IT203 Unit 8: Database Security I Is It Secure? Copyright © 2012 Pearson Education, Inc. Publishing as Prentice Hall Chapter8.1

Upload: aaliyah-burton

Post on 27-Mar-2015

Page 1

IT203 Unit 8: Database Security I

Is It Secure?

Page 2

Overview

• Security is essential for any database that will be put into production.

• One way to begin thinking about security is to look at two terms:
– Authentication
– Authorization


Page 3

Authentication

• Authentication is the process of determining if the person is, in fact, who he or she claims to be.

• This can be done in a variety of ways:
– Login name and password
– Certificate
– Biometrics


Page 4

Authorization

• Authorization is about “authorizing” an already-authenticated user to do things in the database.

• It involves granting (or denying) permissions on objects and data, such as SELECT on a table or EXECUTE on a stored procedure.


Page 5

SQL Server Authentication

• SQL Server has two primary ways of authenticating users:
– Windows authentication
– SQL Server authentication


Page 6

Windows Authentication

• In Windows Authentication, a SQL Server login is created for a Windows local or Active Directory account (or group), and Windows itself (Kerberos or NTLM) verifies the user's identity.

• Users log into their Windows machine and connect to SQL Server with that identity; no separate database password is typed or stored.

• This is the preferred method of authentication: password policy, lockout, and account disabling are managed centrally in Windows, and SQL Server never holds the password at all.


Page 7

SQL Server Authentication

• In SQL Server authentication, a login name and password are created and stored (as a hash) in SQL Server itself. The server must be set to mixed mode (Windows and SQL Server authentication) for such logins to be usable.

• This is useful in environments where not every user has a Windows account, such as application accounts or clients on non-Windows platforms. The password is then a secret that SQL Server, not Windows, has to protect, so keep the password policy check enabled and use strong passwords.


Page 8

Example: Creating a SQL Server Login

CREATE LOGIN StudentLogIn
    WITH PASSWORD = 'p@ssw0rd1',
         DEFAULT_DATABASE = TutorManagement

Use straight single quotes around the password; the curly quotes that slide software substitutes are a syntax error in T-SQL. Note also that a login by itself only lets someone connect to the server: before it can touch anything in TutorManagement, a database user must be created for it (CREATE USER ... FOR LOGIN ...) and given permissions, typically through a role. The example password is deliberately short for the slide; on a real server CHECK_POLICY is on by default and the Windows password policy would apply.

Page 9

Roles

• Roles are collections of permissions.

• Rather than try to assign and maintain individual user permissions, users can be assigned to a role that provides a common set of permissions.

• Roles provide a much more efficient and maintainable way of controlling user access to the database.

• New roles can be created as needed, and SQL Server provides a set of built-in roles.


Page 10

Table of Built-in Roles


Database Role        Description
db_accessadmin       Can ALTER any User and create Schema (i.e. add or remove database access for logins)
db_backupoperator    Grants the user permission to back up the particular database (RESTORE is a server-level right and is not included)
db_datareader        Grants the user SELECT on all Tables and Views in the database
db_datawriter        Grants the user INSERT, UPDATE and DELETE permissions on all Tables and Views
db_ddladmin          Grants the ability to CREATE or ALTER any database object
db_denydatareader    Denies SELECT on all Tables and Views
db_denydatawriter    Denies INSERT, UPDATE, and DELETE on all Tables and Views
db_owner             Grants ownership and full permissions on all database objects, including dropping the database
db_securityadmin     Grants the ability to ALTER roles and CREATE Schema
public               Grants access to the database but by default has no permissions on any objects. Every user is a member of public as well as any other roles. The public role cannot be removed.

Note that a DENY (for example through db_denydatareader) overrides any GRANT the same user receives through another role, so the deny roles are a safe way to fence off a user who must keep some other membership.

Page 11

Example: Creating a Role

USE TutorManagement
GO
CREATE ROLE StudentRole


Page 12

Schema

• Schemas can be used to achieve results similar to roles.

• However, a role is a collection of permissions; a schema is a named container of objects (tables, views, procedures) that is owned by a database principal such as a user or a role.

• Users can be given a default schema and then granted permissions at the schema level (for example, GRANT SELECT ON SCHEMA::Reporting TO SomeUser), which covers every object in that schema, including objects created later.

• A user sees only the objects on which he or she holds some permission, so a user whose only grants are on one schema sees only that schema's objects when logged in. The default schema controls how unqualified names resolve, not what the user is allowed to see.

Page 13

Analyzing Security Needs

• One way to analyze the security needs of a database is to look at the security requirements of each type of database user (for example, students, tutors, and administrators).

• You can analyze those needs in terms of specific permissions (SELECT, INSERT, UPDATE, DELETE) on tables and other objects, plus any constraints on which rows or columns a user may reach.


Page 14

Analysis Example

Table name      SELECT   INSERT   UPDATE   DELETE   Constraints
Student
Tutor           X                                   A public subset of tutor info
Course          X
StudentCourse
Ethnicity
Session         X        X*       X*                *Only for own sessions
Request         X
RequestNote     X

(The flattened transcript does not preserve which column the single mark in the Request and RequestNote rows belongs to; it is shown under SELECT here only for layout.)
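The following T-SQL is an added example, not code from the Pearson slides: it turns the analysis table above into an actual login, database user, role, and set of grants, and enforces the two constraints ("a public subset of tutor info" and "only for own sessions") with views, since SQL Server permissions alone are object-level. The database, table, login and role names are the deck's (pages 8 and 11); all column names, the Student.UserName column used to tie a row to a database user, and the view names are assumptions made for illustration. The Request and RequestNote rows are left out because the transcript does not say which operation their marks apply to.

```sql
-- Added example (not from the slides). Assumed: the TutorManagement
-- tables exist in the dbo schema; column names below are invented.
USE TutorManagement;
GO

-- 1. Server-level login plus a database user mapped to it.
--    The login only lets the person connect; permissions go to the user.
CREATE LOGIN StudentLogIn
    WITH PASSWORD = 'p@ssw0rd1',          -- weak, kept from the slide; CHECK_POLICY is ON by default
         DEFAULT_DATABASE = TutorManagement;
CREATE USER StudentLogIn FOR LOGIN StudentLogIn;
GO

-- 2. Role: grants go to the role; the user only becomes a member.
CREATE ROLE StudentRole;
ALTER ROLE StudentRole ADD MEMBER StudentLogIn;   -- SQL Server 2012+; earlier versions: sp_addrolemember
GO

-- 3. Course: unrestricted SELECT straight on the table.
GRANT SELECT ON dbo.Course TO StudentRole;

-- 4. Ethnicity: explicit DENY. A DENY beats any GRANT the user might later
--    pick up through another role, so it records the intent durably.
DENY SELECT, INSERT, UPDATE, DELETE ON dbo.Ethnicity TO StudentRole;
GO

-- 5. Tutor: only a public subset of columns, so grant on a view, not the table.
CREATE VIEW dbo.vTutorPublic AS
    SELECT TutorKey, FirstName, LastName, Subject      -- assumed column names
    FROM dbo.Tutor;
GO
GRANT SELECT ON dbo.vTutorPublic TO StudentRole;
GO

-- 6. Session: SELECT, INSERT, UPDATE, but only on the caller's own sessions.
--    The view filters on the connected database user (USER_NAME()).
--    WITH CHECK OPTION rejects an INSERT or UPDATE that would produce a row
--    the caller cannot see, i.e. a session belonging to another student.
CREATE VIEW dbo.vMySessions AS
    SELECT SessionKey, StudentKey, TutorKey, SessionDate, SessionNote   -- assumed columns
    FROM dbo.Session
    WHERE StudentKey = (SELECT StudentKey
                        FROM dbo.Student
                        WHERE UserName = USER_NAME())                   -- assumed column
    WITH CHECK OPTION;
GO
GRANT SELECT, INSERT, UPDATE ON dbo.vMySessions TO StudentRole;
GO

-- 7. Verify from the student's point of view (the db_owner running this
--    script may impersonate any database user).
EXECUTE AS USER = 'StudentLogIn';
SELECT permission_name FROM fn_my_permissions('dbo.vMySessions', 'OBJECT'); -- SELECT, INSERT, UPDATE
SELECT permission_name FROM fn_my_permissions('dbo.Session',     'OBJECT'); -- no rows: no direct table access
SELECT OBJECT_ID('dbo.Ethnicity');   -- NULL: with no permission the object is not even visible
REVERT;
GO
```

StudentRole is never granted anything on dbo.Tutor, dbo.Session or dbo.Student, yet the views work. That is ownership chaining: dbo owns both the views and the underlying tables, so SQL Server checks permission only on the view. If a view and its base table have different owners the chain breaks and the student would need (and must not be given) permission on the table itself, so keep views and tables under the same owner when using them as a security boundary.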


Page 15

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic,

mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. Printed in the United States of America.
