About Author

Chris Hemedinger

Director, SAS User Engagement

+Chris Hemedinger is the Director of SAS User Engagement, which includes our SAS Communities and SAS User Groups. Since 1993, Chris has worked for SAS as an author, a software developer, an R&D manager and a consultant. Inexplicably, Chris is still coasting on the limited fame he earned as an author of SAS For Dummies


  1. Hi, Can you please suggest me ways to learn SAS coding from basics.
    What would be the good way to start? Any links or any books to start with?

    Thank you

  2. Hi Chris,

    This is very interesting.

    - By any chance, could we restrict the LOCKDOWN system option for a single account / technical user group using System Option restrictions at the Foundation level ?

    Thus we could expect the same behaviour as in your example.
    Thanks for pointing out the supreme stealth mode, which uses a file out of the user's scope to define the White list : since LOCKDOWN mode prevents the user to assign any pointer Libname / Fileref to this location, it's successfully squaring the circle ! :-)


    • Chris Hemedinger
      Chris Hemedinger on

      Ronan, LOCKDOWN is an option that can be restricted, technically. So yes, if you configured an environment with user-specific RSASV9.CFG files you could trigger LOCKDOWN for certain users.

      Then, if had user-specific AUTOEXEC files, I suppose you could point the LOCKDOWN statement to the appropriate whitelist per user. Or have a generic one as in my example, and include logic to trigger the LOCKDOWN statement conditionally.

      • Thanks, Chris. I couldn't retrieve the link but that's not important. I agree with your solution.
        The permission loophole can be said to be closed, this time ;-).

  3. Pingback: Making plans for SAS Global Forum 2014 - SAS Users Groups

  4. Pingback: New superpowers for SAS administrators - SAS Users Groups

  5. Hi Chris,
    With this topic repeating there should be the repeating notes. You are not surprised.

    For the “to be” administrators:
    Security amdin guide: http://support.sas.com/documentation/cdl/en/bisecag/67045/HTML/default/viewer.htm
    Watch all those notes on the needed OS layer controls, mostly associated with –cautions-.
    Locked-down Servers
    “You can limit the reach and activities of a SAS server by putting it in a locked-down state. This feature supplements the standard operating system-level and metadata-layer protections by giving SAS processes access to only specific physical resources on the server. This feature is intended for sites that need an extra level of security. For example, you might want to physically segregate sensitive data from other data by placing the sensitive data on a separate, locked-down server.”

    Not only this bisecag is having those notes, a lot of other SAS manuals having same ones (RTFM).
    - For SAS-VA (6.4 vaaug.pdf 105) mentioning that with the data-administrators.
    - For metdatabound see: Who Should Use Metadata-Bound Libraries?
    “You have not already met your security requirements through a combination of physical layer (operating system) separation and customized configuration of your SAS servers.”

    It is a killing factor to analytics trying to put those in a fixed process like most business proceses. That is the old COBOL waterfall approach building silos in organizations.
    The gains should come form the freedom of doing anytics on data. The big successfactor of Excel. The major differentator to Excel do that in a controlled auditable way.

    The real world problems:
    • Just focussing on some this technical features in SAS is giving a lot of people the false hope they do not need to understand OS-layers.
    • A very old IT approach of not wanting or capable to cooperate wiht analytical environments. For Unix environments using those by users is often not in scope.
    • There are many organizations lacking the required knowledge for OS-layers.
    • Role Based Acces Control, being auditable traceable, data governance with standard of good practice

    Just words don not help much, perhaps images will do.
    It is a misperception on how to get a secure installation, something like:

    As the OS layers are the foundation of your installation, ask yourself what happens when that foundation is not reliable.
    Information is not physical as that for most people too difficult. Build something nice on top and things like this happen:

    By the way(1):
    SAS has missed the opportunity to be kept present at log-analyses for security auditing. Once Mics MXG (SAS IT service visison) where wanted skills.
    Those people (secyurity auditors) have developed big aversion to SAS on their big data analsyes, pulling in other tools for BI and analytics into companies.

    By the way(2):
    Encrypting SAS datasets is a nice feature of SAS-foundation. But using EGuide….. no available features to do that.
    Even a system-failure when you try to add records to encrypted dataset with EGuide. It removes the read password without any note of that.
    All very annoying and I see them as failures.

