And another bystander weighs in...
I think this is one of those issues that doesn't have a black or white solution.
I've been both an advanced developer and a SAS administrator, and have therefore had the chance to see the issue from both sides.
I will agree that in theory making "x" commands available doesn't open a security hole. On the other hand, it does expose what is supposed to be a purpose-acquired SAS server to running whatever programs users might want to spin up on it (and yes, I have seen this happen.) This can have implications for performance and reliability.
On the other hand, I have seen very valid requirements AS PART OF SAS PROCESSING to occasionally invoke O/S commands, using a facility such as the "x" command.
The key word here is "occasional". 85 percent of the requests relate to file processing. Another 10 percent relate to "zip" type functionality, which is more and more met from within SAS.
My considered response is that people who need file processing capabilities can do it with the SAS functions that process O/S files. They are very rich, and easy to use. I have yet to see a request come up that they can't satisfy. Yes, they require learning something new, but this is a SAS server; you ARE expected to use SAS on it.
Your particular example shouldn't take more than half an hour to an hour to implement using SAS tools (and believe me, I've done this kind of thing and more). Therefore, my response as a SAS administrator would be that you can meet your needs without enablement of the "x" command, so request denied.
Tom
... View more