Last time we discussed the fundamentals of SAS data and how we reference that data in SAS Foundation. Now, we will turn our attention to how you access and protect data when you want to expose data through SAS clients versus the traditional LIBNAME method.
Before we start talking about data metadata, let’s introduce what SAS means by metadata. In SAS Version 9 (circa 2004), users were introduced to the SAS Metadata Server. In the world of SAS, metadata refers fairly specifically to the following concepts (with representative examples):
- Business Metadata – conceptual information that describes objects that represent the real world such as business groups and which users belong to those groups
- Technical Metadata – structure and content of tables, databases, OLAP cubes, columns, servers, report definitions and characteristics
- Process Metadata – what happened during the processing such as how long a job took, how many records were updated, who accessed what table
In the discussion here, the focus will be on the intersection of business and technical metadata where we look more closely at the metadata about data and demonstrate the flow from physical data to metadata represented in the SAS clients, specifically SAS Enterprise Guide.
Metadata in SAS Enterprise Guide
Our previous post showed an example of a library as seen in one of our clients, SAS Enterprise Guide (referred to as EG).
We demonstrated how to navigate this library by expanding the server (SASApp) to view libraries defined to the system.
In EG, you can allocate a library manually by including a LIBNAME statement in your program and submitting it. (See note below.) Alternatively, you can define the library in the SAS Metadata Server so that it’s “automagically” there for your users.
Why assign libraries
You might notice that we have three libraries in our list above that have white icons (filing cabinets) whereas some are yellow. The yellow filing cabinets have either been assigned by submitting a LIBNAME statement in the current session or preassigned as defined in the SAS Metadata Server. Unless a library has been assigned, you cannot use it in your program. For example, when I try to run the following program:
PROC Print data=mydata.postassessments; run;
The program will fail with the following error:
ERROR: Libname MYDATA is not assigned.
To remedy this, you would need to assign the library. You can do this manually by right-clicking on the library icon and selecting assign or through a Metadata Libname Engine, which we will explore in detail below.
Pros and cons of pre-assigned libraries
If you want these libraries to be assigned automatically when your users connect to the server, you can select the pre-assign option on the library definition or include this in an autoexec process flow, which can be run automatically when you open an EG project.
An alternative method is to have EG run a specific program when connecting to the SAS Workspace Server.
Recently, I had an interesting conversation with a customer on the benefits of pre-assignment versus “just in time”. On one hand, pre-assigning libraries makes them available to clients without having to know which libraries might be referenced in a particular EG Project.
Pre-assigning may have an advantage if you have projects with lots of process flows and steps and can’t always remember which libraries are being referenced, because it avoids the error we saw above. Conversely, EG startup time is slower when the system has to allocate these libraries and interrogate the metadata for each of them.
Metadata Libname Engine
So far, we have discussed using LIBNAMEs directly through a native engine (like BASE) or one that is assigned by the SAS administrator. If you want your users to be able to access them through clients like EG, the latter works fine. However, if you are running this code in batch, you’ll need to get those libraries assigned somehow. This is where the power of the SAS Metadata Libname Engine (MLE) comes into play.
The MLE is a SAS LIBNAME engine that uses the metadata server to enforce access control so that only authorized users and groups can access the library. In addition, the MLE enforces fine-grained security on the library or table or both.
For example, let’s say that I have a library defined in metadata called MYDATA.
Comparing user views of data using the two methods
We will first show what the library looks like when we allocate it using a physical LIBNAME and show the results in EG.
libname mydata "/stornext/sas/userdata/projects/thottest/datalib";
Note that we have four physical tables, which match the directory listing above.
Now, let’s register this library using the SAS Management Console and grant users ReadMetadata and Read privileges to the table. We’ll also register only one of the four tables so we can see how EG “sees” the library.
Similarly, we can issue a LIBNAME statement using the MLE and run a PROC DATASETS on the dataset to see what the user sees.
libname mydata2 META library="metaref";
PROC DATASETS NOLIST NODETAILS;
CONTENTS DATA=MYDATA2._all_;
RUN;
Notice that both visual displays of our new library in EG show only the one dataset that was registered.
Similarly, when we run a PROC DATASETS on the dataset, the output only displays the information accessible by the user based on the metadata.
Compare this with the same output based on the physical LIBNAME statement.
libname mydata "/stornext/sas/userdata/projects/thottest/datalib";
PROC DATASETS NOLIST NODETAILS;
CONTENTS DATA=MYDATA._all_;
RUN;
So now we begin to see how physical references to the data versus metadata references to the data can affect what users can see and how they interact with data.
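The same comparison can be done in a single step, which is useful as an administrator's check of which tables the metadata layer is hiding but a physical LIBNAME would still expose. This is an added example, not code from the original post; it reuses the post's path and library="metaref" value, the WORK table names are made up for illustration, and it assumes the session is already connected to the metadata server (as an EG workspace session is).

```sas
/* Added example (not from the original post).                        */
/* Assumes metadata server connection options are already in effect.  */

/* Physical reference: engine reads the directory directly */
libname mydata  "/stornext/sas/userdata/projects/thottest/datalib";

/* Metadata reference: the MLE shows only registered, authorized tables */
libname mydata2 META library="metaref";

proc sql;
   /* Tables visible through the physical libref */
   create table work.phys_tables as
   select memname
   from dictionary.tables
   where libname = 'MYDATA' and memtype = 'DATA';

   /* Tables visible through the Metadata Libname Engine */
   create table work.meta_tables as
   select memname
   from dictionary.tables
   where libname = 'MYDATA2' and memtype = 'DATA';

   /* Difference: present on disk, but not visible through metadata */
   title "Tables exposed by the physical LIBNAME but not by the MLE";
   select p.memname
   from work.phys_tables as p
   where p.memname not in (select memname from work.meta_tables)
   order by p.memname;
quit;
title;

/* Release both librefs so the check leaves no assignments behind */
libname mydata  clear;
libname mydata2 clear;
```

With the setup described in this post (four physical tables, one registered), the report lists the three unregistered tables. Any table on that list is protected only by file-system permissions on the directory, not by metadata authorization.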
Next time, we will explore pre-assigned libraries in detail and especially how the various options affect whether users can read or both read and write data. In addition, we’ll explore some best practices for managing access to SAS data so that we don’t run into issues of users locking datasets, which may cause problems when we want to update the data in our scheduled Data Integration Studio jobs.
Until then… Happy Data!
Note: If you are interested in administering certain aspects of Enterprise Guide, take a look at Best Practices for Administering SAS® Enterprise Guide® by Casey Smith at SAS. He describes a few methods to restrict users’ ability to bypass metadata security when they issue their own LIBNAME statement.