Security Authorization SQL

8/3/2019 Security Authorization SQL

1/22

Security and User Authorization inSQL

Reading Material: Section10.1 of Text

1


2/22

Kinds of Threats

u Threats to databases

w Loss ofintegrity

Transactional

Semantic

w Loss ofavailability Redundancy and clustering

w Loss ofconfidentiality

Security measures

2


3/22

DBA - Privileges

u The database administrator (DBA) isthe central authority for managing adatabase system.

wThe DBAs responsibilities include granting privileges to users who need to use

the system

classifying users and data in accordance with

the policy of the organization

u The DBA is responsible for the overallsecurity of the database system.

3


4/22

DBA - Privileges

u The DBA has a DBA account in the DBMS

w Sometimes these are called a system or superuseraccount

w These accounts provide powerful capabilities such as:

1. Account creation 2. Privilege granting

3. Privilege revocation

4. Security level assignment

w

Action1

is access control, whereas2

and3

arediscretionary and 4 is used to control mandatoryauthorization

4


5/22

DBA -

u Whenever a person or group of persons need to access a database system,the individual or group must first apply

for a user account.wThe DBA will then create a new account

id and password for the user if he/shedeems there is a legitimate need to accessthe database

u The user must log in to the DBMS byentering account id and password

whenever database access is needed. 5


6/22

Access Protection, User Accounts,

and Database Auditsu Whenever a person or group of person s

need to access a database system, theindividual or group must first apply for a useraccount.

wThe DBA will then create a new accountid and password for the user if he/she

deems there is a legitimate need to accessthe database

u The user must log in to the DBMS by enteringaccount id and password whenever database

access is needed. 6


7/22

User IDs

Every database user has a user ID (user name)

Created by DBA

7


8/22

Privileges On Tables and Views:

SELECT

INSERT DELETE

UPDATE

On attributes (name, addr)

REFERENCES Right to refer to the relation in an integrity constraint

May also have a list of attributes

TRIGGER Allow to create triggers on tables

8


9/22

Privileges Contd

On Schemes USAGE

Elements of a scheme (Tables, views, assertions, PSM,etc)

Use the elements in users declarations

EXECUTE The right to execute a piece of code

On Object-Relational Databases

UNDER

Create subtypes of a given type

9


10/22

Creating Privileges

1. When a Scheme is created, it is owned bythe user who created it

2. When a session is initiated by a CONNECT,indicate user and authorization

3. When a module is created, there is anoption to give it an owner by using an

AUTHORIZATION clause, like

AUTHORIZATION zakariya

10


11/22

Granting Privileges

GRANT ON TO

[WITH GRANT OPTION]

ALL PRIVILEGES may be used in togrant all privileges to the

11


12/22

Example

User thuraya is owner of theM

ovieSchema, andissues:

GRANT SELECT, INSERT ON Studio TO

zakariya, shakib WITH GRANT OPTION;

GRANT SELECT ON Movies TO zakariya, shakib

WITH GRANT OPTION;

The GRANT graph that results is on the nextslide

12


13/22

13

thuraya

INSERT ON

Studio

**

thuraya

SELECT ON

Studio

**

thuraya

INSERT ON

Movies

**

thuraya

SELECT ON

Movies

**

zakarita

INSERT ON

Studio

*

zakariya

SELECT ON

Studio

*

thuraya

INSERT ON

Studio

*

thuraya

SELECT ON

Studio

*

zakariya

SELECT ON

Movies

*

thuraya

SELECT ON

Movies

*


14/22

Example

Now, zakariya issues:GRANT SELECT, INSERT ON Studio TO ramez;

GRANT SELECT ON Movies TO ramez;

Now, shakib issues:

GRANT SELECT, INSERT(name) ON Studio TOramez;

GRANT SELECT ON Movies TO ramez;

The GRANT graph that results is on the nextslide

14


15/22

15

thuraya

INSERT ON

Studio

**

thuraya

SELECT ON

Studio

**

thuraya

INSERT ON

Movies

**

thuraya

SELECT ON

Movies

**

zakarita

INSERT ON

Studio

*

zakariya

SELECT ON

Studio

*

ramez

SELECT ONMovies

ramez

SELECT ONStudio

ramez

INSERT ONStudio

ramez

INSERT(name)ON

shakib

INSERT ON

Studio

*

shakib

SELECT ON

Studio

*

zakariya

SELECT ON

Movies

*

shakib

SELECT ON

Movies

*


16/22

Example: an SQL Statement

INSERT INTO Studio(name)SELECT DISTINCT studioName

FROM Movies

WHERE studioName NOT IN

(SELECT name

FROM Studio)

16


17/22

Example: an SQL Statement

Minimum Privileges Needed:

1. SELECT(name) on Studio

2. SELECT (studioName) on Movies

3. INSERT(name) ON Studio

User ramez has these privileges, so ramez canexecute the SQL statement

17


18/22

Revoking Privileges

REVOKE ON FROM

Can be followed by

1. CASCADE

2. RESTRICT

REVOKE GRANT OPTION FOR

18


19/22

Example

User thurayaREVOKE SELECT, INSERT ON Studio FROM

shakib CASCADE;

REVOKE SELECT ON Movies FROM shakib

CASCADE;

Arcs are removed; and if a node is notreachable, then it will also be removed. Sothe resulting graph after these statementswill be as follows:

19


20/22

20

thuraya

INSERT ON

Studio

**

thuraya

SELECT ON

Studio

**

thuraya

INSERT ON

Movies

**

thuraya

SELECT ON

Movies

**

zakarita

INSERT ON

Studio

*

zakariya

SELECT ON

Studio

*

ramez

SELECT ONMovies

ramez

SELECT ONStudio

ramez

INSERT ONStudio

zakariya

SELECT ON

Movies

*

shakib

SELECT ON

Movies

*


21/22

Example

User thuraya executes:REVOKE SELECT ON Movies FROM shakibCASCADE;

So the resulting graph after these statementswill be as follows:

21


22/22

22

thuraya

INSERT ON

Studio

**

thuraya

SELECT ON

Studio

**

thuraya

INSERT ON

Movies

**

thuraya

SELECT ON

Movies

**

zakarita

INSERT ON

Studio

*

zakariya

SELECT ON

Studio

*

ramez

SELECT ONMovies

ramez

SELECT ONStudio

ramez

INSERT ONStudio

zakariya

SELECT ON

Movies

*

Security Authorization SQL

Documents

Transcript of Security Authorization SQL