Hey everybody,
I have an STP in which there is sensitive information in the code. The users are allowed to execute the STP but they shouldn't be able to view the code of the STP. I output the log to a different location so that the users can't view it but they are still able to view the code.
Just taking away WriteMetadata and modifying the role so that under content the users can't create or modify an STP doesn't work. Taking away ReadMetadata doesn't work as the users are now unable to use the STP.
Does anybody have an idea? Maybe there is a way to encrypt the coding which is then decrypted at runtime? Is something like that possible in SAS? Any other suggestions?
Looking forward to your ideas and suggestions
David
Hello all,
Unfortunately, none of that would work: if the (malicious) user enabled a LOG/DEBUG parameter in the URL, all the code would show up in the logs.
BTW: on production systems, the SASStoredProcess web application should have the LOG/DEBUG option disabled in the SAS Management Console settings.
The only real way to hide the code is by including secured macros.
Sample 33559: How to Hide Code Used in SAS® Stored Processes That Are Associated with SAS® Information Maps (you can safely ignore the part of Information Maps, not relevant)
http://support.sas.com/kb/33/559.html
and
http://support.sas.com/documentation/cdl/en/mcrolref/61885/HTML/default/viewer.htm#macro-stmt.htm (see example 5)
Is the sensitive info some sort of data? Could it be put into a table that the STP can read but users cannot?
Or if code, can you put it into a separate .sas file and then %INCLUDE it? Again, only the STP can read from this location.
Or maybe you need to revisit what you are trying to do and who your audience is.
The library name itself can't be the problem. What confidential data could be stored in 8 characters?
Put the libnames into the autoexec for the stored process server, that way they are only read when the STP servers start up (keep in mind that the STP server is a pooled resource).
Grant metadata access to the users, but restrict it to sassrv in the OS.
The real question here is:
"The sensitive information is inside of the code aka the libname statements."
Why do you have data in libname statements? Paths on your network should be kept small, have no special characters, and above all not contain "data". The fact that you have chosen to put sensitive information in paths is bad in several areas.
This question comes up quite often, usually because the code contains passwords or other sensitive information.
The solution is simple. @KurtBremser is right - create a secure directory that can only be read by the STP account (e.g. sassrv) and the administrators group.
In your STP code, run the following two lines:
options nomprint nosource2; /* prevent log output */
%inc "/temp/mySecureDirectory/program.sas"; /* execute secured part of the code */
Afterwards you may wish to reinstate the options. Job done!
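The two approaches suggested in this thread (a secured stored macro, and a %inc from a protected directory with the options reinstated afterwards), combined in one sketch. This is an added example, not code from any poster or from SAS; the catalog directory, the macro name assign_libs, the libref srcdata and the placeholder path are assumptions.

```sas
/* ---- Part 1: run once by an administrator, outside the STP ---------- */
/* Assumed catalog directory: readable only by sassrv and the admins.    */
libname secmac "/temp/mySecureDirectory/macros";
options mstored sasmstore=secmac;

/* STORE compiles the macro into the catalog secmac.sasmacr.             */
/* SECURE encrypts the stored macro text.                                */
%macro assign_libs / store secure;        /* hypothetical macro name     */
   /* placeholder for the sensitive statements */
   libname srcdata "/placeholder/path";
%mend assign_libs;

/* ---- Part 2: the stored process the users are allowed to run -------- */
/* Save the current log settings so they can be reinstated afterwards.   */
%let saved_opts = %sysfunc(getoption(source)) %sysfunc(getoption(source2))
                  %sysfunc(getoption(mprint)) %sysfunc(getoption(mlogic))
                  %sysfunc(getoption(symbolgen)) %sysfunc(getoption(notes));

/* NOSOURCE/NOSOURCE2 stop statements from being echoed to the log,      */
/* NOMPRINT/NOMLOGIC/NOSYMBOLGEN stop macro tracing, and NONOTES stops   */
/* the NOTE that a LIBNAME statement writes with the physical path.      */
options nosource nosource2 nomprint nomlogic nosymbolgen nonotes;

/* Variant A: include the protected program file (path from the post).   */
%inc "/temp/mySecureDirectory/program.sas";

/* Variant B: call the secured compiled macro instead.                   */
libname secmac "/temp/mySecureDirectory/macros" access=readonly;
options mstored sasmstore=secmac;
%assign_libs

/* Reinstate whatever was in effect before the protected section.        */
options &saved_opts;
```

Either variant depends on operating-system permissions: the directory must be readable by the stored process server account but not by the end users, and the LOG/DEBUG setting mentioned earlier in the thread should still be disabled on production.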