Chapter Contents


SAS Companion for the OpenVMS Operating Environment

Data Security

The SAS System protects data sets, catalogs, and external files by using the normal OpenVMS access-control measures: file protection and access control lists. These access-control measures apply equally to SAS data sets, catalogs, and external files. SAS data set security measures, such as data set "read" and "write" passwords, are also available.

File Protection

File protection is a generalized way of controlling access to files, based on the relationship of the file accessor to the file owner. File protection consists of four classes of users who may access a file:

refers to a user who has a system user identification code (UIC) or SYSPRV privilege. This class is typically reserved for the system manager and operations staff.

refers to a user who has the same UIC as the user who created the file. At most sites, each user has a unique UIC, so the OWNER is always the person who created the file.

refers to a user who has the same group number in his or her UIC as the creator of the file.

refers to any other user on the system.

A typical file protection is specified as a list of user classes and their permitted operations. Permitted operations are

READ access
is required in order to read a file. For example, you must have READ access to a file if you intend to browse, copy, or move it.

WRITE access
is required in order to change the attributes of a file, including its file protection, as well as to modify data in the file.

EXECUTE access
is required in order to execute files such as command procedures. It does not apply to OpenVMS data files such as SAS data sets, catalogs, or external files.

DELETE access
is required in order to delete or move a file.

A typical file-protection specification might be


This example permits a SYSTEM user to READ, WRITE, or EXECUTE the file. The OWNER is permitted any operation on the file. Members of the same GROUP as the user are permitted to READ or EXECUTE the file. All other users are denied access to the file.

Specifying File Protection for a Process

To specify file protection for the duration of your process (or until you change the specification), use the SET PROTECTION/DEFAULT DCL command. The /DEFAULT parameter tells OpenVMS to apply the specification to every file that you create during your OpenVMS process except those for which you explicitly specify file protection. For example, the following command specifies new protection values for files that you subsequently create:


Specifying File Protection for Individual Files

To specify file protection for a particular file or set of files, use the SET PROTECTION command without the /DEFAULT parameter. For example, the following SET PROTECTION command sets new protection values for the file MYDATA.SAS7BDAT:


For more information about file protection, refer to OpenVMS User's Guide and OpenVMS Security Manual.

Access Control Lists

Access control lists (ACLs) provide more specific control over who can perform operations on a file. ACLs allow each file to have a list of identifiers, which can be either UICs or keyword names that are assigned by the system manager. Only users with matching UICs or resource identifiers can perform operations on the file.

The description of ACLs is beyond the scope of this document. For more information, refer to OpenVMS Security Guide.

Chapter Contents



Top of Page

Copyright 1999 by SAS Institute Inc., Cary, NC, USA. All rights reserved.