Wednesday, 28 November 2012

NOTE: Metadata-Bound Libraries

Since the introduction of metadata-defined LIBNAMEs in the earliest days of version 9, it's been a frustration that the security that can be applied within SAS metadata to control who can access libraries can be completely undermined by users simply hand-coding an equivalent LIBNAME statement with a specific path to the data and thereby bypassing the SAS metadata security layer. It seems that V9.3 M2 introduced a solution to this, but it competely slipped under my radar - until now (my thanks to BS for alerting me to this).

The new SAS 9.3 Guide to Metadata-Bound Libraries tells us how data sets and views within metadata-bound libraries can only be accessed via the metadata-defined LIBNAME. The data sets are created with a special flag in their internal metadata which specifies their nature. Thus, access from SAS to data within a metadata-bound library is provided only if all of the following conditions are met:
  • The requesting user can connect to the metadata server in which the corresponding object is stored
  • The requesting user’s metadata identity has all required metadata-layer effective permissions for the requested action
  • The host identity with which the data is retrieved has all required host-layer access to the data.
In my view, this is a very significnt enhancement to the security of SAS data. SAS metadata has long provided powerful and flexible capabilities for protecting your data, but it has always been possible to completely bypass it and leave the OS-level security as the gatekeeper. Applying passwords to data has never been a great solution because of the weak encryption and the need to hard-code the passwords in SAS code.

The security provided by metadata-bound libraries is strong, even surviving when the physical table is recreated or replaced. The cornerstone of this approach is the fact that the physical table contains the flag to specify it's a metadata-bound table, so all elements of SAS are available to respect the need to check the access permissions via metadata.

Inevitably, it's not a panacea. For instance, you can only bind BASE SAS data sets and views, and you cannot bind concatenated libraries; and though the binding prevents unauthorised access from SAS, it does not prevent non-SAS access to the data (non-SAS access is limited only by the OS-level security), so it is still possible to delete or rename tables without authorisation via SAS metadata.

All of this is made possible by the new PROC AUTHLIB (there's no GUI interface for creating metadata-bound libraries yet). AUTHLIB's CREATE statement allows you to create the binding.

This is a hugely significant step forward for SAS security, and a major benefit to be derived for anybody considering an upgrade from any version of SAS prior to V9.3 M". And do note: It's the second maintenance release of V9.3; metadata-bound libraries are not available in earleir versions of V9.3.