BookmarkSubscribeRSS Feed
stc2008969
Calcite | Level 5

This post has two parts:

1) Recently added a read/write/alter password to a data set (first data set below) but users are running code that calls the read password using the syntax "password =" (second data step below). When the second data step is run, it's as if the password= syntax isn't recognized and instead prompts the user for the "alter" password. If I change "password=" to "read=" using the correct read password, it works. The problem is that many users run code where "password=" syntax is used and it would be a pretty large task to ask them to go back and change that to "read=" in every instance.  Is there some type of workaround or syntax when assigning the passwords that would allow the "password=" to still work? 

/*data step assigning read/write/alter passwords to an existing data set*/
data test (read=red write=blue alter=purple);
set test;
run;

/*older version of SAS code using the "password=" syntax when attempting to read the data set*/
data test_table;
set test (password=red);
run;

2) I've done some digging on the password syntax options but I'm really having trouble with the whole read/write/alter password issue.  Essentially, I have a data set that I need to assign passwords to in order to protect the data so that 1) users can run queries against but not edit the actual data, and 2) still allow me or others with an "alter" password to make necessary edits on a frequent basis.  Once I assigned the read/write/alter permissions to the data set, every time I try to open the data set to read it or run a query against it, I'm prompted for the "alter" password only.  I've looked into the "pw=" syntax a little bit but since protects the entire data set with a singe password, I don't think it would work in my scenario. I'm hoping someone can help me find the right password syntax for what I'm trying to do.

5 REPLIES 5
AllanBowe
Barite | Level 11

One option is to avoid passwords entirely!

 

We've built a tool that allows end users to make _controlled_ changes using a system account.  It's zero code, and free for 5 users.  

Just make the file read-only to everyone, then configure the system account (eg `sassrv`) as the only account with write access.  In this way, all changes are handled with the tool, along with an audit history of all the changes, plus the ability to implement validation checks.

 

https://datacontroller.io

/Allan
SAS Challenges - SASensei
MacroCore library for app developers
SAS networking events (BeLux, Germany, UK&I)

Data Workflows, Data Contracts, Data Lineage, Drag & drop excel EUCs to SAS 9 & Viya - Data Controller
DevOps and AppDev on SAS 9 / Viya / Base SAS - SASjs
SASKiwi
PROC Star

Personally I'd avoid using SAS coding options for this as it adds a layer of coding effort and maintenance I'd rather not have. Using OS permissions is a lot less effort. With these you can set permissions at the folder level so a whole SAS library can be set to read-only for example. You can also set up groups of users, with one group having read-only access and another having write access.

 

EDIT: What is your actual business requirement here? Is it to protect just a few datasets, all datasets for an application,  or are you wanting to control access to all datasets in a SAS installation? The scope of your requirement should influence the chosen solution.  

stc2008969
Calcite | Level 5

Thanks for your response. I think the OS permissions will likely be the best option long term but it's not something that can be done in the short term due to limited resources.

 

The business requirement is to protect four datasets in a single folder/file path and keep users from being able to inadvertently edit or delete data (read-only permissions) when running queries in SAS. However, two users (one of those being myself) will need to still be able to modify the datasets on a monthly/quarterly basis. I'm familiar with OS permissions but only when an entire folder is protected. I don't remember a scenario I've encountered where I've needed to hit a dataset that had OS permissions so I'm not sure how it would look or work. 

 

If OS permissions for those four datasets were set to read-only to "everyone", would users just run their queries like usual without needing a password? And what would it look like if they tried to run a proc append, for example, to modify one of the datasets? Would it error out in SAS? 

SASKiwi
PROC Star

@stc2008969 wrote:

Thanks for your response. I think the OS permissions will likely be the best option long term but it's not something that can be done in the short term due to limited resources.

 

The business requirement is to protect four datasets in a single folder/file path and keep users from being able to inadvertently edit or delete data (read-only permissions) when running queries in SAS. However, two users (one of those being myself) will need to still be able to modify the datasets on a monthly/quarterly basis. I'm familiar with OS permissions but only when an entire folder is protected. I don't remember a scenario I've encountered where I've needed to hit a dataset that had OS permissions so I'm not sure how it would look or work. 

 

If OS permissions for those four datasets were set to read-only to "everyone", would users just run their queries like usual without needing a password? And what would it look like if they tried to run a proc append, for example, to modify one of the datasets? Would it error out in SAS? 


Setting OS permissions to read-only for everyone would prevent everyone modifying the datasets by any means at all, both in SAS or by any other means (OS delete for example). One approach would be to have a special user account (we call them service accounts) which has modify permissions. Anyone who wants to modify these datasets can use this account. This is a convenient solution if you are OK with doing all modifies using a batch job as this job can be run under the service account. BTW using SAS passwords only works in SAS. It doesn't prevent OS deletes or tampering using other software.

japelin
Rhodochrosite | Level 12

1) That's odd.
I could not identify any such problem with password and read.
The following code works fine.

data pw1(read=a write=b alter=c);
  a=1;
run;
data pw1_2;
  set pw1(pw=a);
run;

data pw2(pw=a);
  a=1;
run;
data pw2_2;
  set pw2(read=a);
run;

 

2)To what extent should the data be password protected?
If it is a normal password, it is easily accessible in python or R. It is protected only "on SAS".

However, I can see how a write and ALTER password would give you peace of mind that the original data set will not be edited. In such cases, data sets in an appropriate access environment may be provided with the read password removed.

In such a data set, both the read and password options can be accessed with or without the read option, even if the password specified is incorrect.

data class(write=abc alter=xyz);
  set sashelp.class;
run;
data read1;
  set class;
run;
data read2;
  set class(read=xxxxx);
run;
data read3;
  set class(pw=abcdefg);
run;

 

SAS Innovate 2025: Save the Date

 SAS Innovate 2025 is scheduled for May 6-9 in Orlando, FL. Sign up to be first to learn about the agenda and registration!

Save the date!

How to Concatenate Values

Learn how use the CAT functions in SAS to join values from multiple variables into a single value.

Find more tutorials on the SAS Users YouTube channel.

SAS Training: Just a Click Away

 Ready to level-up your skills? Choose your own adventure.

Browse our catalog!

Discussion stats
  • 5 replies
  • 1289 views
  • 2 likes
  • 4 in conversation