Chapter Contents

Previous

Next
SAS/SHARE User's Guide

Version 8 Method to Secure the SAS/SHARE Server

[IMAGE]Version 8 introduces a new method to secure the SAS/SHARE server by means of the USER= and PASSWORD= options to these SAS/SHARE statements:
PROC OPERATE
LIBNAME
Remote SQL Pass-Through

These security options can be set on any Version 8 SAS/SHARE client accessing a SAS/SHARE server that runs any version of SAS. The USER= and PASSWORD= options to these statements take precedence over the security options that vary according to the client host and the communications access method used.

Security Options Supported by Communications Access Method and Host
Client Host Communications Access Methods
APPC TCP/IP DecNET NetBIOS
Security Options

APPCSEC or APPC_SECURE* TCPSEC SASSECUR SASSECUR
CMS [bull] [bull]

OS/390 [bull] [bull]

OpenVMS
[bull] [bull]
OS/2 [bull] [bull]

UNIX [bull] [bull]

Windows [bull] [bull] [bull] [bull]
*APPCSEC applies to CMS and OS/390 hosts. APPC_SECURE is used for OS/2, UNIX, and Windows hosts.

To establish SAS/SHARE security in Version 8, you specify the USER= and PASSWORD= options in the appropriate statement on the client. On the server, you assign _SECURE_ to the security option that is appropriate for the access method that you use; for example, TCPSEC=_SECURE_.

If a Version 7 security option remains set on the client, the Version 8 specification of USER= and PASSWORD= in a SAS/SHARE statement overrides the previously set security option on the client. For example, the Version 8 USER= and PASSWORD= options in the LIBNAME statement will override the TCPSEC= _PROMPT_ option set on a UNIX client.

If a Version 8 client does not set USER= and PASSWORD= options, the Version 7 TCPSEC option, if set, would remain in effect in Version 8 because Version 8 maintains backward compatibility with Version 7.

Syntax and definitions are:

USER | USERNAME | USERID | UID= username | _PROMPT_
PASSWORD | PASSWD | PWD | PW= password | _PROMPT_

You must specify a username and password in order to access data by means of a secure SAS/SHARE server. Specifying these options allows clients whose usernames and passwords have been verified to access the server.

Username specifies the username of the remote host host on which the server runs. For a username on a Windows NT remote host only, the username can also include the domain name, which locates the specified username in a domain.

Password specifies the password of the remote host on which the server runs.

Supplying a userid and password by using the USER= and PASSWORD= options is more secure than assigning them by means of a security option (such as TCPSEC), which can be inadvertently publicized in a configuration file or in a log that contains an expanded security macro.

_PROMPT_ specifies that the SAS System prompts the client for userid and password. Hardcoding a username and password value to the USER= and PASSWORD= options limits the assignment to a single user whereas prompting permits any user to supply a username and password that are valid.

The values supplied for the USER= and PASSWORD= options are valid for the duration of the server connection. Subsequent client connections to the same server or to a different server require you to specify these options again. By contrast, as an example, the values assigned to TCPSEC in a client configuration file endure for subsequent connections to the same server and to different servers.

Here is a Version 8 example:

libname test user=joeblack password=born2run; # client side
%let tcpsec=_secure_; # server side

In this example, the values for USER= and PASSWORD= endure for the current server connection. Subsequent connections to the same server or to a different server require that you supply a username and password again. The _SECURE_ value assigned to the TCPSEC macro variable on the server persists for the duration of the current server session.

As a security precaution, USER= and PASSWORD= field entries in the client log are replaced with Xs.

If _PROMPT_ were specified, when presented with a prompt for password during a server connection, the client's entry would not be displayed on the screen.

If a Version 8 client on a Windows host set _PROMPT_ in a LIBNAME statement for connection to a server by using the TCP/IP access method, then the Version 8 behavior will override a conflicting setting in the client's configuration file. For example, the Version 8 USER=joeblack and PASSWORD=born2run settings take precedence over the following TCPSEC option set to _PROMPT_ in a client's configuration file.

-set tcpsec _prompt_;


Chapter Contents

Previous

Next

Top of Page

Copyright 1999 by SAS Institute Inc., Cary, NC, USA. All rights reserved.