SAS Data Integration Studio, DataFlux Data Management Studio, SAS/ACCESS, SAS Data Loader for Hadoop and others

having one SAS library vs Many

Reply
Regular Contributor
Posts: 163

having one SAS library vs Many

Hello,
Currently we have most presentation data marts in different locations whose metadata data sources ( like dimensions) are sufaced via different SAS libraries. For example, a finance subject area would have a Finance Library containing finance dimensions etc.
Since 9.2 is going to use folders a lot, can I just have one library containing anything about the presentation part ( dimensions ( or conformed) and facts ) in one SAS library and have folders logically 'organize them' as well as use security on folders as well. example.
One library to hold all dimensions, facts ( sas data sets views, index) and folders to separated them logically as well as apply security if needed at the folder level.
What would be the trade off here ( using folders to organize and secure and library just to surface in any application/tool)?
Super User
Posts: 5,260

Re: having one SAS library vs Many

If you want to apply security on folders, you have to make sure that all client connections are done via meta libname,
or else OS security will be used (for non-pooled workspace server sessions).

/Linus
Data never sleeps
SAS Employee
Posts: 51

Re: having one SAS library vs Many

Hello,

You can, in fact, take the approach you discussed below (meaning that you can separate tables into folders as you require for logical organization and security purposes).

You most likely already understand this, but as was mentioned below, folder permissions in Metadata only secure the table metadata, not the underlying physical data. You still need to properly secure data at either the OS level (for SAS datasets) or RDBMS level. You could access the data through the Metadata Libname Engine, which honors the Read, Write, Update and Delete permissions listed in metadata. However, there is no way to force users to access the data with this method. If they have permission to the underlying physical data (file system permissions or DBMS password), they can always get to the data by issuing a regular libname statement rather than MLE. So, whether you can use MLE depends on your application, the way you configure security and the other access your users may have to the data.

There are some other approaches you can take in 9.2 with the introduction of Token Based Authentication, where you can have all Workspace Server sessions for a particular application run as a privileged user, which might provide a solution. If this is of interest, I could post some more on this topic.

Thanks,

Tim Stearn
Regular Contributor
Posts: 163

Re: having one SAS library vs Many

Thank you Linus and Tim.
We currently don't have anyone defined in the system , except admins or power developers. We also use LDAP and going to AD. We also are using the MLE as you mentioned, and if we use the regular libname, only a system user like sassrv uses it ( or a developer).

One of the main reasons ( when we switch to 9.2) to keep less libraries is because we experienced some needed manegeability (example, sometimes we have views that use dimensions from different libraries) . Besides security , we used libraries for organization purposes too. But it looks like folders could accomplish this and we can have less libraries to manage.


It looks like also the Token Based Authentication could be something we can also use to leverage so please illustrate.

jp
Ask a Question
Discussion stats
  • 3 replies
  • 202 views
  • 0 likes
  • 3 in conversation