The limitations of metadata-bound
libraries are as follows:
-
Only Base SAS data—SAS tables
(data sets) and SAS views—can be bound to metadata. In the
current release, you can create metadata-bound libraries for only
data that is processed by the BASE engine.
-
Concatenated libraries or temporary
libraries cannot be bound to metadata. However, metadata-bound libraries
can participate in a library concatenation.
-
Binding data to metadata does not
prevent the use of operating system commands against files and directories.
For example, a user who has Write access to an operating system directory
(in order to create physical tables) can use host commands to delete
and replace files within that directory. Such commands operate independently
of any metadata binding. However, replacement of files through operating
system commands is detected and audited.
See Auditing for Metadata-Bound Libraries.
-
-
In the current release, metadata-bound
libraries don’t support column-level permissions or metadata-based
permission conditions. However, you can create views that subset data
by columns or rows, and then set permissions to specify who can access
each view. Dynamic row-level filtering based on each requesting user’s
authenticated user ID is supported.
See Set Up Fine-Grained Access.
-
Clients that use metadata to locate
data can’t use secured library objects or secured table objects
for that purpose. To support access from such clients, each metadata-bound
library must also be registered in metadata as a traditional library
object.
Note: The metadata objects that
serve as bind targets for physical data are distinct from and independent
of the metadata objects that are used to register physical data. For
example, a physical library can be bound to a secured library object,
but can’t be bound to a traditional library object. Similarly,
tables within a metadata-bound library are bound to corresponding
secured table objects, not to traditional table objects. There are
no associations in metadata between secured library objects and traditional
library objects.
See Object Creation, Location, and Inheritance.
Note: In
the SAS metadata, a secured library object is functional only if it
exists within the
/System/Secured Libraries branch
of a repository. You can’t bind physical libraries to secured
library objects that are in other metadata locations. You can create
subfolders within a
/System/Secured Libraries branch.
In the SAS metadata, a secured table object can exist only within
a secured library object.
The following additional
limitations affect the availability of metadata-bound data:
-
Access to metadata-bound tables
is not supported in any release prior to the second maintenance release
of SAS 9.3.
Note: For a
z/OS direct-access
bound library that is bound to metadata, this constraint is slightly
broader: neither the library nor any of its members can be accessed
by earlier releases of SAS.
Note: An exception is that access
to metadata-bound tables through a
SAS/SHARE server is available to
earlier clients, if SQL statements are passed to the server and the
server is in the second maintenance release of SAS 9.3 (or later).
-
For the SAS OLE DB Local Data Provider,
access to metadata-bound tables is not supported. The SAS OLE DB Local
Data Provider uses a specialized standalone engine that provides access
to data sets from external programs without running SAS.
-
For the
SAS/SHARE Data Provider,
access to metadata-bound tables through a
SAS/SHARE server is available
only if SQL statements are passed to the server. The
SAS/SHARE Data
Provider is one of the SAS Providers for OLE DB.
-
For the
SAS/IntrNet Application
Dispatcher, access to metadata-bound tables is supported only if the
application server runs with AUTH=HOST.