topic Re: Providing Readonly access to Base engine libraries in Administration and Deployment

Providing Readonly access to Base engine libraries

RAmarapuram — Thu, 19 Mar 2015 16:14:12 GMT

Hi Team

I am new to SAS administration. I have to create a base engine SAS library in SAS Management console with readonly access to SAS datasets located at a particular path.

How do make those SAS datasets readonly ?

Kindly advice.

Thanks

Rajesh

Re: Providing Readonly access to Base engine libraries

LinusH — Thu, 19 Mar 2015 16:41:08 GMT

There are several options. Which to chose depends on your requirement.

If you just want to protect from accidental updates, just have the libraries not preassigned, or preassigned using Metadata library engine. This is by default a read only access.

But, if your fear that your users will try to bypass metadata engine by assigning the libname directly to the file system path, you might want to look at using Meta Bound libraries.

Re: Providing Readonly access to Base engine libraries

jakarman — Thu, 19 Mar 2015 22:25:44 GMT

Define the location were the SAS library is stored as read-access at the OS level.
The datasets wil be set read-only internal by SAS automatically. As you are safe at he OS level there are no issues to solve with SAS settings.
Even the bound libraries will not protect those from copy at the OS level. SAS(R) 9.4 Guide to Metadata-Bound Libraries, Second Edition

If all of the following circumstances exist, it makes sense to consider using metadata-bound libraries:
- You have SAS data sets that require a high level of security, with access distinctions at the user or group level.

- You are running (or planning to run) a SAS Metadata Server in which your users are registered.

- You have not already met your security requirements through a combination of physical layer (operating system) separation and customized configuration of your SAS servers.

Re: Providing Readonly access to Base engine libraries

MikeMcKiernan — Fri, 03 Apr 2015 12:44:42 GMT

Jaap's response, especially the item in bold, is a very good response.

I'll add one more trivially easy way to specify a library as read-only. There's a Library access field in SAS Management Console that you can use to specify a library as READONLY (that's the menu choice). See SAS(R) 9.4 Intelligence Platform: Data Administration Guide, Third Edition.

A word of caution. As easy as that setting is to configure, if that metadata setting is not also paired by restricting Write access in the operating system, a user can easily circumvent that setting by writing a program with a user-supplied LIBNAME statement to the data.

Re: Providing Readonly access to Base engine libraries

jakarman — Fri, 03 Apr 2015 13:24:27 GMT

Mike and do not understand what is more trivial for restricting access to data using the OS layers. I only copied that sentence from the SAS manual.

There is more of that:

SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition (cautions)

+ In the metadata authorization layer, not all permissions are enforced for all items.

It is essential to understand which actions are controlled by each permission. See Use and Enforcement of Each Permission.

+ Some clients enable power users to create and run SAS programs that access data directly, bypassing metadata-layer controls. (Eguide Amo etc)

It is essential to manage physical layer access in addition to metadata-layer controls. See Access to SAS Data.

If you do not the security approach at the OS layer you can eliminate Eguide and AMO usage (EMiner included) from start.

This chapter once had mentioned some vague to get SAS aligned with common ICT governance policies (standard of good practice).

SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition as coming from SAS(R) 9.4 Intelligence Platform: Installation and Configuration Guide (Ongoing System Administration Tasks - checklist for a more secure deployment)

Can you explain why SAS doesn't want to cooperate with existing ICT department policies and not according those of regulators but instead of that is obviously fighting those, bypassing them selling it as a solutions with no IT staff needed?