Architecting, installing and maintaining your SAS environment

Providing Readonly access to Base engine libraries

Posts: 27

Providing Readonly access to Base engine libraries

Hi Team

I am new to SAS administration. I have to create a base engine SAS library in SAS Management console with readonly access to SAS datasets located at a particular path.

How do make those SAS datasets readonly ?

Kindly advice.



Super User
Posts: 5,257

Re: Providing Readonly access to Base engine libraries

There are several options. Which to chose depends on your requirement.

If you just want to protect from accidental updates, just have the libraries not preassigned, or preassigned using Metadata library engine. This is by default a read only access.

But, if your fear that your users will try to bypass metadata engine by assigning the libname directly to the file system path, you might want to look at using Meta Bound libraries.

Data never sleeps
Valued Guide
Posts: 3,208

Re: Providing Readonly access to Base engine libraries

Define the location were the SAS library is stored as read-access at the OS level.
The datasets wil be set read-only internal by SAS automatically. As you are safe at he OS level there are no issues to solve with SAS settings. 
Even the bound libraries will not protect those from copy at the OS level. SAS(R) 9.4 Guide to Metadata-Bound Libraries, Second Edition

If all of the following circumstances exist, it makes sense to consider using metadata-bound  libraries:
- You have SAS data sets that require a high level of security, with access distinctions at the user or group level.
- You are running (or planning to run) a SAS Metadata Server in which your users are registered.
- You have not already met your security requirements through a combination of physical layer (operating system) separation and customized configuration of your SAS servers.
---->-- ja karman --<-----
SAS Employee
Posts: 11

Re: Providing Readonly access to Base engine libraries

Jaap's response, especially the item in bold, is a very good response.

I'll add one more trivially easy way to specify a library as read-only.  There's a Library access field in SAS Management Console that you can use to specify a library as READONLY (that's the menu choice).  See SAS(R) 9.4 Intelligence Platform: Data Administration Guide, Third Edition.

A word of caution. As easy as that setting is to configure, if that metadata setting is not also paired by restricting Write access in the operating system, a user can easily circumvent that setting by writing a program with a user-supplied LIBNAME statement to the data.

Valued Guide
Posts: 3,208

Re: Providing Readonly access to Base engine libraries

Mike and do not understand what is more trivial for restricting access to data using the OS layers.   I only copied that sentence from the SAS manual.

There is more of that:

SAS(R) 9.4 Intelligence Platform: Security Administration Guide, Second Edition  (cautions)

+ In the metadata authorization layer, not all permissions are enforced for all items.
It is essential to understand which actions are controlled by each permission. See Use and Enforcement of Each  Permission.
+ Some clients enable power users to create and run SAS programs that access data directly, bypassing metadata-layer controls.  (Eguide Amo etc)
It is essential  to manage physical layer access in addition to metadata-layer controls. See Access to SAS Data
If you do not the security approach at the OS layer you can eliminate Eguide and AMO usage (EMiner included) from start. 
This chapter once had mentioned some vague to get SAS aligned with common ICT governance policies (standard of good practice).  

Can you explain why SAS doesn't want to cooperate with existing ICT department policies and not according those of regulators but instead of that is obviously fighting those, bypassing them selling it as a solutions with no IT staff needed?
---->-- ja karman --<-----
Ask a Question
Discussion stats
  • 4 replies
  • 4 in conversation