passwords of the SAS data sets named in the FROM clause. If you are running SAS
in batch or noninteractive mode, you receive an error message.
SAS/ACCESS Views
SAS/ACCESS software enables you to edit View descriptors and, in some interfaces, the
underlying data. To prevent someone from editing or reading (browsing) the View
descriptor, assign Alter protection to the view. To prevent someone from updating the
underlying data, assign Write protection to the view. For more information, see the
SAS/ACCESS documentation for your DBMS.
DATA Step Views
When you create a DATA step view using a password-protected SAS data set, specify
the password in the View definition. In this way, when you use the view, you can access
the underlying data without respecifying the password.
The following statements create a DATA step view using a password-protected SAS data
set, and drop a sensitive variable:
data mylib.emp / view=mylib.emp;
set mylib.employee(pw=orange drop=salary);
run;
Note that you can use the SAS view without a password, but access to the underlying
data requires a password. This is one way to protect a particular column of data. In the
above example, proc print data=mylib.emp; executes, but proc print
data=mylib.employee;
fails without the password.
SAS Data File Encryption
About Encryption on SAS Data Files
SAS passwords and metadata-bound data sets restrict access to SAS data sets within
SAS. But neither can prevent SAS data sets from being viewed at the operating
environment system level or from being read by an external program. Encryption
provides security of your SAS data outside of SAS by writing to disk the encrypted data
that represents the SAS data. The data is decrypted by the SAS system as it is read from
the disk, but is not decrypted when read at the operating system level or by external
programs.
Encryption does not affect file access. However, SAS honors all host security
mechanisms that control file access and can extend host security mechanisms by binding
the data sets to metadata. You can use encryption and those security mechanisms
together.
There are three types of algorithms that SAS uses for encrypting data files:
• SAS Proprietary Encryption on page 738 is implemented with the ENCRYPT=YES
data set option.
• AES (Advanced Encryption Standard) encryption on page 739 is implemented with
the ENCRYPT=AES or ENCRYPT=AES2 data set option.
SAS Data File Encryption 737
Beginning in SAS 9.4M1, a metadata-bound library administrator can require that all
data files in the bound library be encrypted with one of the three algorithms. For more
information, see “Requiring Encryption for Metadata-Bound Data Sets” in Base SAS
Procedures Guide and SAS Guide to Metadata-Bound Libraries.
Table 36.1 Encryption Features
Features ENCRYPT=YES ENCRYPT=AES ENCRYPT=AES2
License required No No No
Encryption level Medium High Highest
Algorithm supported SAS Proprietary
(within Base SAS
software)
AES AES2
Installation required No (part of Base
SAS software)
No SAS/SECURE
(delivered with
Base SAS software)
No SAS/SECURE
(delivered with
Base SAS software)
Operating environments
supported
UNIX
Windows
z/OS
UNIX
Windows
z/OS
UNIX
Windows
z/OS
SAS version support 8 and later 9.4 and later 9.4m5 and later
See Also
“AUTHLIB Procedure” in Base SAS Procedures Guide
SAS Proprietary Encryption
SAS Proprietary Encryption is licensed with Base SAS software and is available in all
deployments. There are two types of SAS Proprietary Encryption.
• A 32-bit rolling-key encryption technique that is used for SAS data set encryption
with passwords.
This encryption technique for SAS data sets uses parts of the passwords that are
stored in the SAS data set as part of the 32-bit rolling key encoding of the data. This
encryption provides a medium level of security. Users must supply the appropriate
passwords to authorize their access to the data, but with the speed of today’s
computers, it could be subjected to a brute force attack on the 2,563,160,682,591
possible combinations of valid password values. Many of which must produce the
same 32-bit key. SAS/SECURE and data set support of AES, which is also shipped
with Base SAS software, provides a higher level of security.
• A 32-bit fixed-key encryption routine used for communications, such as passwords
for login objects, passwords in configuration files, login passwords, internal account
passwords, and so on.
SAS Proprietary Encryption for SAS data sets is implemented with the ENCRYPT= data
set option. You can use the ENCRYPT= data set option only when you are creating a
SAS data file. You must also assign a password when encrypting a data file with SAS
Proprietary Encryption. At a minimum, you must specify the READ= data set option or
738 Chapter 36 • File Protection
Get SAS 9.4 Language Reference, 6th Edition now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
