Can i block the export file feature to avoid data leak?
I think we need more details.
What type of export? PDF, Excel, SAS datasets?
What type of access to the data your users are having?
If they are responsible to have that data available, how would you prevent data-leaks by preventing some usage?
There are two mitigations:
- define your security controls in way that only
a/ personal keys are used by your users and
b/ those personal keys are limited to access just the data they are needing.
This is part of the RBAC process. It includes the whole path of the used stack. (OS layer . external DBM, SAS metadata)
- Make the activities of the users traceable and auditable by using logging
This is SIEM Security Information and Event Management.
part of the "standard of good practice" included with ISO27k hipaa sox-404 and many more.
I see little point in trying to block SAS's export capabilities as anyone with reasonable SAS knowledge can bypass them, for example using a DATA step with PUT statements to write external files.
If this is a data security issue, then it could be approached more from the who has access to what point of view - if you trust users to access the data, why can't you trust them to not export inappropriately?
Good points by all -- it can be a struggle to give users the tools they need to do their jobs, and then still try to lock down the capabilities that could potentially be abused.
SAS does have some options for this:
New superpowers for SAS administrators - SAS Users Groups
Even with these options, I wouldn't consider this a substitute for clear policies, diligent monitoring, and OS-level permissions that reflect who should be able to do what...
Chris
If you want additional info see: SIEM or Security information management - Wikipedia, the free encyclopedia . You need a BI tool for log - analyses. SAS is not mentioned in this world although they could do or. The name popping up is Splunk.
Any user who can see data can simply copy/paste it. Trust your users or not. If not, don't let them work with the data at all.
The only reasonable thing you can do is set logging to a level that lets you see all requests that were handled by the SAS system, so you can at least make a valid attempt to find out who accessed the relevant data at a given time, if something was leaked.
Are you ready for the spotlight? We're accepting content ideas for SAS Innovate 2025 to be held May 6-9 in Orlando, FL. The call is open until September 25. Read more here about why you should contribute and what is in it for you!
What’s the difference between SAS Enterprise Guide and SAS Studio? How are they similar? Just ask SAS’ Danny Modlin.
Find more tutorials on the SAS Users YouTube channel.