Date: Fri, 14 Nov 2003 18:22:23 -0500
Reply-To: Dwight Buffum <Dwight.Buffum@TARGET.COM>
Sender: "SAS(r) Discussion" <SAS-L@LISTSERV.UGA.EDU>
From: Dwight Buffum <Dwight.Buffum@TARGET.COM>
Subject: Securing passwords in SAS code
We are running SAS V8.2 and SPD Server V3.0 on Solaris. Our table-driven
autoexec.sas startup routine assigns all of a user's normal SPDS librefs,
which require SPDS passwords. Some of the passwords are for read-write
SPDS IDs and should be concealed. The SAS log shows the LIBNAME statements
with X's replacing the passwords. The problem is how to let a user's
Solaris ID run our autoexec.sas routine without any of the following
1. reveal a password in the SAS log (ECHOAUTO, SOURCE2, SYMBOLGEN, MPRINT).
2. user browse or read passwords used as input to autoexec.sas routine.
We think we can minimize the risk of revealing a password in the SAS log
by having a subroutine of the autoexec.sas routine generate Solaris
environment variables which appear in the generated LIBNAME statements
like: LIBNAME lib_spds SASSPDS 'domain' PASSWD="%SYSGET(PW_SPDS_RW)" ...;.
We request assistance in solving the remaining problem of securely
generating the environment variables for the passwords under the control
of the autoexec.sas routine being run by any user. We would also
appreciate any additional insights and guidelines on this subject.
SAS Alliance Partner