03-16-2015 02:37 AM
Can we set up configuration for SAS dataset encryption without the code option ENCRYPT=YES?
What options available in SAS 9.4 can be configured to automatically encrypt datasets?
Users do not want to have to use (ENCRYPT=Yes) in their code; any datasets that are created should be automatically encrypted.
This includes creating datasets in Libraries that are NOT registered in SAS metadata.
What are the limitations of the encryption process? Can we really prevent users who are not permitted from reading the data? Who can actually access and read encrypted dataset data?
03-16-2015 02:46 AM
What is so complicated about using encrypt=yes?
But if you want to keep users from accessing certain data, use the operating system's tools for that. If you grant read/execute permission for a directory only to a certain group, users who are not members of that group cannot assign a libname to that directory. Or read any datasets in it.
This also prevents any mishaps coming from forgotten passwords.
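The directory-permission approach from the reply above, as an added shell example that is not part of the original thread: it restricts a library directory to one group and lists anything that still grants access to other users. The function names are hypothetical, and the directory and group are whatever the caller passes in.

```shell
#!/bin/sh
# Added example: restrict a SAS library directory to one group, then audit it.
# Function names are hypothetical; directory and group are supplied by the caller.

# lock_library DIR GROUP
# Hand DIR to GROUP and remove every permission bit for "other".
lock_library() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    # Directories: owner rwx, group r-x, other none.
    # Without execute on the directory, a non-member cannot reach the files in it.
    find "$dir" -type d -exec chmod 750 {} + || return 1
    # Dataset files: owner rw, group r, other none.
    find "$dir" -type f -exec chmod 640 {} + || return 1
}

# audit_library DIR
# Print every entry under DIR that grants read, write or execute to "other".
# Files written later get their mode from the writer's umask, so run this
# periodically rather than once.
audit_library() {
    find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# library_is_private DIR
# Exit status 0 when the audit finds nothing, 1 otherwise.
library_is_private() {
    [ -z "$(audit_library "$1")" ]
}
```

Call `lock_library` once per library directory, then schedule `audit_library` to catch datasets that a session with a permissive umask creates afterwards.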
03-17-2015 02:24 AM
Agree with Kurt. Follow the approach:
- The SAS manuals on the security topic are filled with cautions that you should bring your OS controls to an appropriate level.
Even for metadata-bound libraries: SAS(R) 9.4 Guide to Metadata-Bound Libraries, Second Edition, "Who Should Use Metadata-Bound Libraries?"
"You have not already met your security requirements through a combination of physical layer (operating system) separation and customized configuration of your SAS servers."
OS security is not that technically difficult to implement; the difficulty is getting it aligned with your business policies (RBAC). With this, SAS Institute (TLM) is commonly failing, as they do not want to get aligned to your business policies. The reason is that it costs them too much time with an implementation.
Are you going to use the encrypt= dataset option? That is rather easy to do with SAS coding (program code). If you are using Eguide or another GUI interface, you are in big trouble when that one is used for adding/writing some records. At that moment not only the read password (essentially the salt) is needed, but recreating/writing needs alter access. Those GUI interfaces are failing because those options are missing in their interfaces. The session/dataset will get corrupted.