I have a couple of stored processes that use passwords. I'd like to put them out for others in my group but every time I execute one, the log shows all my prompt values including the password. If I leave the process in SAS Enterprise Guide where I created it, I can turn off EG generated wrapper code but I see no option for that in stored processes.
Sounds like you are passing the password as a parameter. Why not convert the logic so that instead a pointer to the password is passed? Perhaps you could store the password in a database or SAS dataset and pass the name of the dataset. Then the program logic of the stored password could mask the password when it uses it using NOMPRINT or similar settings.
Thanks for your reply!
I considered picking them from a file but the passwords change all the time for which I am not responsible. I can't encrypt them either because they go to platforms that can't understand the encryption routine. The way I've been handling it now is to open up the stored process from SAS EG, run it and then remove it from the project. What I really want is to turn off the wrapper code so my parms aren't visible.
I think that is what PWENCODE does.
The PWENCODE procedure enables you to encode passwords. Encoded passwords can be used in place of plaintext passwords in SAS programs that access relational database management systems (RDBMSs) and various servers, such as SAS/CONNECT servers, SAS/SHARE servers, and SAS Integrated Object Model (IOM) servers (such as the SAS Metadata Server).
From "SAS 9.3 Stored Processes Developer's Guide"
Hiding Passwords and Other Sensitive Data
If you are creating a prompt for a password and want the text to be masked as the user is typing, use a text type prompt, and then select Masked single line (for password entry) as the text type. For more information, see the prompt help in SAS Management Console.
Even if you decide not to use a masked prompt, the SAS log exposes programs and input parameters, which could pose a security issue. There are some actions that you can take to hide passwords and other sensitive data from the SAS log. Password values are hidden from the SAS log for any input parameters with the _PASSWORD suffix anywhere in the parameter name (for example, ABC_PASSWORD, _PASSWORDABC). You can disable the SAS log with the DebugMask Web application initialization parameter. For more information, see “Debugging in the SAS Stored Process Web Application ” on page 134. You can also use the prefix _NOLOG_ with macro variables to hide request variable values.
The _NOLOG_ prefix enables you to create special macro variables that can be sent to the stored process server without publishing the macro variable values in the SAS log. The special macro variables must start with the prefix _NOLOG_. The prefix is not case sensitive. Here is an example of an input parameter with the _NOLOG_ prefix:
If _NOLOG_SALARY is displayed in the SAS logs, the log shows the following:
_NOLOG_SALARY=XXXXXXXX;Note:The _NOLOG_ prefix and the _PASSWORD suffix are effective only if your stored process is running on a stored process server.
Registration is open! SAS is returning to Vegas for an AI and analytics experience like no other! Whether you're an executive, manager, end user or SAS partner, SAS Innovate is designed for everyone on your team. Register for just $495 by 12/31/2023.
If you are interested in speaking, there is still time to submit a session idea. More details are posted on the website.
Learn how use the CAT functions in SAS to join values from multiple variables into a single value.
Find more tutorials on the SAS Users YouTube channel.