SAS administrators have a delicate balance to maintain. SAS users want to be happy and productive, and to be granted the freedom to use any techniques in their skill set to accomplish their work. But the Business (or Government or Research institution) wants their sensitive data to be protected, and to be used only for legitimate activities that support the organization's goals.
To satisfy all constituents, the administration tasks often require a heroic effort. And every hero deserves some superpowers. The most recent releases of SAS provide admins with some impressive new abilities to provide users access to the data they need, while keeping those users on the "approved path" for pulling that data into their SAS processes. Here are the new powers that SAS admins should explore:
Control access to your SAS data with metadata-bound libraries. By putting your SAS-based data files into a secured library, you can use SAS metadata permissions to grant access to just the SAS users that need them. Because this access is completely controlled by the SAS Metadata Server, even a savvy SAS programmer can't gain access with a well-formed LIBNAME statement. (Attempts will be rebuffed, as if in Sue Storm's invisible shield.) SAS secured libraries were added in SAS 9.3 Maintenance 2.
Limit the locations that SAS users can reach with LOCKDOWN. With the LOCKDOWN system option and LOCKDOWN statement, an admin can build a virtual fence around the SAS Workspace session (like Wonder Woman's golden lasso), granting access to only to those pre-approved file paths that are identified when the session starts. The LOCKDOWN feature was added in SAS 9.4.
These are two different mechanisms that you can use to protect your data assets from unauthorized use. The metadata-bound libraries place protection around the data itself, so that users cannot see it without explicit permissions. The LOCKDOWN mechanism fences in the SAS user to approved file areas, thus restricting their movements (in their programs as well as in the point-and-click interfaces) to those paths that are deemed necessary for their work. While neither technique should be considered a replacement for OS-level file permissions or database access, these SAS-based techniques can reduce the risk of (intentional or accidental) Bad Data Exposure.
Learn more about these powers
P.S. I was going to say something like "with great Power To Know comes great responsibility", but I was afraid of a backlash from Marvel fans and from the SAS legal department. (I won't say which I feared more.)