SAS/ACCESS Interface to SYSTEM 2000 Data Management Software: Reference

Specifying Passwords for SAS/ACCESS Descriptors

The SAS/ACCESS interface requires both access descriptors and view descriptors to have a SYSTEM 2000 password to access the database. The password for the access descriptor determines the picture of the database used to create view descriptors. The password for the view descriptor determines the data you see, and your ability to subset and edit it through the descriptor.

You specify the password for the access descriptor as part of the DATABASE statement. For the view descriptor, you have the option to store the SYSTEM 2000 password in the view descriptor (S2KPW statement) or submit it as a SAS data set option. Storing the SYSTEM 2000 password in a view descriptor enables all who use it to have access to its data. Relying on the data set option means giving users access to database passwords.

To protect your database passwords, you may want to store the SYSTEM 2000 password in the view descriptor and assign one or more SAS passwords to control access to the descriptor file. You can also assign SAS passwords to control who can create view descriptors from an access descriptor. To access the descriptor files, you specify the SAS password as a data set option. For example, to create a view descriptor, you would specify the access descriptor password after the ACCDESC= option as follows:

  proc access dbms=s2k accdesc=mylib.employee (alter=reward);
     create vlib.customer.view;
     select all;
  run;

You must first create descriptor files before assigning SAS passwords to them.

Password and Descriptor Interaction summarizes the levels of protection that SAS System passwords have and their effects on descriptor files.

Password and Descriptor Interaction
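| Descriptor type   | READ=                                         | WRITE=                                | ALTER=                                        |
|-------------------|-----------------------------------------------|---------------------------------------|-----------------------------------------------|
| access descriptor | no effect on descriptor                       | no effect on descriptor               | protects descriptor from being read or edited |
| view descriptor   | protects DBMS data from being read or updated | protects DBMS data from being updated | protects descriptor from being read or edited |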

For detailed information about the levels of protection and the types of SAS passwords you can use, refer to SAS Language Reference: Dictionary. For more information about protecting access and view descriptors, see Ensuring Data Security. The following section describes how you assign SAS System passwords to descriptors.


Assigning SAS System Passwords

You can assign, change, or clear a password for an access descriptor, a view descriptor, or another SAS file in the SAS System by using the DATASETS procedure's MODIFY statement. Here is the basic syntax for using PROC DATASETS to assign a password to an access descriptor, a view descriptor, or a SAS data file:

PROC DATASETS LIBRARY= libref MEMTYPE= member-type;
MODIFY member-name (password-level = password-modification);
RUN;

In this syntax statement, the password-level argument can have one or more of the following values: READ=, WRITE=, ALTER=, or PW=. PW= assigns read, write, and alter privileges to a descriptor or data file. The password-modification argument enables you to assign a new password or to change or delete an existing password.

For example, this PROC DATASETS statement assigns the password REWARD with the ALTER level of protection to the access descriptor MYLIB.EMPLOYE:

proc datasets library=mylib memtype=access;
   modify employe (alter=reward);
run;

In this case, users are prompted for the password whenever they try to browse or edit the access descriptor or to create view descriptors that are based on MYLIB.EMPLOYE.

In the next example, the PROC DATASETS statement assigns the passwords MYPW and MYDEPT with READ and ALTER levels of protection to the view descriptor VLIB.CUSTACCT:

proc datasets library=vlib memtype=view;
   modify custacct (read=mypw alter=mydept);
run;

In this case, users are prompted for the SAS password when they try to read the DBMS data, or try to browse or edit the view descriptor VLIB.CUSTACCT itself. You need both levels to protect the data and descriptor from being read. However, a user could still update the data accessed by VLIB.CUSTACCT, for example, by using a PROC SQL UPDATE. Assign a WRITE level of protection to prevent data updates.
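The following added example (not part of the original SAS documentation) shows one way to close that gap by assigning all three levels at once and then supplying the matching password for each kind of access. The view descriptor VLIB.CUSTPAY, the columns BALANCE and CUSTNUM, and the passwords are hypothetical.

```sas
/* Added example: VLIB.CUSTPAY, its columns, and the passwords
   below are hypothetical names chosen for illustration.        */

/* Assign a distinct SAS password at each level to a view
   descriptor that has no SAS passwords yet.
   READ=  guards reading the DBMS data,
   WRITE= guards updating the DBMS data,
   ALTER= guards reading or editing the descriptor itself.      */
proc datasets library=vlib memtype=view;
   modify custpay (read=rdpw write=wrpw alter=altpw);
run;
quit;

/* Reading the DBMS data: the READ password is sufficient. */
proc print data=vlib.custpay (read=rdpw);
run;

/* Updating the DBMS data: the WRITE password is supplied as a
   data set option on the table reference.                      */
proc sql;
   update vlib.custpay (write=wrpw)
      set balance = 0
      where custnum = 'C0001';
quit;
```

Giving each level its own password lets you hand out the READ password to report users while keeping the WRITE and ALTER passwords with the people who maintain the data and the descriptor.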

To delete a password on an access descriptor or any SAS data set, put a slash after the password:

proc datasets library=vlib memtype=view;
   modify custacct (read=mypw/ alter=mydept/);
run;

In the following example, PROC DATASETS sets a READ and ALTER password for view descriptor VLIB.CUSTINFO. PROC PRINT tries to use the view descriptor with both an invalid and valid password.

/* Assign passwords */
proc datasets library=vlib memtype=view;
  modify custinfo (read=r2d2 alter=c3po);
run;

/* Invalid password given */
proc print data=vlib.custinfo (pw=r2dq);
  where ssn = '178-42-6534';
  title2 'Data for 178-42-6534';
run;

/* Valid password given */
proc print data=vlib.custinfo (pw=r2d2);
  where ssn = '178-42-6534';
  title2 'Data for 178-42-6534';
run;

Refer to SAS Language Reference: Dictionary for more examples of assigning, changing, deleting, and using SAS System passwords.



Copyright 1999 by SAS Institute Inc., Cary, NC, USA. All rights reserved.