Hi @JackHamilton 

Transferring the task to change her/his own password in metadata to the end user might be risky. As far as I know, SAS doesn't publicly document coding APIs to insert password string into the metadata repository. If you search thorougly this very forum archives, you might find interesting pieces of code (...) to guide you in that way, riskier still in my opinion.

In your case, a new approach could be useful : have you, for instance, considered setting up Single Sign On (SSO) authentication like IWA/Kerberos or SAML between Windows and the SAS servers ? Taking such a step removes the need to store Windows AD credentials in metadata, merely propagating a Windows personal token onto the SAS servers when a SAS session is launched. Sometimes this is not feasible, unfortunately. Then, instead of updating the password which spares ... retyping the password , you can also train your SAS users with Keepass (free) or any Digital vault that can safely store a login/password and type it *automatically* (that is, via a fixed keystroke) into the user/pwd field.

The same logic goes for DBMS user/logins : choosing SSO between SAS and the external Database or using a personal password manager to fill in the password when it is needed.

Storing a password copy in metadata is not recommended unless you have a viable method/tool to change it.

Sorry if these general considerations don't address your specific points, I think it's worth sometimes to reconsider old habits and usual processes. FYI, SAS does provide a Web UI that allows to change a login password. It's called SAS Web Environment Manager Administration : https://documentation.sas.com/doc/en/bicdc/9.4/evadmug/p1oo51oqq6tuchn1si35myscl4x4.htm

I won't elaborate further with its requirements, there are Roles in metadata to access the Web Environment Manager. But, like the SAS Management Console, its rather an administration powertool than a user-friendly utility.

HTH

Ronan

SAS provides and documents the SetPassword command line utility, which is in "C:\Program  Files\SASHome\SASPlatformObjectFramework\9.4" or its equivalent on your OS.  It was recommended to me by SAS Tech Support.

We're working on improved inter-system authentication, but by policy we will not have SSO on databases containing patient information.

Thank you for mentioning the environment manager.  I will look into it.

Hello @JackHamilton 
Here are my thoughts on your problem

1. "We're upgrading from 9.4m5 to 9.4m7 later this year, and hope that will make the problem go away."

     This version of SAS has the SAS EG 8.x and login manager is no more available in the SAS EG.. It is in the install directory
(https://go.documentation.sas.com/doc/en/pgmsascdc/9.4_3.5/whatsdiff/p14d505czxwgqnn14rji2345ersx.htm). 
2.For changing  login /Windows/AD passwords it is better to use the operating system utilities rather than SAS login manager.

  As a corollary for default auth password should not be stored in the metadata. SAS does not need any users login passwords to be stored in the  metadata.  

3.What remains is that user must be using login manager to store their database access passwords for various authdomains.

   A good practice is to assign privileges/ access /roles using groups. There would be no need to store password in the metadata.

  Following this practice there would be hardly any need to store passwords in the metadata.

4.Changing user behavior / practices is not easy. But you have a silvery lining. The move to a newer version of the SAS.

 Suggest that make use of this opportunity and try doing away user password storage in metadata.