08-20-2012 02:41 PM
I have a couple of stored processes that use passwords. I'd like to put them out for others in my group but every time I execute one, the log shows all my prompt values including the password. If I leave the process in SAS Enterprise Guide where I created it, I can turn off EG generated wrapper code but I see no option for that in stored processes.
08-20-2012 02:45 PM
Sounds like you are passing the password as a parameter. Why not convert the logic so that instead a pointer to the password is passed? Perhaps you could store the password in a database or SAS dataset and pass the name of the dataset. Then the program logic of the stored password could mask the password when it uses it using NOMPRINT or similar settings.
08-20-2012 03:20 PM
Thanks for your reply!
I considered picking them from a file but the passwords change all the time for which I am not responsible. I can't encrypt them either because they go to platforms that can't understand the encryption routine. The way I've been handling it now is to open up the stored process from SAS EG, run it and then remove it from the project. What I really want is to turn off the wrapper code so my parms aren't visible.
08-20-2012 03:12 PM
I think that is what PWENCODE does.
The PWENCODE procedure enables you to encode passwords. Encoded passwords can be used in place of plaintext passwords in SAS programs that access relational database management systems (RDBMSs) and various servers, such as SAS/CONNECT servers, SAS/SHARE servers, and SAS Integrated Object Model (IOM) servers (such as the SAS Metadata Server).
08-20-2012 04:32 PM
From "SAS 9.3 Stored Processes Developer's Guide"
Hiding Passwords and Other Sensitive Data
If you are creating a prompt for a password and want the text to be masked as the user is typing, use a text type prompt, and then select Masked single line (for password entry) as the text type. For more information, see the prompt help in SAS Management Console.
Even if you decide not to use a masked prompt, the SAS log exposes programs and input parameters, which could pose a security issue. There are some actions that you can take to hide passwords and other sensitive data from the SAS log. Password values are hidden from the SAS log for any input parameters with the _PASSWORD suffix anywhere in the parameter name (for example, ABC_PASSWORD, _PASSWORDABC). You can disable the SAS log with the DebugMask Web application initialization parameter. For more information, see “Debugging in the SAS Stored Process Web Application ” on page 134. You can also use the prefix _NOLOG_ with macro variables to hide request variable values.
The _NOLOG_ prefix enables you to create special macro variables that can be sent to the stored process server without publishing the macro variable values in the SAS log. The special macro variables must start with the prefix _NOLOG_. The prefix is not case sensitive. Here is an example of an input parameter with the _NOLOG_ prefix:
If _NOLOG_SALARY is displayed in the SAS logs, the log shows the following:
_NOLOG_SALARY=XXXXXXXX;Note:The _NOLOG_ prefix and the _PASSWORD suffix are effective only if your stored process is running on a stored process server.
08-20-2012 06:07 PM
Well that makes a good argument for setting up a stored process server. We've only got a logical workspace server. But I still think we should be able to turn off that wrapper code just like you can in SAS EG.