One option is to avoid passwords entirely!

We've built a tool that allows end users to make _controlled_ changes using a system account.  It's zero code, and free for 5 users.  

Just make the file read-only to everyone, then configure the system account (eg `sassrv`) as the only account with write access.  In this way, all changes are handled with the tool, along with an audit history of all the changes, plus the ability to implement validation checks.

https://datacontroller.io

Personally I'd avoid using SAS coding options for this as it adds a layer of coding effort and maintenance I'd rather not have. Using OS permissions is a lot less effort. With these you can set permissions at the folder level so a whole SAS library can be set to read-only for example. You can also set up groups of users, with one group having read-only access and another having write access.

EDIT: What is your actual business requirement here? Is it to protect just a few datasets, all datasets for an application,  or are you wanting to control access to all datasets in a SAS installation? The scope of your requirement should influence the chosen solution.  

Thanks for your response. I think the OS permissions will likely be the best option long term but it's not something that can be done in the short term due to limited resources.

The business requirement is to protect four datasets in a single folder/file path and keep users from being able to inadvertently edit or delete data (read-only permissions) when running queries in SAS. However, two users (one of those being myself) will need to still be able to modify the datasets on a monthly/quarterly basis. I'm familiar with OS permissions but only when an entire folder is protected. I don't remember a scenario I've encountered where I've needed to hit a dataset that had OS permissions so I'm not sure how it would look or work. 

If OS permissions for those four datasets were set to read-only to "everyone", would users just run their queries like usual without needing a password? And what would it look like if they tried to run a proc append, for example, to modify one of the datasets? Would it error out in SAS? 

---

@stc2008969 wrote:

Thanks for your response. I think the OS permissions will likely be the best option long term but it's not something that can be done in the short term due to limited resources.

 

The business requirement is to protect four datasets in a single folder/file path and keep users from being able to inadvertently edit or delete data (read-only permissions) when running queries in SAS. However, two users (one of those being myself) will need to still be able to modify the datasets on a monthly/quarterly basis. I'm familiar with OS permissions but only when an entire folder is protected. I don't remember a scenario I've encountered where I've needed to hit a dataset that had OS permissions so I'm not sure how it would look or work. 

 

If OS permissions for those four datasets were set to read-only to "everyone", would users just run their queries like usual without needing a password? And what would it look like if they tried to run a proc append, for example, to modify one of the datasets? Would it error out in SAS? 

---

Setting OS permissions to read-only for everyone would prevent everyone modifying the datasets by any means at all, both in SAS or by any other means (OS delete for example). One approach would be to have a special user account (we call them service accounts) which has modify permissions. Anyone who wants to modify these datasets can use this account. This is a convenient solution if you are OK with doing all modifies using a batch job as this job can be run under the service account. BTW using SAS passwords only works in SAS. It doesn't prevent OS deletes or tampering using other software.

1) That's odd.
I could not identify any such problem with password and read.
The following code works fine.

data pw1(read=a write=b alter=c);
  a=1;
run;
data pw1_2;
  set pw1(pw=a);
run;

data pw2(pw=a);
  a=1;
run;
data pw2_2;
  set pw2(read=a);
run;

2)To what extent should the data be password protected?
If it is a normal password, it is easily accessible in python or R. It is protected only "on SAS".

However, I can see how a write and ALTER password would give you peace of mind that the original data set will not be edited. In such cases, data sets in an appropriate access environment may be provided with the read password removed.

In such a data set, both the read and password options can be accessed with or without the read option, even if the password specified is incorrect.

data class(write=abc alter=xyz);
  set sashelp.class;
run;
data read1;
  set class;
run;
data read2;
  set class(read=xxxxx);
run;
data read3;
  set class(pw=abcdefg);
run;