SAS 9.4 Language Reference, 6th Edition by SAS Institute

passwords of the SAS data sets named in the FROM clause. If you are running SAS
in batch or noninteractive mode, you receive an error message.
SAS/ACCESS Views
SAS/ACCESS software enables you to edit View descriptors and, in some interfaces, the
underlying data. To prevent someone from editing or reading (browsing) the View
descriptor, assign Alter protection to the view. To prevent someone from updating the
underlying data, assign Write protection to the view. For more information, see the
SAS/ACCESS documentation for your DBMS.
DATA Step Views
When you create a DATA step view using a password-protected SAS data set, specify
the password in the View definition. In this way, when you use the view, you can access
the underlying data without respecifying the password.
The following statements create a DATA step view using a password-protected SAS data
set, and drop a sensitive variable:
   data mylib.emp / view=mylib.emp;
      set mylib.employee(pw=orange drop=salary);
   run;
Note that you can use the SAS view without a password, but access to the underlying
data requires a password. This is one way to protect a particular column of data. In the
above example, proc print data=mylib.emp; executes, but
proc print data=mylib.employee; fails without the password.
SAS Data File Encryption
About Encryption on SAS Data Files
SAS passwords and metadata-bound data sets restrict access to SAS data sets within
SAS. But neither can prevent SAS data sets from being viewed at the operating
environment system level or from being read by an external program. Encryption
provides security of your SAS data outside of SAS by writing to disk the encrypted data
that represents the SAS data. The data is decrypted by the SAS system as it is read from
the disk, but is not decrypted when read at the operating system level or by external
programs.
Encryption does not affect file access. However, SAS honors all host security
mechanisms that control file access and can extend host security mechanisms by binding
the data sets to metadata. You can use encryption and those security mechanisms
together.
There are two types of algorithms that SAS uses for encrypting data files:
- SAS Proprietary Encryption is implemented with the ENCRYPT=YES data set option.
- AES (Advanced Encryption Standard) encryption is implemented with the
  ENCRYPT=AES data set option.
Beginning with the first maintenance release of 9.4, a metadata-bound library
administrator can require that all data files in the bound library be encrypted with one of
the two algorithms. For more information, see “Requiring Encryption for Metadata-
Bound Data Sets” in Base SAS Procedures Guide and SAS Guide to Metadata-Bound
Libraries.
Table 34.1 Encryption Features

Features                           ENCRYPT=YES                                  ENCRYPT=AES
License required                   No                                           No
Encryption level                   Medium                                       High
Algorithm supported                SAS Proprietary (within Base SAS software)   AES
Installation required              No (part of Base SAS software)               No SAS/SECURE (delivered with Base SAS software)
Operating environments supported   UNIX, Windows, z/OS                          UNIX, Windows, z/OS
SAS version support                8 and later                                  9.4 and later
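
The two ENCRYPT= settings from Table 34.1 side by side, as an added example that is not part of the SAS documentation. It assumes the MYLIB libref and the password-protected MYLIB.EMPLOYEE data set from the DATA step view example above; the output data set names, the READ= password, and the ENCRYPTKEY= value (the data set option that supplies the AES key, not shown on this page) are constructed for illustration.

```sas
/* Added example: assumes libref MYLIB is assigned and that              */
/* MYLIB.EMPLOYEE is protected with pw=orange, as in the view example.   */
/* Output names, the READ= password and the key value are constructed.   */

/* Medium level: SAS Proprietary Encryption.                             */
/* ENCRYPT= is honored only when the data file is created, and a        */
/* password (READ= at minimum) must be assigned in the same step.        */
data mylib.emp_prop(encrypt=yes read=Orange42);
   set mylib.employee(pw=orange);
run;

/* High level: AES encryption.                                           */
/* The key is supplied with ENCRYPTKEY= instead of being derived from    */
/* the data set password.                                                */
data mylib.emp_aes(encrypt=aes encryptkey="Constructed-Passphrase-01");
   set mylib.employee(pw=orange);
run;

/* Reading either file back requires the matching credential.            */
proc print data=mylib.emp_prop(read=Orange42);
run;

proc print data=mylib.emp_aes(encryptkey="Constructed-Passphrase-01");
run;

/* Check the result: the attribute listing from PROC CONTENTS includes   */
/* an Encrypted entry for each data file.                                */
proc contents data=mylib.emp_prop(read=Orange42);
run;

proc contents data=mylib.emp_aes(encryptkey="Constructed-Passphrase-01");
run;
```

Both files are unreadable at the operating system level, but only the AES file avoids the 32-bit key limit described under SAS Proprietary Encryption.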
See Also
“AUTHLIB” in Base SAS Procedures Guide
SAS Proprietary Encryption
SAS Proprietary Encryption is licensed with Base SAS software and is available in all
deployments. There are two types of SAS Proprietary Encryption.
- A 32-bit rolling-key encryption technique that is used for SAS data set encryption
  with passwords.
  This encryption technique for SAS data sets uses parts of the passwords that are
  stored in the SAS data set as part of the 32-bit rolling key encoding of the data. This
  encryption provides a medium level of security. Users must supply the appropriate
  passwords to authorize their access to the data, but with the speed of today’s
  computers, it could be subjected to a brute force attack on the 2,563,160,682,591
  possible combinations of valid password values, many of which must produce the
  same 32-bit key. SAS/SECURE and data set support of AES, which is also shipped
  with Base SAS software, provides a higher level of security.
- A 32-bit fixed-key encryption routine used for communications, such as passwords
  for login objects, passwords in configuration files, login passwords, internal account
  passwords, and so on.
SAS Proprietary Encryption for SAS data sets is implemented with the ENCRYPT= data
set option. You can use the ENCRYPT= data set option only when you are creating a
SAS data file. You must also assign a password when encrypting a data file with SAS
Proprietary Encryption. At a minimum, you must specify the READ= data set option or
732 Chapter 34 File Protection
