Solved: Re: SAS Dataset securization, row level

W1ndwaker · Posted 10-27-2023 06:27 AM

Hello,

We're trying to solve a problem related to the security of the data within a sas dataset (.sas7bdat file), we have a bunch of tables on a directory on a linux system, and we have different bussines segregation info in the datafiles, we would like to know if there is a solution to allow sas to restrict the access to this data for different users, for example: dataset clients, has information about clients from different geographies and i need to let user1 to get data from french clients and user2 spanish clients.

Data is segregated by a column with the nacionality of the client. without separating the dataset into 2 datasets, is there a way to restrict this dataset access?

thanks

SASKiwi · Posted 10-30-2023 03:00 PM

@W1ndwaker - I was thinking a DATA step view might be worth looking at. You can't do a DESCRIBE on those.

View solution in original post

AhmedAl_Attar · Posted 10-27-2023 07:12 AM

Hi @W1ndwaker

If you are using Base SAS, then this feature is not available out of box and you'll have to fudge it somehow. Here is a response from 2018 about the same request

code to implement row level security to data set using enterprise guide

Alternatively, you may want to try out SAS Federation Server if that's an option?

Hope this helps

W1ndwaker · Posted 10-27-2023 08:06 AM

Hi @AhmedAl_Attar

Federation server doesn't seems to be my best option, but reading on the post you gave me i found something that can work out, seems tricky but possible!

I'll work on it and see if i can get a solution on my own that fits the situation, in this case i'll try to post it here.

meanwhile will be hearing new comments.

Thanks!

LinusH · Posted 10-27-2023 10:20 AM

Do you have metadata server in your deployment?

If so, you could use meta-bound libraries to impose row level access.

However, this is not supported in Viya, so if you are planning to migrate soon you should look for other options.

Like, having data stored in a database that support row level security.

Data never sleeps

carl_sommer · Posted 10-27-2023 10:48 AM

Do you have metadata server in your deployment?

If so, you could use meta-bound libraries to impose row level access.

However, this is not supported in Viya, so if you are planning to migrate soon you should look for other options.

Like, having data stored in a database that support row level security.

FYI, if you are looking for information on metadata bound Libraries, here's the documentation link and a link to a 2018 SAS Global Forum paper:

SAS Help Center: SAS® 9.4 Guide to Metadata-Bound Libraries, Second Edition

A Programming Approach to Implementing SAS® Metadata-Bound Libraries for SAS® Data Set Encry...

Also, Viya supports Row Level Security for CAS tables.

Carl Sommer - SAS Technical Support

W1ndwaker · Posted 10-30-2023 03:28 AM

In this case we use plain files, maybe it's a good point to move to metadata server and try this method of access control.

SASKiwi · Posted 10-28-2023 07:54 PM

How are you identifying client nationality? As long as that data is available in SAS, one solution would be to create views of your datasets containing a WHERE condition for nationality. Allow clients to only use the views to access the data by password-protecting the underlying real datasets. The views can contain the password to read the real tables, but that would not be available to the clients so they can bypass the views.

W1ndwaker · Posted 10-30-2023 03:21 AM

That doesn't fully works, since you can describe de view, and if the user is advance ha can define it again without the where.

W1ndwaker · Posted 10-30-2023 03:30 AM

sorry didn't read your message full, yes that's maybe another solution, it can take a while to deploy since we need to redo all the programing arround views but can be good to investigate.

SASKiwi · Posted 10-30-2023 03:00 PM

@W1ndwaker - I was thinking a DATA step view might be worth looking at. You can't do a DESCRIBE on those.

W1ndwaker · Posted 10-31-2023 03:16 AM

I did the research on this, you can do it, with:

data view=view;
describe;
run;

but also, on data step view you cannot include the libname, so it has to be mapped previously, with this any user may take a look on the library and query the data by itself.

I know it's a tricky situation, and there is no correct answer, many of those or the convination are the solution