Chapter Contents


SAS/ACCESS Software for Relational Databases: Reference

SAS System Passwords for SAS/ACCESS Descriptors

The SAS System enables you to control access to SAS data sets and access descriptors by associating one or more SAS System passwords with them. You must first create the descriptor files before you assign SAS passwords to them, as described in Assigning Passwords.

Password and Descriptor Interaction summarizes the levels of protection that SAS System passwords have and their effects on access descriptors and view descriptors:

Password and Descriptor Interaction

access descriptor no effect on descriptor no effect on descriptor protects descriptor from being read or edited
view descriptor protects DBMS data from being read or updated protects DBMS data from being updated protects descriptor from being read or edited

When you create or update view descriptors, you can use a SAS data set option after the ACCDESC= option to specify the access descriptor's password (if one exists). In this case, you are not assigning a password to the view descriptor that is being created or updated; rather, using the password grants you permission to use the access descriptor to create or update the view descriptor. For example:

proc access dbms=sybase accdesc=adlib.customer
  create vlib.customer.view;
  select all;

By specifying the ALTER level of password, you can read the ADLIB.CUSTOMER access descriptor and create the VLIB.CUSTOMER view descriptor.

Assigning Passwords

To assign, change, or delete a SAS password, you can also use the DATASETS procedure's MODIFY statement or the global SETPASSWORD command, which opens a dialog box. Here is the basic syntax for using PROC DATASETS to assign a password to an access descriptor, a view descriptor, or a SAS data file:

MODIFY member-name (password-level = password-modification);

In this syntax statement, the password-level argument can have one or more of the following values: READ=, WRITE=, ALTER=, or PW=. PW= assigns read, write, and alter privileges to a descriptor or data file. The password-modification argument enables you to assign a new password or to change or delete an existing password. For example, this PROC DATASETS statement assigns the password MONEY with the ALTER level of protection to the access descriptor ADLIB.SALARIES.

proc datasets library=adlib memtype=access;
   modify salaries (alter=money);

In this case, users are prompted for the password whenever they try to browse or update the access descriptor or to create view descriptors that are based on ADLIB.SALARIES.

You can assign multiple levels of protection to a descriptor or SAS data file. In the next example, the PROC DATASETS statement assigns the passwords MYPW and MYDEPT with READ and ALTER levels of protection to the view descriptor VLIB.JOBC204:

proc datasets library=vlib memtype=view;
   modify jobc204 (read=mypw alter=mydept);
In this case, users are prompted for the SAS password when they try to read the DBMS data, or try to browse or update the view descriptor VLIB.JOBC204. You need both levels to protect the data and descriptor from being read. However, a user could still update the data accessed by VLIB.JOBC204, for example, by using a PROC SQL UPDATE. Assign a WRITE level of protection to prevent data updates.

Note:   When you assign multiple levels of passwords, use a different password for each level to ensure that you grant only the access privileges that you intend.  [cautionend]

To delete a password on an access descriptor or any SAS data set, put a slash after the password:

proc datasets library=vlib memtype=view;
   modify jobc204 (read=mypw/ alter=mydept/);

Chapter Contents



Top of Page

Copyright 1999 by SAS Institute Inc., Cary, NC, USA. All rights reserved.