Post on 12-Mar-2020
IASP 525 Database Security – Session 3
Tej Anand
09/19/2018
Objectives
© 2018. Tej Anand 2
1. Logical Model and Normalizing Data
2. SQL Review
3. OLAP Models
4. Types of data - PHI, IHI, Financial, Confidential, Proprietary
Database Modeling Scenario
1. Model a business with employees who work in departments.
2. Departments can be arranged under other departments (parent department)
3. Departments conduct projects.
4. Projects can be under other projects (major project)
5. Projects have a responsible department
6. Projects have a responsible employee
Conceptual Model
Entity-relationship diagram (entities, attributes and relationships recovered from the figure):
Employee: EmployeeId (PK), FullName, Date of Birth, Gender, Date of Hire, DepartmentName, Phone Number, Title, Education Level, Salary, Bonus, Commission
Department: Name
Project: Name, ResponsibleDepartmentName, ResponsibleEmployeeName
Relationships: Employee WorksIn Department; Department Has Project (1:M); Department CanHaveAParent Department; Project CanHaveAMajorProject Project
Logical Model
Entity-relationship diagram (entities, attributes and relationships recovered from the figure):
Employee: EmployeeId (PK), LastName, MiddleInitial, FirstName, Date of Birth, Gender, Date of Hire, DepartmentId (FK), Phone Number, JobTitle, Education Level, Salary, Bonus, Commission
Department: DepartmentId (PK), ParentDepartmentId (FK), Name
Project: ProjectId (PK), MasterProjectId (FK), Name, RespDepartId (FK), RespleEmplId (FK), StartDate, EndDate
Relationships: Department Contains Employee (1:M); Department CanHaveAParent Department (self-reference through ParentDepartmentId); Department Has Project (1:M); Project CanHaveAMajorProject Project (self-reference through MasterProjectId); Employee IsResponsibleFor Project (1:M)
Normalizing the Logical Model
Entity-relationship diagram (entities, attributes and relationships recovered from the figure):
Employee: EmployeeId (PK), LastName, MiddleInitial, FirstName, Date of Birth, Gender, Date of Hire, DepartmentId (FK), Phone Number, JobTitleId (FK), Education Level, Salary, Bonus, Commission
Department: DepartmentId (PK), ParentDepartmentId (FK), Name
Project: ProjectId (PK), MasterProjectId (FK), Name, RespDepartId (FK), RespleEmplId (FK), StartDate, EndDate
JobTitle: JobTitleId (PK), Name
Relationships: Department Contains Employee (1:M); Department CanHaveAParent Department; Department Has Project (1:M); Project CanHaveAMajorProject Project; Employee IsResponsibleFor Project (1:M); JobTitle IsGivenTo Employee (1:M)
Should we consider further normalization?
1. Should education level and gender have their own entities?
2. What functional limitations do we see in this model?
a. Salary, bonus and commission?
b. Job Title?
c. Department?
d. Can Projects change Departments?
3. What eventually drives decisions to the questions above?
A much more functional model?
Entity-relationship diagram (entities, attributes and relationships recovered from the figure):
Employee: EmployeeId (PK), LastName, MiddleInitial, FirstName, Date of Birth, Gender, Date of Hire, DepartmentId (FK), Phone Number, JobTitleId (FK), Education Level
JobTitle: JobTitleId (PK), Name
Compensation: CompensationId (PK), EmployeeId (FK), Salary, Commission, Bonus, StartDate, EndDate
EmployeeJobTitle: EmployeeJobTitle (PK), EmployeeId (FK), JobTitleId (FK), StartDate, EndDate
Relationships: Employee Has Compensation (1:M); Employee Has EmployeeJobTitle (1:M); JobTitle IsGivenTo EmployeeJobTitle (1:M)
Pros and Cons of Normalizing
Pros
1. Reduce redundant data – leads to increased data integrity
2. Increase the number of questions that can be asked
3. Segment sensitive data
4. Grant granular permission
Cons
1. More difficult for business to understand
2. Queries require joins
3. Update performance can be reduced
4. Insert performance?
Relational Database Physical Implementation
1. In relational databases, all data is stored in tables
2. Tables are structured in rows and columns
3. Horizontally, into rows
4. Vertically, into columns
5. Fields may or may not contain data
6. The data in fields is considered atomic
7. The column names of a table must be unique
8. All rows of a table should be different
SQL Overview
Creating the Employee Table
CREATE TABLE EMPLOYEE
( EMPNO     CHAR(6)      NOT NULL,
  FIRSTNME  VARCHAR(12)  NOT NULL,
  MIDINIT   CHAR(1)      NOT NULL,
  LASTNAME  VARCHAR(15)  NOT NULL,
  WORKDEPT  CHAR(3) ,
  . . .
  . . .
  BIRTHDATE DATE ,
  SALARY    DECIMAL(9,2) ,
  BONUS     DECIMAL(9,2) ,
  COMM      DECIMAL(9,2)
)
Importance of strong data types for security
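Two of the "pros of normalizing" above (segment sensitive data, grant granular permission) applied to the EMPLOYEE table just created. This is an added example, not code from the slides: it assumes EMPLOYEE exists as declared above with EMPNO as its primary key, and the COMPENSATION table, the views, the roles and the role syntax are standard SQL that varies slightly by DBMS.

```sql
-- Added example (not from the slides): move pay out of EMPLOYEE into its own
-- table, as on the "more functional model" slide, then grant access per role.
ALTER TABLE EMPLOYEE ADD PRIMARY KEY (EMPNO);   -- needed for the foreign key below

CREATE TABLE COMPENSATION
( COMPID    INTEGER      NOT NULL PRIMARY KEY,
  EMPNO     CHAR(6)      NOT NULL REFERENCES EMPLOYEE (EMPNO),
  SALARY    DECIMAL(9,2) NOT NULL,
  BONUS     DECIMAL(9,2),
  COMM      DECIMAL(9,2),
  STARTDATE DATE         NOT NULL,
  ENDDATE   DATE,                      -- NULL marks the current pay record
  CHECK (ENDDATE IS NULL OR ENDDATE >= STARTDATE)
);

-- Copy the existing pay into the new table, then drop it from EMPLOYEE so a
-- grant on EMPLOYEE no longer exposes salary at all.
INSERT INTO COMPENSATION (COMPID, EMPNO, SALARY, BONUS, COMM, STARTDATE)
  SELECT ROW_NUMBER() OVER (ORDER BY EMPNO), EMPNO, SALARY, BONUS, COMM, CURRENT_DATE
  FROM EMPLOYEE;
ALTER TABLE EMPLOYEE DROP COLUMN SALARY;
ALTER TABLE EMPLOYEE DROP COLUMN BONUS;
ALTER TABLE EMPLOYEE DROP COLUMN COMM;

-- Directory view: non-sensitive columns only.
CREATE VIEW EMP_DIRECTORY AS
  SELECT EMPNO, FIRSTNME, MIDINIT, LASTNAME, WORKDEPT FROM EMPLOYEE;

-- Payroll view: current pay only; the history stays in the base table.
CREATE VIEW EMP_CURRENT_PAY AS
  SELECT E.EMPNO, E.LASTNAME, C.SALARY, C.BONUS, C.COMM
  FROM EMPLOYEE E JOIN COMPENSATION C ON C.EMPNO = E.EMPNO
  WHERE C.ENDDATE IS NULL;

-- Granular permissions: STAFF never touches COMPENSATION, and PAYROLL reads
-- through the view and writes the base table only when posting a change.
CREATE ROLE STAFF;
CREATE ROLE PAYROLL;
GRANT SELECT ON EMP_DIRECTORY TO STAFF;
GRANT SELECT ON EMP_CURRENT_PAY TO PAYROLL;
GRANT INSERT, UPDATE ON COMPENSATION TO PAYROLL;
```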
SQL Data Types
Data Type                  Comment
SMALLINT                   Whole numbers from -32768 to +32767
INTEGER                    Whole numbers from -2,147,483,648 to +2,147,483,647
DECIMAL(m,n)               Decimal numbers with max. 31 digits; m = total number of digits, n = number of decimal digits
CHAR(n) or CHARACTER(n)    A fixed-length string of numbers and/or characters
VARCHAR(n)                 A variable-length string of numbers and/or characters
DATE (YYYYMMDD)            Display / input format: USA – mm/dd/yyyy, EUR – dd.mm.yyyy, ISO – yyyy-mm-dd
TIME (HHMMSS)              Display / input format: USA – hh:mm AM or PM, EUR – hh.mm.ss, ISO – hh.mm.ss
Advantages of Strong Data Types
• Input verification
• Logical, arithmetic, string operations
• Sorting
• Component extraction
Creating the Department Table
CREATE TABLE DEPARTMENT
( DEPTNO   CHAR(3)     NOT NULL,
  DEPTNAME VARCHAR(25) NOT NULL,
  MGRNO    CHAR(6)     NOT NULL,
  ADMRDEPT CHAR(3)               -- no comma before the closing parenthesis
)
Creating the Project Table
CREATE TABLE PROJECT
( PROJNO    CHAR(6)      NOT NULL,
  PROJNAME  VARCHAR(25)  NOT NULL,
  DEPTNO    CHAR(3)      NOT NULL,
  RESPEMP   CHAR(6)      NOT NULL,
  PRSTAFF   DECIMAL(5,2) ,        -- SMALLINT takes no precision; a fractional staff equivalent needs DECIMAL
  PRSTDATE  DATE         NOT NULL,
  PRENDDATE DATE
)
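The data types slide above, applied to the PROJECT table just created: strong types plus CHECK and foreign-key constraints make the DBMS itself do the input verification. This is an added example, not code from the slides; it assumes DEPARTMENT (DEPTNO) and EMPLOYEE (EMPNO) exist with those primary keys, and the MAJPROJ column (the logical model's MasterProjectId), the constraint names, the project-type list and the sample rows are constructed here. Standard SQL; DATE literal syntax varies slightly by DBMS.

```sql
-- Added example (not from the slides): PROJECT with the types and constraints
-- that let the database reject bad input instead of the application.
CREATE TABLE PROJECT
( PROJNO    CHAR(6)      NOT NULL PRIMARY KEY,
  PROJNAME  VARCHAR(25)  NOT NULL,
  DEPTNO    CHAR(3)      NOT NULL REFERENCES DEPARTMENT (DEPTNO),
  RESPEMP   CHAR(6)      NOT NULL REFERENCES EMPLOYEE (EMPNO),
  MAJPROJ   CHAR(6)      REFERENCES PROJECT (PROJNO),   -- constructed: major project
  PRSTAFF   DECIMAL(5,2) CHECK (PRSTAFF >= 0),          -- staff equivalent, may be fractional
  PRSTDATE  DATE         NOT NULL,
  PRENDDATE DATE,
  CONSTRAINT PROJ_DATES CHECK (PRENDDATE IS NULL OR PRENDDATE >= PRSTDATE),
  -- exercise 15 reads the first two characters as the project type; constrain it
  -- (constructed list of type codes)
  CONSTRAINT PROJ_TYPE  CHECK (SUBSTR(PROJNO, 1, 2) IN ('AD', 'IF', 'MA'))
);

-- Accepted: every value parses as its column type and passes every constraint
-- (department C01 and employee 000030 must already exist; constructed values).
INSERT INTO PROJECT VALUES
  ('IF1000', 'QUERY SERVICES', 'C01', '000030', NULL, 2.00, DATE '2018-01-01', NULL);

-- Each of these is refused before any row is written, by a different layer:
INSERT INTO PROJECT VALUES                          -- DATE type: there is no month 13
  ('IF2000', 'USER EDUCATION', 'C01', '000030', 'IF1000', 1.00, DATE '2018-13-01', NULL);
INSERT INTO PROJECT VALUES                          -- DECIMAL type: 'two' is not numeric
  ('IF2000', 'USER EDUCATION', 'C01', '000030', 'IF1000', 'two', DATE '2018-02-01', NULL);
INSERT INTO PROJECT VALUES                          -- CHECK: ends before it starts
  ('IF2000', 'USER EDUCATION', 'C01', '000030', 'IF1000', 1.00, DATE '2018-02-01', DATE '2017-12-31');
INSERT INTO PROJECT VALUES                          -- FOREIGN KEY: no such employee
  ('IF2000', 'USER EDUCATION', 'C01', '999999', 'IF1000', 1.00, DATE '2018-02-01', NULL);

-- Typed columns make sorting, arithmetic and component extraction reliable:
SELECT SUBSTR(PROJNO, 1, 2) AS PROJ_TYPE, PROJNAME,
       EXTRACT(YEAR FROM PRSTDATE) AS START_YEAR, PRSTAFF * 2 AS DOUBLED_STAFF
FROM PROJECT
WHERE SUBSTR(PROJNO, 1, 2) = 'IF'
ORDER BY PRSTDATE;
```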
Employee Table
Department Table
Project Table
Retrieving data
SELECT    Columns: column names, arithmetic expressions, literals (text or numeric), scalar functions, column functions
FROM      Table or view names
WHERE     Conditions (qualifies rows)
ORDER BY  Sorts result rows
GROUP BY  Creates subtotals in conjunction with column functions
Practicing SQL Select – Basic
1. Provide all data that exists in the DEPARTMENT table
2. What are the different JOB titles on the EMPLOYEE table?
3. Provide all employees, first and last names, and their salary sorted by salary
4. Show the order in which employees were hired, earliest first, with only their first and last names
5. Provide all employees making over $40,000. List their first name, last name, salary and order it by salary.
6. Provide all project names, project numbers, and the responsible employee number in DEPTNO ‘E01’
7. Provide the employee number, job title and education level of all analysts who have an education level of 16.
8. Provide the first name, last name, job title, and bonus of all employees who received a bonus greater than or equal to $700 but less than or equal to $1000, and are not a manager
9. Provide the first name and last name of all male employees with a first name ending in “N” and a salary in the range $20000 to $40000
10. Provide first name, last name, salary, and education sorted by education level and salary for employees who are not a manager, commission is greater than bonus, salary range is $20000-$40000, there is an “E” anywhere in their first name and education level is 12, or 14, or 16, or 18
Practicing SQL Select – Functions
11. I need a list containing EMPNO, SALARY, COMM, and SALARY + COMM for employees whose salary is less than $20000, ordered by employee number
12. I need a list containing EMPNO, SALARY, COMM, and INCOME that is SALARY + COMM for employees whose salary is less than $20000, ordered by employee number
13. I need a list of the total income (salary and commission). In the total, assume unknown commissions to be zero.
14. I need a listing containing the ages of all employees 72 years old or more sorted by age in descending sequence
15. Interpret the first two characters of project number as a type of projects and display all projects of the type “IF”
16. Write a query to sum all salaries for workdepts beginning with the letter D
Practicing SQL Select – Group By
17. I need a list of the salaries for employees in the departments A00, B01 and C01. In addition, for these departments I want the total spent for salaries.
18. Find out the average salary per education level for each department group (given by the first character of the department number) for education levels 18 and higher.
19. Find the count of projects for each major project within a department and the average staff equivalent assigned to the major project. Report this sorted by major project.
20. Display the departments where the total spent on salaries is higher than $50,000.
21. By department, I need a list of jobs excluding manager, designer and field representative with an average salary higher than $25,000.
22. Display the departments with more than one employee.
Practicing SQL Select – Join
23. For every project, list the project number, project name and the name and number of the department responsible for the project.
24. For employees with a last name of HAAS, display the employee number, last name, and the name and number of the department they are working in.
25. Display the department name, the employee number and last name of the manager for department 21.
26. For department D21, list all project numbers, department number, manager number and last name.
27. Display the department name for the parent department of the Planning Services department.
28. Find all the employees who are older than their manager.
OLAP Data Models
1. OLAP vs. OLTP – performance, purpose, data flows
2. OLAP is read only – update is through controlled processes
3. Two major models – relational or pre-aggregated (multi-dimensional)
a. Performance vs. flexibility
b. Storage
c. Implementation complexity
4. Built-in mathematical operators (aggregate, drill-down)
OLAP Data Model Examples
Star schema (recovered from the figure): dimensions Employee, Department, Project, Time; Measures/Facts: …
Star schema (recovered from the figure): dimensions Customer, Product, Employee, Supplier, Time; Measures/Facts: …
Healthcare OLAP Data Model
Star schema (recovered from the figure): dimensions Patient, Payor, Provider, Procedure, Time; Measures/Facts: …
OLAP Data Models Security Implications
1. Inference via drill down should be limited
2. Stay away from data that can identify unique individuals
3. Make sure the update processes are balanced and controlled
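Point 1 above (limiting inference via drill-down) in SQL, as an added example that is not from the slides. It assumes the EMPLOYEE (EMPNO, WORKDEPT, SALARY) and DEPARTMENT (DEPTNO, DEPTNAME) tables of the SQL review plus assumed JOB and SEX columns on EMPLOYEE; the minimum cell size of 5 and the ANALYSTS role are policy choices made here. Standard SQL with ROLLUP; role syntax varies by DBMS.

```sql
-- Added example (not from the slides): suppress aggregate cells that are too
-- small to hide an individual, and publish only the suppressed view.

-- Unsafe cube: grouping on every dimension yields cells that hold a single
-- employee, and AVG over one row is simply that person's salary.
CREATE VIEW PAY_CUBE_UNSAFE AS
  SELECT WORKDEPT, JOB, SEX, COUNT(*) AS N, AVG(SALARY) AS AVG_SALARY
  FROM EMPLOYEE
  GROUP BY WORKDEPT, JOB, SEX;

-- Safer: drop the most identifying dimension, join the descriptive name, and
-- keep only cells built from at least 5 people.
CREATE VIEW PAY_BY_DEPT_JOB AS
  SELECT D.DEPTNAME, E.JOB, COUNT(*) AS N, AVG(E.SALARY) AS AVG_SALARY
  FROM EMPLOYEE E JOIN DEPARTMENT D ON D.DEPTNO = E.WORKDEPT
  GROUP BY D.DEPTNAME, E.JOB
  HAVING COUNT(*) >= 5;

-- Drill-down path: department group (first character of DEPTNO, as in
-- exercise 18) -> department. ROLLUP returns both levels and HAVING applies
-- the same threshold to every subtotal, so a small department drops out
-- while the group total above it is still reported.
SELECT SUBSTR(WORKDEPT, 1, 1) AS DEPT_GROUP, WORKDEPT,
       COUNT(*) AS N, AVG(SALARY) AS AVG_SALARY
FROM EMPLOYEE
GROUP BY ROLLUP (SUBSTR(WORKDEPT, 1, 1), WORKDEPT)
HAVING COUNT(*) >= 5
ORDER BY DEPT_GROUP, WORKDEPT;

-- Analysts get the safe view only. With no grant on EMPLOYEE itself, the
-- suppressed cells cannot be recomputed from the base table.
CREATE ROLE ANALYSTS;
GRANT SELECT ON PAY_BY_DEPT_JOB TO ANALYSTS;
```

A fixed threshold alone does not stop differencing between overlapping cells (a group subtotal against its published departments), so production OLAP systems pair it with complementary suppression or query auditing.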
Types of Data
1. PHI (Personal Health Information), IHI (Individual Health Information)
2. PII (Personally Identifiable Information)
3. Sensitive data – determined based on all stakeholders
4. Classified – determined based on “authoritative” stakeholders
5. Confidential, proprietary – determined by a business
6. Public
Week 4 Lookahead
• Assignment #1 – Data Breach Case Study - Due Date 09/21/2018 - 100 points
• Selected Readings
• Panos Vassiliadis, Timos Sellis, A survey of logical models for OLAP databases, ACM SIGMOD Record, v. 28, no. 4, 1999.
• Arjan Loeffen, Text databases: a survey of text models and systems, ACM SIGMOD Record, v. 23, no. 1, 1994.
• Norman W. Paton, Oscar Diaz, Active database systems, ACM Computing Surveys, v. 31, no. 1, 1999.
• Hassan Artail, Haidar Safa, Mana, Shihab, Implementation of a federated database on Bluetooth-enabled mobile devices, Proc. of the 5th Int'l Conf. on Pervasive Services, 2008.
• Domenico Beneventano, Sonia Bergamaschi, Claudio Sartori, Description logics for semantic query optimization in object-oriented database systems, ACM Transactions on Database Systems, v. 28, no. 1, 2003.
Reflections …