passwords of the SAS data sets named in the FROM clause. If you are running SAS
in batch or noninteractive mode, you receive an error message.
SAS/ACCESS Views
SAS/ACCESS software enables you to edit View descriptors and, in some interfaces, the
underlying data. To prevent someone from editing or reading (browsing) the View
descriptor, assign Alter protection to the view. To prevent someone from updating the
underlying data, assign Write protection to the view. For more information, see the
SAS/ACCESS documentation for your DBMS.
DATA Step Views
When you create a DATA step view using a password-protected SAS data set, specify
the password in the View definition. In this way, when you use the view, you can access
the underlying data without respecifying the password.
The following statements create a DATA step view using a password-protected SAS data
set, and drop a sensitive variable:
data mylib.emp / view=mylib.emp;
set mylib.employee(pw=orange drop=salary);
run;
Note that you can use the SAS view without a password, but access to the underlying
data requires a password. This is one way to protect a particular column of data. In the
above example, proc print data=mylib.emp; executes, but
proc print data=mylib.employee; fails without the password.
SAS Data File Encryption
About Encryption on SAS Data Files
SAS passwords and metadata-bound data sets restrict access to SAS data sets within
SAS. But neither can prevent SAS data sets from being viewed at the operating
environment system level or from being read by an external program. Encryption
provides security of your SAS data outside of SAS by writing to disk the encrypted data
that represents the SAS data. The data is decrypted by the SAS system as it is read from
the disk, but is not decrypted when read at the operating system level or by external
programs.
Encryption does not affect file access. However, SAS honors all host security
mechanisms that control file access and can extend host security mechanisms by binding
the data sets to metadata. You can use encryption and those security mechanisms
together.
There are two types of algorithms that SAS uses for encrypting data files:
- SAS Proprietary Encryption on page 732 is implemented with the
  ENCRYPT=YES data set option.
- AES (Advanced Encryption Standard) encryption on page 733 is implemented with
  the ENCRYPT=AES data set option.
SAS Data File Encryption 731
Beginning with the first maintenance release of 9.4, a metadata-bound library
administrator can require that all data files in the bound library be encrypted with one of
the two algorithms. For more information, see “Requiring Encryption for Metadata-
Bound Data Sets” in Base SAS Procedures Guide and SAS Guide to Metadata-Bound
Libraries.
Table 34.1 Encryption Features

Features                          ENCRYPT=YES                                 ENCRYPT=AES
License required                  No                                          No
Encryption level                  Medium                                      High
Algorithm supported               SAS Proprietary (within Base SAS software)  AES
Installation required             No (part of Base SAS software)              No SAS/SECURE (delivered with Base SAS software)
Operating environments supported  UNIX, Windows, z/OS                         UNIX, Windows, z/OS
SAS version support               8 and later                                 9.4 and later

See Also
“AUTHLIB” in Base SAS Procedures Guide
SAS Proprietary Encryption
SAS Proprietary Encryption is licensed with Base SAS software and is available in all
deployments. There are two types of SAS Proprietary Encryption.
- A 32-bit rolling-key encryption technique that is used for SAS data set encryption
  with passwords.
  This encryption technique for SAS data sets uses parts of the passwords that are
  stored in the SAS data set as part of the 32-bit rolling key encoding of the data. This
  encryption provides a medium level of security. Users must supply the appropriate
  passwords to authorize their access to the data, but with the speed of today’s
  computers, it could be subjected to a brute force attack on the 2,563,160,682,591
  possible combinations of valid password values, many of which must produce the
  same 32-bit key. SAS/SECURE and data set support of AES, which is also shipped
  with Base SAS software, provides a higher level of security.
- A 32-bit fixed-key encryption routine used for communications, such as passwords
  for login objects, passwords in configuration files, login passwords, internal account
  passwords, and so on.
SAS Proprietary Encryption for SAS data sets is implemented with the ENCRYPT= data
set option. You can use the ENCRYPT= data set option only when you are creating a
SAS data file. You must also assign a password when encrypting a data file with SAS
Proprietary Encryption. At a minimum, you must specify the READ= data set option or
the PW= data set option at the same time you specify ENCRYPT=YES. Because
passwords are used in this encryption technique, you cannot change any password on an
encrypted data set without re-creating the data set.
The following rules apply to data file encryption:
- To copy an encrypted SAS data file, the output engine must support encryption.
  Otherwise, the data file is not copied.
- Encrypted files work only in Release 6.11 or in later releases of SAS.
- You cannot encrypt SAS data views, because they contain no data.
- If the data file is encrypted, all associated indexes are also encrypted.
- Encryption requires approximately the same amount of CPU resources as
  compression.
- You cannot use PROC CPORT on encrypted SAS data files.
The following example creates a SAS data set with SAS Proprietary Encryption:
data salary(encrypt=yes read=green);
input name $ yrsal bonuspct;
datalines;
Muriel 34567 3.2
Bjorn 74644 2.5
Freda 38755 4.1
Benny 29855 3.5
Agnetha 70998 4.1
;
To print this data set, specify the Read password:
proc print data=salary(read=green);
run;
quit;
TIP Each password option must be coded on a separate line to ensure that they are
properly blotted in the SAS log.
See Also
“AUTHLIB” in Base SAS Procedures Guide
AES Encryption
In SAS 9.4, AES encryption of data sets is available. AES produces a stronger
encryption by using a key value that can be up to 64 characters long. You specify
ENCRYPT=AES when creating a data set. Instead of passwords that are stored in the
data set (SAS Proprietary encryption), AES uses a key value that is not stored in the data
set. The key value is created using the ENCRYPTKEY= data set option when the data
set is created. You cannot change the ENCRYPTKEY= key value on an AES encrypted
data set without re-creating the data set.
The following rules apply to AES encryption of data sets:
- You use SAS/SECURE software, which is licensed with Base SAS software and is
  available in all deployments.
- You must use the ENCRYPTKEY= data set option when creating or accessing an
  AES encrypted data set unless the metadata-bound library administrator has securely
  recorded the encryption key in metadata to which the data set is bound. For more
  information, see “AUTHLIB” in Base SAS Procedures Guide and SAS Guide to
  Metadata-Bound Libraries.
- To copy an encrypted AES data file, the output engine must support AES encryption.
  Otherwise, the data file is not copied.
- Releases before SAS 9.4 cannot use an encrypted AES data file.
- You cannot encrypt SAS views, because they contain no data.
- If two or more data files are referentially related and any of them are AES encrypted,
  then all must be AES encrypted. The encryption key for all of the files must be the
  same unless the files are bound to metadata with the key securely recorded in the
  metadata. For more information about metadata-bound libraries, see “Metadata-
  Bound Library” in Base SAS Procedures Guide.
- If the data file has AES encryption, all associated indexes have AES encryption.
- You cannot use PROC CPORT on AES encrypted data files.
The ENCRYPTKEY= data set option does not protect the AES encrypted file from
deletion or replacement. AES encrypted data sets can be deleted by using either of the
following scenarios without having to specify an encrypt key value:
- the KILL option in PROC DATASETS
- the DROP statement in PROC SQL
The encrypt key only prevents access to the contents of the file. To protect the file from
unauthorized deletion or replacement with the SAS system, the file must also contain an
ALTER= password or be bound to metadata.
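The deletion caveat above, shown as an added example that is not part of the SAS documentation: the same AES-encrypted table is created once with only an encryption key and once with an ALTER= password as well. The data set names, the key value and the ALTER password are constructed placeholders.

```sas
/* Added example; names, key and password are constructed placeholders. */

/* Case 1: encryption key only. The key protects the contents, but,  */
/* as described above, it is not needed to drop the table.           */
data work.salary_keyonly(encrypt=aes
   encryptkey=Placeholder_Key_1);
   input name $ yrsal bonuspct;
   datalines;
Muriel 34567 3.2
Bjorn 74644 2.5
;
run;

proc sql;
   drop table work.salary_keyonly;   /* no ENCRYPTKEY= value supplied */
quit;

/* Case 2: encryption key plus ALTER= password. Reading still needs  */
/* only the key; deleting or replacing the file needs the password.  */
/* Each key and password option is coded on its own line so that it  */
/* is blotted in the SAS log.                                        */
data work.salary_protected(encrypt=aes
   encryptkey=Placeholder_Key_1
   alter=AltPw1);
   input name $ yrsal bonuspct;
   datalines;
Muriel 34567 3.2
Bjorn 74644 2.5
;
run;

proc print data=work.salary_protected(
   encryptkey=Placeholder_Key_1);
run;

proc sql;
   /* Without the ALTER= option this DROP is not authorized.         */
   drop table work.salary_protected(
      alter=AltPw1);
quit;
```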
The following example creates an encrypted data set using AES encryption:
data salary(encrypt=aes encryptkey=green);
input name $ yrsal bonuspct;
datalines;
Muriel 34567 3.2
Bjorn 74644 2.5
Freda 38755 4.1
Benny 29855 3.5
Agnetha 70998 4.1
;
To print this data set, specify the ENCRYPTKEY= key value:
proc print data=salary(encryptkey=green);
run;
quit;
TIP Each password and encryption key option must be coded on a separate line to
ensure that they are properly blotted in the SAS log.
If you omit the ENCRYPTKEY= key value when accessing an AES secured data set, a
dialog box appears and prompts you to add the ENCRYPTKEY= key value. If the data
set is metadata-bound and the key has been stored in the metadata for the library, the
dialog box does not appear.
734 Chapter 34 File Protection