SAS Viya sharing credentials for database access


SAS Viya deployments use credentials for accessing databases and other third-party products that require authentication. In this blog post, I will look at how this sharing of credentials is implemented in SAS Environment Manager.

In SAS Viya, domains are used to store the:

  • Credentials required to access external data sources.
  • Identities that are allowed to use those credentials.

There are three types of domains:

  • Authentication stores credentials that are used to access an external source that can then be associated with a caslib.
  • Connection used when the external database has been set up to require a User ID but no password.
  • Encryption stores an encryption key required to read data at rest in a path assigned to a caslib.

In this blog post we will focus on authentication domains which are typically used to provide access to data in a database management system. It is a pretty simple concept; an authentication domain makes a set of credentials available to a set of users. This allows SAS Viya to seamlessly access a resource. The diagram below shows a logical view of a domain. In this example, the domain PGAuth stores the credentials for a Postgres database, and makes those credentials available to two groups (and their members) and three users.

How does this work when a user accesses data in a database caslib? The following steps are performed:

1.     Log on to SAS Viya using personal credentials: the user’s identity is established including group memberships.

2.     Access a CASLIB for a database: using the user’s identity and the authentication domain of the CASLIB, Viya will look up the credentials associated with that identity in the domain.

3.     Two results are possible. A credential match is:

  • 1.     Found: the credentials are passed to the database authentication provider to determine access to the data.
  • 2.     Not found: no access to the data is provided.

To manage domains in SAS Environment Manager you must be an administrator. In SAS Environment Manager select Security > Domains. There are two views available:  Domains and Credentials. The Domains view lists all defined domains. You can access the credentials for a domain by right-clicking on the domain and selecting Credentials.

The Credentials view lists all credentials defined and the domains for which they are associated.

Whatever way you get to a credential, you can edit it by right-clicking and selecting Edit. In the edit dialog, you can specify the Identities (users and groups) that can use the credential, and the User ID and Password of the credential.  Note that only users who are already listed in the Identities field will be able to edit this field, so make sure you are in this field (directly or through group membership) prior to saving.

To use an authentication domain, you reference it in the CASLIB definition. When defining a non-path based CASLIB you must select a domain to provide user credentials to connect to the database server. This can be done when creating a new CASLIB in SAS Environment Manager in the Data > Libraries area.

If you use code to create or access your caslib, use the authenticationdomain option. In this example, we specify authenticationdomain in the table.addcaslib action.

If a user is not attached to the authentication domain directly, or through a group membership, they will not be able to access the credentials. An error will occur when they attempt to access the data.

This has been a brief look at storing and using credentials to access databases from SAS Viya. You can find  more detail in the SAS Viya Administration Guide in the section titled Authentication: External Credentials.


About Author

Gerry Nelson

Principal Technical Consultant

Gerry Nelson is an Advisory Technical Architect in the Global Enablement and Learning (GEL) Team within SAS R&D Division. His primary focus is on administration of SAS VIya environments, particularly automation, modernization, migration, and upgrading.


  1. thanks Gary. do you mean my credentials page can be made accessible to end users and they can reset their logon credentials. Will this only update local SAS account or can update the AD as well?

      • Scott McCauley on

        Retrieval of the auth domain password is done automatically when you use the AUTHENTICATIONDOMAIN= option as shown in the example. Most of the data access-related methods and statements provide that option if they support outbound logins. Or have I misunderstood your question?

    • Scott McCauley on

      Yes, the My Credentials page is automatically available for all users in SAS Environment Manager. The only credentials that are reset are those that are stored in SAS Viya by the user or by the administrator, which are effectively copies of credentials. This facility cannot be used to reset passwords stored in AD or some other external authentication provider. If an account in AD is stored in My Credentials then it would need to be updated in both places if the password changes.

  2. Hi, this is great info for SAS Admins. Wondering how a SAS End user without admin access would update the id and password for a third party database in SAS Studio? In SAS Eg there's a menu option, and there's the SAS Personal Login Manager for end users with a local SAS install. I cannot seem to locate any info for end users who only have web access to SAS Studio and no installed software.

    • Gerry Nelson

      Hi Charles,

      I am glad you found it useful. There is no way for someone who is not an administrator to update shared credentials. There is a My Credentials page in SAS Environment Manager, which like Personal Login Manager allows users to manage their own credentials.

      Hope that helps.

Leave A Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Back to Top