Encoded Passwords
Encoding a password enables you to write SAS programs without having to specify a
password in plain text. The PWENCODE procedure uses encoding to disguise
passwords. With encoding, one character set is translated to another character set
through some form of table lookup. An encoded password is intended to prevent casual,
non-malicious viewing of passwords. You should not depend on encoded passwords for
all your data security needs; a determined and knowledgeable attacker can decode the
encoded passwords.
When an encoded password is used, the syntax parser decodes the password and
accesses the file. The encoded password is never written in plain text to the SAS log.
SAS does not accept passwords longer than eight characters. If an encoded password is
decoded and is longer than eight characters, SAS reads it as an incorrect password and
sends an error message to the SAS log. For more information, see “PWENCODE
Procedure” in Base SAS Procedures Guide.
Using Passwords with Views
Levels of Protection
The levels of protection for SAS views and stored programs are similar to the levels of
protection for other types of SAS files. However, with SAS views, passwords affect not
only the underlying data, but also the view’s definition (or source statements).
You can specify three levels of protection for SAS views: Read, Write, and Alter. The
following section describes how these data set options affect the underlying data as well
as the view’s descriptor information. Unless otherwise noted, the term “view” refers to
any type of SAS view and the term “underlying data” refers to the data that is accessed
by the SAS view:
Read
• protects against reading of the SAS view's underlying data
• prevents the display of source statements in the SAS log when using DESCRIBE
• allows replacement of the SAS view
Write
• protects the underlying data associated with a SAS view by insisting that a Write
password is given
• prevents the display of source statements in the SAS log when using DESCRIBE
• allows replacement of the SAS view
Alter
• prevents the display of source statements in the SAS log when using DESCRIBE
• protects against replacement of the SAS view
Like passwords for other SAS files, the Read, Write, and Alter passwords for views are
hierarchical. The Alter password is the most restrictive and the Read password is the
least restrictive. To DESCRIBE a password-protected view, you must specify its
Using Passwords with Views 735
password. If the view was created with more than one password, you must use its most
restrictive password to DESCRIBE the view.
For example, to DESCRIBE a view that has both Read and Write protection, you must
specify its Write password. Similarly, to DESCRIBE a view that has both Read and Alter
protection, you must specify its Alter password (since Alter is the more restrictive of the
two).
The following program shows how to use the DESCRIBE statement to view the
descriptor information for a Read-protected and Alter-protected view:
/*create a view with read and alter protection*/
data exam / view=exam(read=read alter=alter);
set grades;
run;
/*describe the view by specifying the most restrictive password */
data view=exam(alter=alter);
describe;
run;
Log 36.1 Password-protected View
NOTE: DATA step view WORK.EXAM is defined as:
data exam / view=exam(read=XXX alter=XXXXX);
set grades;
run;
NOTE: DATA statement used (Total process time):
real time 0.01 seconds
cpu time 0.01 seconds
For more information, see “DESCRIBE Statement” in SAS DATA Step Statements:
Reference and “DATA Statement” in SAS DATA Step Statements: Reference.
In most DATA and PROC steps, the way you use password-protected views is consistent
with how you use other types of password-protected SAS files. For example, the
following PROC PRINT prints a Read-protected view:
proc print data=mylib.grade(read=green);
run;
Note: You might experience unexpected results when you place protection on a SAS
view if some type of protection is already placed on the underlying data set.
PROC SQL Views
Typically, when you create a PROC SQL view from a password-protected SAS data set,
you specify the password in the FROM clause in the CREATE VIEW statement using a
data set option. In this way, you can access the underlying data without re-specifying the
password when you use the view later. For example, the following statements create a
PROC SQL view from a Read-protected SAS data set, and drop a sensitive variable:
proc sql;
create view mylib.emp as
select * from mylib.employee(pw=orange drop=salary);
quit;
Note: You can create a PROC SQL view from password-protected SAS data sets
without specifying their passwords. Use the view that you are prompted for the
736 Chapter 36 • File Protection
Get SAS 9.4 Language Reference, 6th Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
