if you do not pre-assign the library, SAS Data Integration Studio assigns the library using the engine specified in metadata (such as BASE). This method avoids the data-level authorizations of Read, Write, Create, and Delete. This approach is a best practice, because it is assumed that in most cases SAS Data Integration Studio developers are building processes that create or update tables in the library and that the underlying engine is the only engine that should be used for data-populating tasks.
How Do the Different Platform Clients Assign Libraries?
When libraries are not pre-assigned, each SAS platform client assigns libraries. Allowing each application to assign libraries as it deems appropriate for its user base results in the optimal security model for environments where users have different data access requirements to a library and where you want to capitalize on using metadata decisions enforced by the SAS authorization facility on top of the operating system or RDBMS authorization layer. An example of such an environment would be one with clients running at least SAS Enterprise Guide and SAS Data Integration Studio. In this environment, SAS Data Integration Studio processes update tables that are in turn used in ad hoc analysis within SAS Enterprise Guide. The SAS Data Integration Studio processes need to specify tables in the library as target tables (output), whereas the SAS Enterprise Guide user's activities largely involve querying and analyzing chunks of data (input).
Because SAS Data Integration Studio processes typically update or create target tables, when SAS Data Integration Studio assigns the library it does not use the metadata engine. Instead, it assigns the library using the engine specified in the metadata. Because SAS Data Integration Studio only works with tables that are registered in the metadata repository, you can use the SAS authorization facility to control a client's access to tables by setting ReadMetadata, WriteMetadata, and CheckInMetadata permissions on the library and table metadata objects.
SAS Information Map Studio always assigns the library by using a LIBNAME statement and the engine specified in the metadata, unless the library is explicitly defined by a SAS administrator (or SAS Data Integration Studio administrator) to use the metadata engine.
Note: The metadata authorization layer supplements operating system- and RDBMS-level security. It does not replace it. Operating system and RDBMS authorization layers can and should always be used as the first means of securing access to tables.
On the other hand, the SAS Add-In for Microsoft Office and SAS Enterprise Guide (shown in the following table) assign the library using the metadata engine by default, so that data-level authorizations of Read, Write, Create, and Delete, which are specified in the metadata, are enforced. If defining libraries so that they are not pre-assigned seems like a potential option for your environment, then you will want to explore this topic a little further and learn how to ensure that these libraries will be available to server processes that do not receive direct requests from client applications. For example, you will need to learn how to manually assign the library in server processes such as the stored process server and DATA Step Batch Server (if present), as discussed in the next section.

Application | Pre-assigned | Library Engine Used | Minimum Metadata Authorizations Required |
---|---|---|---|
SAS Add-In for Microsoft Office | No | META | Library: ReadMetadata; Table: ReadMetadata and Read |
SAS Enterprise Guide | No | META | Library: ReadMetadata; Table: ReadMetadata and Read |
SAS Data Integration Studio | No | Underlying data engine | Library: ReadMetadata; Table: ReadMetadata |
SAS OLAP Cube Studio | No | Underlying data engine | Library: ReadMetadata; Table: ReadMetadata |
SAS Information Map Studio | No | Underlying data engine | Library: ReadMetadata; Table: ReadMetadata |
Processing Stored Processes When the Library is Not Pre-assigned
In the SAS Intelligence Platform, a stored process is a SAS program that is stored on a server and can be executed as requested by clients who have ReadMetadata access to the stored process program's metadata. SAS Stored Processes can be executed by either a SAS Workspace Server or a SAS Stored Process Server. If a library is not pre-assigned, it is the responsibility of the stored process program's author or the SAS administrator to ensure that the library is assigned to a specific location and physical path. This can be done either directly in each stored process program or from an external file that is linked to the stored process with an %INCLUDE statement.
These methods have the following advantages and disadvantages:
Method: Define a metadata engine library in the stored process program.
Advantage: Data-level authorizations specified for the library and table metadata objects are enforced by the SAS authorization facility. Note that these permissions are enforced for the server's identity (usually SAS General Servers), not the client's.
Disadvantage: Library and table metadata for any table called in the program must be registered in the metadata repository, thus preventing a stored process from accessing tables that might reside in the library but are not registered in metadata.
Disadvantage: Changes to the library metadata object's name or repository location would require that each stored process that references the library be updated.
Disadvantage: Metadata inconsistencies or corruptions can result if the stored process modifies a table's structure through the library. Examples of this modification include adding or removing columns.
Method: Define the library in the stored process program and use only the underlying data engine.
Advantage: A table does not have to be registered in the metadata repository in order for the stored process to access it.
Advantage: Tables in the library can be re-created or updated and new tables created without directly impacting the metadata. Note, however, that changes to the structure of a table that has been registered previously in the metadata repository can still cause synchronization issues between the table and the metadata.
Disadvantage: The metadata repository is no longer a single point of management, because library definitions are stored in multiple places.
Disadvantage: Changes to the library path or directory would require that each stored process that references the library be updated.
Disadvantage: The SAS authorization facility has no role in managing access to tables called by the stored process. Thus, the SAS General Server User can access data in any table in the library for which he has been granted Read access at the OS or RDBMS layer.
Method: Store the library assignments in an external file and then include the file in the stored process program.
Advantage: Library assignments are defined in one file or directory location that all stored process programs can reference.
Advantage: Multiple files that contain library assignments can be created and referenced as needed in the stored process so that things such as connections to databases are established only when absolutely required.
Advantage: Other advantages depend on how the library is defined in the file. See the two preceding methods.
Disadvantage: The files referenced in the stored process must be created and maintained by someone who has Write (and Modify) access to the file's location on the system.
Disadvantage: Stored processes created through point and click applications such as SAS Enterprise Guide must be modified manually to replace the library assignment with manually generated %INCLUDE syntax.
Disadvantage: Changes to the file's location or name require updating all the stored processes that include the file.
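
The three methods compared above, written out as SAS statements with a check of which engine each libref ended up with. This is an added example, not code from the SAS documentation: the library name `Sales Data`, the librefs, the paths and the `orders` table are hypothetical, and the session is assumed to already have its metadata server connection options set.

```sas
/* Added example. All names and paths below are hypothetical. */

/* Method 1: metadata engine.
   Read, Write, Create and Delete permissions set on the library and
   table metadata objects are enforced by the SAS authorization
   facility, for the identity the server runs under (not the client).
   Only tables registered in metadata can be reached. */
libname salesm meta library="Sales Data";

/* Method 2: underlying data engine (BASE in this sketch).
   The SAS authorization facility has no role here. Access is limited
   only by operating system permissions on the physical path, so
   unregistered tables in the directory are reachable as well. */
libname salesb base "/data/sales";

/* Method 3: one shared file holds the assignment.
   The file contains either a Method 1 or a Method 2 statement, and
   inherits that method's authorization behavior. Write access to the
   file's location decides who can change where every stored process
   that includes it reads its data from. */
%include "/sas/config/includes/sales_libs.sas";

/* Check: list the engine and physical path behind each libref, so a
   reviewer can see whether a library was assigned through the
   metadata engine or directly through the underlying engine. */
proc sql;
  select libname, engine, path
    from dictionary.libnames
    where libname in ('SALESM', 'SALESB');
quit;

/* The stored process body then reads through whichever libref the
   chosen method assigned. */
proc print data=salesm.orders(obs=10);
run;
```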
Copyright © 2009 by SAS Institute Inc., Cary, NC, USA. All rights reserved.