In order to keep passwords from being hard-coded into SAS programs, or from appearing in SAS logs, the following methods are suggested:
1) The most secure option is to issue a LIBNAME statement using the required SAS/Access engine, and specify DBPROMPT=YES. This will prompt you for connection information to the database as the SAS code runs, so that no connection information will be stored in your program.
However, since this requires some manual interaction when running jobs, it may not be feasible in your situation.
2) Database connection information can be stored in the SAS registry and the password required for connection will be encrypted. In order to set this up, run SAS interactively, and from the Explorer window, highlight "Libraries". From the pmenus, select File-New. Enter the libref you wish to use for your database connection in the "Name" box, then select the database engine being used from the pull-down menu. Once the engine has been selected, you will see a window that allows you to enter username, password, path, and options. Fill in your connection information, then click the small button on the upper right that indicates "Enable at Startup". This method stores your connection information in the SAS registry and will automatically connect when you launch SAS. When running SAS in batch mode, you MUST specify -startlib at invocation in order for the library to be allocated. Your password will appear in your SAS log as an encrypted value.
3) If running PROC SQL Pass-Through, you can pass the password to SAS via the -sysparm option at SAS invocation, and use the &sysparm SAS macro variable where the password would normally be coded. An example follows:
sas -nodms -sysparm mypassword
PROC SQL;
CONNECT TO ORACLE(user=scott password="&sysparm");
Note that if the macro options MPRINT and/or SYMBOLGEN are in effect, the resolved macro variable will appear in the SAS log, and therefore, your password will appear in plain text in your SAS log. NOMPRINT and NOSYMBOLGEN are the default settings.
4) Also, if running PROC SQL Pass-Through, you can store your CONNECT statement in a file protected by operating system permissions such that only you have read permission, then use the %INCLUDE statement to include the CONNECT statement. An example follows:
sas -nodms
OPTIONS NOSOURCE2;
PROC SQL;
%INCLUDE 'myconnect.dat';
In the above example, OPTIONS NOSOURCE2 prevents the included code from being displayed in the SAS log. Specifying SOURCE2 lists the contents of the included file in the SAS log. NOSOURCE2 is the default setting.
You can also use the /nosource2 option on the %include statement, like
%INCLUDE 'myconnect.dat' /nosource2;
Is has the same effect as described above, but it will only be set in the scope of the %include.
5) Using the PWENCODE procedure to encrypt the password.
proc pwencode in='mypassword';
run;
The encrypted password with be found in the SAS Log and this encrypted value can be used in your code instead of the actual password itself.
For example:
proc pwencode in='my password';
run;
{sas001}bXkgcGFzc3dvcmQ=
Now you can use the value above inyour code as follows:
libname mydblib db2 user=userid password='{sas001}bXkgcGFzc3dvcmQ=' database=databse;