There has been a lot of good discussion on this topic thus far, but I've seen some possible confusion that I wanted to clarify. Metadata-bound libraries are a unique configuration that is different from libraries simply defined within the metadata. You can define libraries in the metadata for various types of data sources, such as SAS data sets or external database data. However, metadata-bound libraries (MBLs) are only applicable to SAS data sets and associated SAS indexes.

When you define a metadata-bound library, you run PROC AUTHLIB code to password-protect and physically bind all data sets in a defined path to metadata. With this approach, the data set password gets stored in metadata and you effectively lock down direct access to SAS data via a BASE engine libname statement and enforce metadata permissions for access to the SAS data. Users don't need to supply the password for data access; they instead just require a metadata-aware SAS session and metadata permission to access the data.

If you want to encrypt the data at rest, then you would also use the REQUIRE_ENCRYPTION, ENCRYPT, and ENCRYPTKEY options on the PROC AUTHLIB statement to enforce encryption of the MBL data. See the SAS 9.4 Guide to Metadata-Bound Libraries for more information on PROC AUTHLIB. SAS Management Console has a user interface for defining MBLs, which effectively just generates and executes PROC AUTHLIB code behind the scenes. However, I typically like to write the code myself and run it outside of SAS Management Console just to clearly define and document the code options used.

As an FYI, I am a member of a SAS Consulting team that works with customers on architecture, administration, and security topics. In our experience, we have primarily only utilized metadata-bound libraries for implementations which require encryption of SAS data. There is definite administration overhead in implementing MBLs, but they are the best way to seamlessly enforce encryption of SAS data. I always inform our customers that SAS data set encryption also requires defined user and administration processes in order to monitor and enforce the use of MBLs.

Deepali Rai is another SAS consultant I work with and she will actually be presenting a SAS Global Forum 2018 paper on this topic based on best practices we have learned in working with MBLs and encrypted SAS data. Look for her in Denver in April!

Regards,
Angie Hedberg
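The binding described in the post above, sketched as an added example that is not part of the original post or the poster's own code: it binds one Base SAS library to metadata with enforced AES encryption, then reports on the binding. The library name, path, secured folder and library names, and the password and key values are constructed placeholders, and a metadata-aware session with rights to create the secured library is assumed.

```sas
/* Added example. All names, paths and secret values are constructed placeholders. */
/* Assumes the session is already connected to the metadata server.                */

%let mbl_pw  = CHANGEME;          /* placeholder data set password (max 8 chars)    */
%let mbl_key = CHANGE_THIS_KEY;   /* placeholder AES key value                      */

/* Physical path whose SAS data sets will be bound to metadata */
libname finlib "/sasdata/finance";

proc authlib lib=finlib;
   create securedfolder="Finance"          /* secured folder object in metadata      */
          securedlibrary="FinanceData"     /* secured library object in metadata     */
          pw=&mbl_pw                       /* password recorded in metadata          */
          require_encryption=yes           /* all data sets must be encrypted        */
          encrypt=aes                      /* AES encryption for the bound data      */
          encryptkey=&mbl_key;             /* key recorded in metadata               */
run;
quit;

/* Check: report the binding and any data sets whose location or      */
/* password information is inconsistent with the secured library.     */
proc authlib lib=finlib;
   report;
run;
quit;
```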