  6. Muhammad Hammad on

    SAS 9.13 portable is not working on my computer Windows 7 64 bit.
    The following error comes in message box:

    ERROR: Cannot open "C:\Program Files\SAS\SAS 9.1\nls\en\SASV9.CFG"
    SAS option '-PATH' not set.
    Check configuration file, SAS environment options or command line options.
    SAS option '-RESOURCESLOC' not set.
    Check configuration file, SAS environment options or command line options.
    SASTBTraceBackCtx has been called with a
    string ("vacrash") instead of a CONTEXT pointer.
    Address   Frame     (DBGHELP API Version 4.0 rev 5)
    5C8D200D  051EBF30  tkmk:tkBoot+0x20FE9
    5C8D1E0F  051EBF3C  tkmk:tkBoot+0x20DEB
    5C8C826E  051EBF5C  tkmk:tkBoot+0x1724A
    04B2754F  051EBF7C  sashost:Main+0xD08BF
    04A5D974  051EBF9C  sashost:Main+0x6CE4
    04A51A33  051EBFF4  sashost:rtmdoit+0x1DF
    04AED53D  051EC000  sashost:Main+0x968AD
    04A7C353  051EC050  sashost:Main+0x256C3
    04A7AB9C  051EC080  sashost:Main+0x23F0C
    04A5119D  051EC18C  0001:0000019D sashost.dll
    04A5749A  0520FEA8  sashost:Main+0x80A
    04A65EC1  0520FED0  sashost:Main+0xF231
    04A62A97  0520FEE4  sashost:Main+0xBE07
    04A66C20  0520FEF8  sashost:Main+0xFF90
    01CB49C7  022A4248  0001:000139C7 os_exe.exe

    Please Help

    • Chris Hemedinger
      Chris Hemedinger on

      Sounds like you have something wrong with your SASV9.cfg file, or perhaps it's missing or empty. I suggest that you work with SAS Technical Support on this problem.

  7. Hi, Chris,

    I encountered the problem of lockdown restriction you talked in you post. Would you mind teach me how to disable it, so that I can work normally.

    ERROR: The path /Users/PC/Desktop/NE/TEMP/F_F.XPT is invalid because it is not in the list of accessible paths when SAS is in the lockdown state.
    ERROR: Error in the LIBNAME statement.

    Thanks for any help!

    • Chris Hemedinger
      Chris Hemedinger on

      Ping, you will have to ask your SAS admin to add this path into the list of allowed paths. It's not something that you can do yourself, unless you have the admin capabilities to modify the LOCKDOWN "whitelist" per the documentation.

  8. http://support.sas.com/kb/52/078.html

    ... For example, a user who has Write access to an operating system directory (for example, in order to create physical tables) can use host commands to delete and replace files within that directory. Such commands operate independently of any metadata binding.
    Currently, there is no workaround or solution for this problem. ...

    Follow development of OS guys, needing to go for SIEM. --This is waiting for the collision.---

    • Chris Hemedinger
      Chris Hemedinger on


      Yes, the documentation for the metadata-bound libraries makes it clear, I think -- this does not replace OS-based permissions for "tampering" with the data sets in the library. However, an unauthorized user cannot read the contents of the data, achieving the main goal of the feature. And SAS logging can alert you when a file has been tampered with.

      SIEM is an interesting approach, but it also replicates the function provided by database systems that many of our customers use. I think it remains-to-be-seen what the demand is for a file-system-based level of control/monitoring that approaches the SIEM qualifications.

  9. Hi,
    Is there any java api to check if the server is in lockdown mode or not?
    and java api to get the accessible folder list (whitelist) ?

    • Chris Hemedinger
      Chris Hemedinger on

      There isn't a direct Java API for this. You can use Java to connect to a SAS session using SAS Integration Technologies, and then submit SAS programs to check things such as PROC OPTIONS and the LOCKDOWN statement, but I'm not sure that's what you want. Can you explain your scenario a bit more and perhaps I can suggest something?

  10. Asger Wille-Jørgensen on

    Very interesting approach and a great write-up on a feature that is covered very sparsely. I have used this and made the usermods.bat file dynamically check AD memberships instead, which makes it easier for me/us to manage. If a user is a member of one of the specified ADs, they are in nolockdown, otherwise they will be in lockdown.

    So thanks for the inspiration!

Back to Top