topic Re: Hide the code of a Stored Process in Developers

Hide the code of a Stored Process

Criptic — Tue, 21 Nov 2017 08:49:04 GMT

Hey everybody,

I have a STP in which there is sensible information in the code. The users are allowed to execute the STP but they shouldn't be able to view the code of the STP. I output the log to a different location so that the users can't view it but they are still able to view the code.

Just taking away WriteMetadata and modifying the role so that under content the users can't create or modify an STP doesn't work. Taking away ReadMetadata doesn't work as the users are now unable to use the STP.

Does anybody have an idea? Maybe there is a way to encrypt the coding which is then decrypted at runtime? Is something like that possible in SAS? Anyother suggestions?

Looking forward to your ideas and suggestions

David

Re: Hide the code of a Stored Process

lethcons — Tue, 21 Nov 2017 09:03:34 GMT

Is the sensitive info some sort of data? Could it be put into a table that the STP can read but users cannot?

Or if code, can you put it into a separate .sas file and then %INCLUDE it? Again, only the STP can read from this location.

Or maybe you need to revisit what you are trying to do and who your audience is.

Re: Hide the code of a Stored Process

Criptic — Tue, 21 Nov 2017 09:10:36 GMT

The sensitive information is inside of the code aka the libname statements. I could put that libname statements into a table and load it from there that is a great idea. The include will not work for me because of the way our environment is configured.
Do you have anyother suggestions? 😄

Re: Hide the code of a Stored Process

RW9 — Tue, 21 Nov 2017 09:25:09 GMT

The real question here is:
"The sensitive information is inside of the code aka the libname statements."
Why do you have data in libname statements, paths on your network should be kept small, have no special characters, and above all not contain "data". The fact that you have chosen to put sensitive information in paths is bad in several areas.

Re: Hide the code of a Stored Process

Kurt_Bremser — Tue, 21 Nov 2017 09:59:50 GMT

The library name itself can't be the problem. What confidential data could be stored in 8 characters?

Put the libnames into the autoexec for the stored process server, that way they are only read when the STP servers start up (keep in mind that the STP server is a pooled resource).

Grant metadata access to the users, but restrict it to sassrv in the OS.

Re: Hide the code of a Stored Process

JuanS_OCS — Tue, 21 Nov 2017 10:12:22 GMT

Hello all,

unfortunately, none of that would work, if the (malicious) user would enable a LOG/DEBUG parameter in the URL, all the code would show up in the logs.

BTW: on production systems, the SASStoredProcess web application should have the LOG/DEBUG option disabled in the SAS Management Console settings.

The only real way to hide the code is by including secured macros.

Sample 33559: How to Hide Code Used in SAS® Stored Processes That Are Associated with SAS® Information Maps (you can safely ignore the part of Information Maps, not relevant)

http://support.sas.com/kb/33/559.html

and

http://support.sas.com/documentation/cdl/en/mcrolref/61885/HTML/default/viewer.htm#macro-stmt.htm (see example 5)

Re: Hide the code of a Stored Process

AllanBowe — Tue, 21 Nov 2017 23:24:12 GMT

This question comes up quite often, usually because the code contains passwords or other sensitive information.

The solution is simple. @KurtBremser is right - create a secure directory that can only be read by the STP account (eg sassrv) and the administrators group.

In your STP code, run the following two lines:

options nomprint nosource2; /* prevent log output */

%inc "/temp/mySecureDirectory/program.sas"; /* execute secured part of the code */

Afterwards you may wish to reinstate the options. Job done!