LOCKDOWN System Option

During SAS batch processing and or server processing it is possible to limit access to files and some specific SAS features by using SAS system option: Lockdown.

This option could be specified during SAS invocation and or in SAS Configuration files. 

What is it?

The LOCKDOWN option is used in a multi-server installation to limit file system access and limits the SAS language features.  Lockdown is used together with another SAS System option: NOXMCD. 

How does it work?

Once a LOCKDOWN option is effective on a SAS session, SAS enters in a locked-down state after it completes its initialization point. Once in a locked-down state SAS limits file system access (local files and directories) and only validated paths listed in the “lockdown path list” (aka allowed list) are allowed access. 

A Lockdown is in effect after the SAS session is initialized.  During initialization metadata pre-assigned libraries, all autoexec, SASHELP, SASUSER, LOG, WORK is available.  Once SAS session is initialized, the Lockdown takes effect. The initialization process order is as follows, once done Lockdown is in effect.

1. SAS Session initialization
2. AUTOEXEC execution(s)
3. INITSTMT execution, and
4. Metadata library pre-assignment

SAS Lockdown also limits access to certain SAS language features.  For example:

• Data step Java object
• PROC JAVAINFO, PROC GROOVY

Are some well known features that are limited while in Lockdown state.

Lockdown Features:

• SAS does not verify the paths listed in the lockdown path list
• The operating system file system permission is still in effect, that is,  a path denied access by the OS file system permission will remain inaccessible even if that path is listed in the allow list.
• Lockdown path list is specified and could be hidden in the target server to be restricted.
• SAS server in lockdown state validates all access to the host file system via the allow list.
• Two types of paths in the lockdown path list.  SAS configuration directory and user files and directories.