BookmarkSubscribeRSS Feed
🔒 This topic is solved and locked. Need further help from the community? Please sign in and ask a new question.
Criptic
Lapis Lazuli | Level 10

Hey everybody,

 

I have a STP in which there is sensible information in the code. The users are allowed to execute the STP but they shouldn't be able to view the code of the STP. I output the log to a different location so that the users can't view it but they are still able to view the code.

 

Just taking away WriteMetadata and modifying the role so that under content the users can't create or modify an STP doesn't work. Taking away ReadMetadata doesn't work as the users are now unable to use the STP.

 

Does anybody have an idea? Maybe there is a way to encrypt the coding which is then decrypted at runtime? Is something like that possible in SAS? Anyother suggestions?

 

Looking forward to your ideas and suggestions

David

1 ACCEPTED SOLUTION

Accepted Solutions
JuanS_OCS
Amethyst | Level 16

Hello all,

 

unfortunately, none of that would work, if the (malicious)  user would enable a LOG/DEBUG parameter in the URL, all the code would show up in the logs.

 

BTW: on production systems, the SASStoredProcess web application should have the LOG/DEBUG option disabled in the SAS Management Console settings.

 

The only real way to hide the code is by including secured macros.

 

Sample 33559: How to Hide Code Used in SAS® Stored Processes That Are Associated with SAS® Information Maps (you can safely ignore the part of Information Maps, not relevant)

http://support.sas.com/kb/33/559.html

 

and

 

http://support.sas.com/documentation/cdl/en/mcrolref/61885/HTML/default/viewer.htm#macro-stmt.htm (see example 5)

 

View solution in original post

6 REPLIES 6
lethcons
Obsidian | Level 7

Is the sensitive info some sort of data? Could it be put into a table that the STP can read but users cannot?

Or if code, can you put it into a separate .sas file and then %INCLUDE it? Again, only the STP can read from this location.

Or maybe you need to revisit what you are trying to do and who your audience is.

Criptic
Lapis Lazuli | Level 10
The sensitive information is inside of the code aka the libname statements. I could put that libname statements into a table and load it from there that is a great idea. The include will not work for me because of the way our environment is configured.
Do you have anyother suggestions? 😄
Kurt_Bremser
Super User

The library name itself can't be the problem. What confidential data could be stored in 8 characters?

Put the libnames into the autoexec for the stored process server, that way they are only read when the STP servers start up (keep in mind that the STP server is a pooled resource).

Grant metadata access to the users, but restrict it to sassrv in the OS.

RW9
Diamond | Level 26 RW9
Diamond | Level 26

The real question here is:
"The sensitive information is inside of the code aka the libname statements."
Why do you have data in libname statements, paths on your network should be kept small, have no special characters, and above all not contain "data". The fact that you have chosen to put sensitive information in paths is bad in several areas.

JuanS_OCS
Amethyst | Level 16

Hello all,

 

unfortunately, none of that would work, if the (malicious)  user would enable a LOG/DEBUG parameter in the URL, all the code would show up in the logs.

 

BTW: on production systems, the SASStoredProcess web application should have the LOG/DEBUG option disabled in the SAS Management Console settings.

 

The only real way to hide the code is by including secured macros.

 

Sample 33559: How to Hide Code Used in SAS® Stored Processes That Are Associated with SAS® Information Maps (you can safely ignore the part of Information Maps, not relevant)

http://support.sas.com/kb/33/559.html

 

and

 

http://support.sas.com/documentation/cdl/en/mcrolref/61885/HTML/default/viewer.htm#macro-stmt.htm (see example 5)

 

AllanBowe
Barite | Level 11

This question comes up quite often, usually because the code contains passwords or other sensitive information.

 

The solution is simple.  @KurtBremser is right - create a secure directory that can only be read by the STP account (eg sassrv) and the administrators group.

 

In your STP code, run the following two lines:

 

options nomprint nosource2; /* prevent log output */

%inc "/temp/mySecureDirectory/program.sas"; /* execute secured part of the code */

 

Afterwards you may wish to reinstate the options.  Job done!

/Allan
SAS Challenges - SASensei
MacroCore library for app developers
SAS networking events (BeLux, Germany, UK&I)

Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller
DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs

SAS Innovate 2025: Save the Date

 SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!

Save the date!

How to Concatenate Values

Learn how use the CAT functions in SAS to join values from multiple variables into a single value.

Find more tutorials on the SAS Users YouTube channel.

SAS Training: Just a Click Away

 Ready to level-up your skills? Choose your own adventure.

Browse our catalog!

Discussion stats
  • 6 replies
  • 2892 views
  • 4 likes
  • 6 in conversation