BookmarkSubscribeRSS Feed
danfavero
Calcite | Level 5

Dear all,

I created a view to a table and would like to restrict the user access only to the view blocking the access to the table. Can anybody give me

a hint of how to do it?

8 REPLIES 8
ChrisHemedinger
Community Manager

The new-fangled methods to achieve this might be to use metadata-bound libraries or a SAS information map, both of which require SAS Metadata Server and some administration activities.

If you're looking to simply provide the VIEW and obscure the access to the underlying table, you could encode the LIBNAME statement/access inside the VIEW with the USING LIBNAME syntax.  However, that doesn't prevent your end user from spelunking into the VIEW definition and finding a direct line to your table.

Chris

It's time to register for SAS Innovate! Join your SAS user peers in Las Vegas on April 16-19 2024.
danfavero
Calcite | Level 5

Unfortunately I dont have the access to SAS Metadata Server and "Using Libname Sintax" goes exactly to the spelunking issue that you mentioned. I'm trying to find a solution to hide sensitive data from the users and the best thing I could think was creating views displaying only the allowed data, it is simple and would save space. Anyways thank you very much. If anybody can give me any other suggestion I would really appreciate!

AndreasMenrath
Pyrite | Level 9

SAS is not like a database. What you intend to do is typical for databases.

For SAS a view is just a query saved in the file system. When you execute the view the query is executed and your users will need access privileges to the underlying table. So it is not possible to do that with SAS datasets.

RW9
Diamond | Level 26 RW9
Diamond | Level 26

Actually, you can do most things with SAS, have a secured autoexec.sas for instance which sets up permissions, creates things based on username etc.  You could for instance put in autoexec the statements:

If user="aaa" then do;

     libname aaa_data "...\..." access=read;

     libname aaa_workspace "...\...";

     proc datasets ... copy datasets from core to aaa_data;

end;

etc.

However you would also need IT to protect things on a storage level as obviously knowing the network path to core would allow access.

RW9
Diamond | Level 26 RW9
Diamond | Level 26

Could you mean some kind of access control to a large dataset.  I know what OC does is create a view with a subclause for access:

So

Table ACCESS:

User     Priv     Area

aaaa     write     Dom1

aaaa     write     Dom2

bbb       read     Dom1

Proc sql;

     create view TEST as

     select     *

     from        DATA_TABLE

     where     AREA in (select THIS.AREA from ACCESS THIS where THIS.USER="&USER.");

quit;

jakarman
Barite | Level 11

You must block all kind of features of SAS to achieve your question.
What you are describing to achieve is the same as once COBOL programmers did. Build the program test it and deploy.

Let  the users only user your program in the given ordering of clicks/enters .

I was assuming we are going for use with the goal: BI users, Agile, self service analytics. That is implying a lot of freedom for the users.
I you need to protect sensitive data think about that on the OS level.

---->-- ja karman --<-----
danfavero
Calcite | Level 5

Yes Jaap, I really need to protect sensitive data, I would like to not have to create separate files with sensitive and non-sensitive information. However I couldnt find anything efficient to do that.

jakarman
Barite | Level 11

It does matter what kind of OS you are using and how comfortable you are organizing security at that level.

OS categories:
- With the common used Windows using the Active directory, you have very advanced options that are well known and fit into common management

  The most easiest approach is defining data accordingly in those kind of locations.

- Mainframes are well managed, just find the RACF people and you can solve it.

- Unix/Linux is the exception as often very bad managed and blaming all other tools for complexity.
  This is not needed as also in Unix/Linux security can easily managed when all technical prereq are known.

- An external DBMS often has very advanced authentication and security. When the libname to an external RDBM is able to set up with different setting according to you requirements you can solve this at that level.

All this is needing cooperation with those guys. They have the tools to do it.

If all data is in one table and several persons may see just some part you are having an issue.
This is a common issue with OLAP there row-level access has been introduced. It is requiring only mediated access by predefined programs executed.     

There is not anything within SAS solving your question to views to isolating those partial datasets.
If SAS with some coding is an option for your users, they always can find a way to access all data.  It is becoming like a kids hiding game (obscure = hiding).         

---->-- ja karman --<-----

sas-innovate-2024.png

Join us for SAS Innovate April 16-19 at the Aria in Las Vegas. Bring the team and save big with our group pricing for a limited time only.

Pre-conference courses and tutorials are filling up fast and are always a sellout. Register today to reserve your seat.

 

Register now!

SAS Enterprise Guide vs. SAS Studio

What’s the difference between SAS Enterprise Guide and SAS Studio? How are they similar? Just ask SAS’ Danny Modlin.

Find more tutorials on the SAS Users YouTube channel.

Click image to register for webinarClick image to register for webinar

Classroom Training Available!

Select SAS Training centers are offering in-person courses. View upcoming courses for:

View all other training opportunities.

Discussion stats
  • 8 replies
  • 2179 views
  • 5 likes
  • 5 in conversation