SAS Companion for the OpenVMS Operating Environment
The SAS System
protects data sets, catalogs, and external files by using the normal OpenVMS access-control
measures: file protection and access control lists. These access-control measures
apply equally to SAS data sets, catalogs, and external files. SAS data set
security measures, such as data set "read" and "write"
passwords, are also available.
File protection is
a generalized way of controlling access to files, based on the relationship
of the file accessor to the file owner. File protection consists of four classes
of users who may access a file:
- SYSTEM refers to a user who has a system user identification code (UIC) or SYSPRV privilege. This class is typically reserved for the system manager and operations staff.
- OWNER refers to a user who has the same UIC as the user who created the file. At most sites, each user has a unique UIC, so the OWNER is always the person who created the file.
- GROUP refers to a user who has the same group number in his or her UIC as the creator of the file.
- WORLD refers to any other user on the system.
A typical file protection is specified as a list of
user classes and their permitted operations. Permitted operations are
- READ access is required in order to read a file. For example, you must have READ access to a file if you intend to browse, copy, or move it.
- WRITE access is required in order to change the attributes of a file, including its file protection, as well as to modify data in the file.
- EXECUTE access is required in order to execute files such as command procedures. It does not apply to OpenVMS data files such as SAS data sets, catalogs, or external files.
- DELETE access is required in order to delete or move a file.
A typical file-protection specification might be
(S:RWE, O:RWED, G:RE, W)
This example permits a SYSTEM user
to READ, WRITE, or EXECUTE the file.
The OWNER is permitted any operation
on the file. Members of the same GROUP as the user are permitted to READ or EXECUTE the
file. All other users are denied access to the file.
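The following Python sketch is an added example, not part of the SAS documentation: it parses a protection specification in the notation above and reports whether a given accessor may perform an operation. The (group, member) UIC tuples, the `system` flag, and the rule that a request succeeds when any class the accessor falls into grants it (with WORLD applying to every user) are assumptions of the example.

```python
# Added example: models the (S:..., O:..., G:..., W:...) notation described above.
CLASSES = {"S": "SYSTEM", "O": "OWNER", "G": "GROUP", "W": "WORLD"}
ACCESS = {"R": "READ", "W": "WRITE", "E": "EXECUTE", "D": "DELETE"}


def parse_protection(spec):
    """Turn '(S:RWE, O:RWED, G:RE, W)' into {class name: set of operations}."""
    body = spec.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    mask = {}
    for item in body.split(","):
        cls, _, letters = item.strip().upper().partition(":")
        if cls not in CLASSES or CLASSES[cls] in mask:
            raise ValueError(f"unknown or repeated user class in {item!r}")
        if not set(letters) <= set(ACCESS):
            raise ValueError(f"unknown access letter in {item!r}")
        # A class listed with no letters (W above) is granted no access.
        mask[CLASSES[cls]] = {ACCESS[c] for c in letters}
    return mask


def user_classes(accessor_uic, owner_uic, system=False):
    """Classes an accessor falls into; UICs are (group, member) tuples."""
    classes = {"WORLD"}  # assumption: WORLD access is open to every user
    if system:  # caller has a system UIC or SYSPRV
        classes.add("SYSTEM")
    if accessor_uic == owner_uic:
        classes.add("OWNER")
    if accessor_uic[0] == owner_uic[0]:
        classes.add("GROUP")
    return classes


def is_allowed(mask, operation, accessor_uic, owner_uic, system=False):
    """Assumption: a request succeeds if any applicable class grants it."""
    return any(operation in mask.get(cls, set())
               for cls in user_classes(accessor_uic, owner_uic, system))


if __name__ == "__main__":
    owner = (0o200, 0o1)  # constructed UIC [200,1]
    mask = parse_protection("(S:RWE, O:RWED, G:RE, W)")
    for who, uic in [("owner", owner), ("group", (0o200, 0o7)), ("world", (0o300, 0o2))]:
        print(who, sorted(op for op in ACCESS.values() if is_allowed(mask, op, uic, owner)))
```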
Specifying File Protection for a Process
To specify file
protection for the duration of your process (or
until you change the specification), use the SET PROTECTION/DEFAULT DCL
command. The /DEFAULT parameter tells OpenVMS to
apply the specification to every file that you create during your OpenVMS process
except those for which you explicitly specify file protection. For example,
the following command specifies new protection values for files that you subsequently
create:
$ SET PROTECTION=(S:RWE,O:RWED,G:RE,W)/DEFAULT
Specifying File Protection for Individual Files
To
specify file protection for a particular file or set of files, use the SET PROTECTION command
without the /DEFAULT parameter. For
example, the following SET PROTECTION command
sets new protection values for the file MYDATA.SAS7BDAT:
$ SET PROTECTION=(S:RWE,O:RWED,G:RWED,W:RE) -
_$ MYDATA.SAS7BDAT
For more information about file protection, refer to OpenVMS User's
Guide and OpenVMS Security
Manual.
Access
control lists (ACLs) provide more specific control over who can perform operations
on a file. ACLs allow each file to have a list of identifiers, which can be
either UICs or keyword names that are assigned by the system manager. Only
users with matching UICs or resource identifiers can perform operations on
the file.
The description of ACLs is beyond the scope of this
document. For more information, refer to OpenVMS Security
Guide.
Copyright 1999 by SAS Institute Inc., Cary, NC, USA. All rights reserved.