cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
BookmarkSubscribeRSS Feed
RGarrido
Fluorite | Level 6 RGarrido
Fluorite | Level 6

Re: SAS/ACCESS to Snowflake's MFA Mandate: A Step-by-Step Guide to Mitigating Push Notification in S

Posted 11-26-2025 10:36 AM (1573 views)  |   In reply to RGarrido

Right clicking on the libraries (compare):

Using USER:

RGarrido_0-1764171285182.png

Using AUTHDOMAIN:

RGarrido_1-1764171333739.png

 

0 Likes
Reply
Victor_A
Fluorite | Level 6 Victor_A
Fluorite | Level 6

Re: SAS/ACCESS to Snowflake's MFA Mandate: A Step-by-Step Guide to Mitigating Push Notification in S

Posted 02-05-2026 02:12 PM (340 views)  |   In reply to RGarrido

I would avoid creating an Authentication Domain.  This stores an encoded password which can be easily decoded.  Moving on you might consider creating a restricted options file for the group or user.  You can store the Snowflake UID and password in this file.  These files are owned by the administrator and read by the SAS System.  (See the SAS documentation snippets below)

 

 SAS rstropts (restricted options) user configuration files, located at !SASROOT/misc/rstropts/users/<userid>_rsasv9.cfg on UNIX/Linux, are typically designed to be read and enforced by the SAS system. While they are text files, they are usually owned by an administrator, meaning regular users may not have permission to read or modify them.

 

SAS rstropts (restricted options) user files can technically contain non-SAS options, specifically operating system environment variables or other configuration settings that the SAS configuration file parser accepts during initialization.
While the primary purpose of !SASROOT/rstropts/users/userid_rsasv9.cfg is to restrict SAS system options (e.g., -NOXCMD, -SYSPARM), they act as configuration files, allowing administrators to define site-specific settings that may not strictly be SAS System Options.

 

I have not personally tested this approach.  Good Luck!

 

Reply
SASKiwi
PROC Star SASKiwi
PROC Star

Re: SAS/ACCESS to Snowflake's MFA Mandate: A Step-by-Step Guide to Mitigating Push Notification in S

Posted 02-08-2026 06:52 PM (311 views)  |   In reply to Victor_A

It's common practice to define Authentication Domains entirely in SAS 9.4 metadata, which is what we have done with our Snowflake connections. Access to SAS metadata is password-restricted and opening Auth Domain user credentials in SAS Management Console just gives you asterisks:

SASKiwi_0-1770594333968.png

IMHO this is at least as secure as the method you suggest as long as the metadata access password is kept secure.  

Reply
Victor_A
Fluorite | Level 6 Victor_A
Fluorite | Level 6

Re: SAS/ACCESS to Snowflake's MFA Mandate: A Step-by-Step Guide to Mitigating Push Notification in S

Posted 02-17-2026 06:41 AM (272 views)  |   In reply to SASKiwi

Since you are using SMC to return the encoded users passwords SAS intentionally obfuscate those passwords with eight asterisks.  That is the way SAS hides the encoded passwords.  A non-administrator can submit proc metadata to return their own encoded password which can be decoded.  Lastly there was a SAS note which mentioned the obfuscated passwords could be avoided if the proc metadata was called in a macro.  

0 Likes
Reply

suga badge.PNGThe SAS Users Group for Administrators (SUGA) is open to all SAS administrators and architects who install, update, manage or maintain a SAS deployment. 

Join SUGA 

Get Started with SAS Information Catalog in SAS Viya

Learn how to explore data assets, create new data discovery agents, schedule data discovery agents, and much more.

Watch Get Started with SAS Information Catalog in SAS Viya on YouTube

Find more tutorials on the SAS Users YouTube channel.

Discussion stats
  • 18 replies
  • ‎08-27-2025 03:57 PM
  • 5793 views
  • 18 likes
  • 6 in conversation