In addition to being tied to a particular metadata object, a metadata-bound library also has a set of associated passwords. These passwords serve a secondary role, enabling administrators to recover metadata (for example, in the event that they accidentally delete a secured library object from the metadata) and ensuring that authorization decisions come from only valid sources.

Here are some details about these passwords:

- The passwords are recorded both in the physical data and in metadata.
- The passwords are always stored and transmitted in encrypted formats. Even if an encrypted password is captured, it can’t be submitted as a password value in SAS code.
- The passwords do not create access distinctions. For simplicity, we recommend that you use PW= to set a single password value, rather than specifying different password values using READ=, WRITE=, and ALTER=.

  However, each plain text password value can be only eight characters long. You might choose to set different password values (using READ=, WRITE=, and ALTER=) for greater security. In effect, setting different values can create a 24-character password.
- You can use the PWENCODE procedure to encode passwords for use in the AUTHLIB procedure. If you supply an encoded password, enclose it in quotation marks. All other encryption of the password (both in-transit and on-disk) occurs automatically. An encrypted password that is captured in transmission cannot be used.
- End users never have to supply these passwords, so they should neither know, nor have access to, the password values.
- In general, all metadata-bound tables within a particular metadata-bound library share the same set of passwords. Each library’s passwords are automatically applied to the tables within that library. However, the following exceptions exist:
  - Physical tables that existed in the operating system directory, with passwords, at the time that their parent metadata-bound library was created retain their pre-existing passwords. Such physical tables are not secured by metadata unless you modify their passwords to match the parent library’s passwords (using the AUTHLIB MODIFY statement).
  - Physical tables that you copy into a metadata-bound library using operating system commands yield the following results:
    - If the original tables are metadata-bound tables, the copied tables are protected by the same metadata-bound library that protected the original tables. The act of copying the physical tables into another metadata-bound library doesn’t cause a change to the protections.
    - If the original tables are not metadata-bound tables, the copied tables are not secured by metadata unless you explicitly apply the library passwords to them (using the AUTHLIB MODIFY statement).
- Use of metadata-bound libraries doesn’t involve prompting end users for secured library passwords.
- When it communicates authorization decisions, the metadata server supplies passwords that match passwords that are stored with the physical data, in order to prove that it is the valid source for those decisions.
- In order to use SAS to copy a metadata-bound table, you must have Read access (the Select permission) for the source table. The source table’s password is not applied to the new (output) table. If the new table is added to a metadata-bound library, that library’s password is applied to it. If the new physical table is added to a traditional library, the new table is not protected as a secured table or with passwords retained from the source table.
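
The password handling described in the list above, as an added example that is not part of the original documentation: encoding a password with PWENCODE, binding a library with a single PW= value or with three separate values, and then checking the library for tables that fall under the listed exceptions. The librefs, physical paths, folder and library object names, and the password value are constructed, and the encoded strings are placeholders to be replaced with the PWENCODE output.

```sas
/* Added example. All names, paths and password values are constructed. */

/* 1. Encode the password in an administrator session.
      PROC PWENCODE writes the encoded string to the SAS log. */
proc pwencode in='Lib8pass';   /* plain-text values are limited to eight characters */
run;

/* 2. Recommended form: bind the library with one password value (PW=).
      Paste the encoded string from the log in place of the placeholder
      and keep it enclosed in quotation marks. */
libname finlib '/data/finance';            /* hypothetical physical path */

proc authlib lib=finlib;
   create securedfolder='Finance'          /* hypothetical secured folder */
          securedlibrary='FinLibSec'       /* hypothetical secured library object */
          pw='<encoded-value-from-log>';
run;
quit;

/* 3. Alternative form: three different values. This creates no access
      distinctions; it only lengthens the secret that protects the binding
      (three 8-character values, in effect 24 characters). */
libname hrlib '/data/hr';                  /* hypothetical physical path */

proc authlib lib=hrlib;
   create securedfolder='HR'               /* hypothetical secured folder */
          securedlibrary='HrLibSec'        /* hypothetical secured library object */
          read='<encoded-read-value>'
          write='<encoded-write-value>'
          alter='<encoded-alter-value>';
run;
quit;

/* 4. After binding, and after any operating-system copy into the directory,
      compare the physical tables with the metadata. Tables that kept earlier
      passwords or were copied in unbound are not secured by metadata until
      their passwords are changed with the AUTHLIB MODIFY statement. */
proc authlib lib=finlib;
   report;
run;
quit;
```

Run the encoding step and the CREATE steps from sessions and program files that end users cannot read, since the encoded value is accepted wherever the plain-text password is.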