8/3/2019 Security Authorization SQL
Security and User Authorization in SQL
Reading Material: Section 10.1 of Text
Kinds of Threats
- Threats to databases
  - Loss of integrity
    - Transactional
    - Semantic
  - Loss of availability (countermeasures: redundancy and clustering)
  - Loss of confidentiality
- Security measures
DBA - Privileges
- The database administrator (DBA) is the central authority for managing a database system.
  - The DBA's responsibilities include:
    - granting privileges to users who need to use the system
    - classifying users and data in accordance with the policy of the organization
- The DBA is responsible for the overall security of the database system.
DBA - Privileges
- The DBA has a DBA account in the DBMS
  - Sometimes these are called a system or superuser account
  - These accounts provide powerful capabilities such as:
    1. Account creation
    2. Privilege granting
    3. Privilege revocation
    4. Security level assignment
  - Action 1 is access control, whereas 2 and 3 are discretionary authorization, and 4 is used to control mandatory authorization
Access Protection, User Accounts, and Database Audits
- Whenever a person or group of persons needs to access a database system, the individual or group must first apply for a user account.
  - The DBA will then create a new account id and password for the user if he/she deems there is a legitimate need to access the database
- The user must log in to the DBMS by entering the account id and password whenever database access is needed.
User IDs
- Every database user has a user ID (user name)
- Created by the DBA
Privileges On Tables and Views:
- SELECT
- INSERT
- DELETE
- UPDATE
  - SELECT, INSERT and UPDATE may be restricted to a list of attributes, e.g. SELECT(name, addr)
- REFERENCES: the right to refer to the relation in an integrity constraint
  - May also have a list of attributes
- TRIGGER: the right to create triggers on the table
Privileges (continued)
- On schemas: USAGE
  - Elements of a schema (tables, views, assertions, PSM, etc.)
  - The right to use those elements in the user's own declarations
- EXECUTE: the right to execute a piece of code (e.g. a PSM function or procedure)
- On object-relational databases: UNDER
  - The right to create subtypes of a given type
Creating Privileges
1. When a schema is created, it is owned by the user who created it; the owner holds every privilege on the elements of that schema
2. When a session is initiated by a CONNECT, the user and authorization are indicated
3. When a module is created, there is an option to give it an owner by using an AUTHORIZATION clause, like:
   AUTHORIZATION zakariya
Granting Privileges
GRANT <privilege list> ON <database element> TO <user list>
[WITH GRANT OPTION]
- ALL PRIVILEGES may be used in the <privilege list> to grant all privileges on the <database element>
- WITH GRANT OPTION lets the grantee pass the privilege on to other users
Example
User thuraya is owner of the MovieSchema, and issues:
GRANT SELECT, INSERT ON Studio TO zakariya, shakib WITH GRANT OPTION;
GRANT SELECT ON Movies TO zakariya, shakib WITH GRANT OPTION;
The GRANT graph that results is on the next slide
GRANT graph after thuraya's two statements (** = owner, * = held WITH GRANT OPTION; each arc runs from the grantor's node to the grantee's node):
thuraya INSERT ON Studio **
thuraya SELECT ON Studio **
thuraya INSERT ON Movies **
thuraya SELECT ON Movies **
zakariya INSERT ON Studio *   (arc from thuraya)
zakariya SELECT ON Studio *   (arc from thuraya)
zakariya SELECT ON Movies *   (arc from thuraya)
shakib INSERT ON Studio *     (arc from thuraya)
shakib SELECT ON Studio *     (arc from thuraya)
shakib SELECT ON Movies *     (arc from thuraya)
Example
Now, zakariya issues:
GRANT SELECT, INSERT ON Studio TO ramez;
GRANT SELECT ON Movies TO ramez;
Now, shakib issues:
GRANT SELECT, INSERT(name) ON Studio TO ramez;
GRANT SELECT ON Movies TO ramez;
Neither grant carries WITH GRANT OPTION, so ramez's nodes have no star. The GRANT graph that results is on the next slide
GRANT graph after zakariya's and shakib's statements:
thuraya INSERT ON Studio **
thuraya SELECT ON Studio **
thuraya INSERT ON Movies **
thuraya SELECT ON Movies **
zakariya INSERT ON Studio *     (arc from thuraya)
zakariya SELECT ON Studio *     (arc from thuraya)
zakariya SELECT ON Movies *     (arc from thuraya)
shakib INSERT ON Studio *       (arc from thuraya)
shakib SELECT ON Studio *       (arc from thuraya)
shakib SELECT ON Movies *       (arc from thuraya)
ramez SELECT ON Movies          (arcs from zakariya and from shakib)
ramez SELECT ON Studio          (arcs from zakariya and from shakib)
ramez INSERT ON Studio          (arc from zakariya)
ramez INSERT(name) ON Studio    (arc from shakib's INSERT ON Studio *, which covers the single column)
Example: an SQL Statement
INSERT INTO Studio(name)
    SELECT DISTINCT studioName
    FROM Movies
    WHERE studioName NOT IN
        (SELECT name FROM Studio);
Example: an SQL Statement
Minimum Privileges Needed:
1. SELECT(name) on Studio (for the subquery)
2. SELECT(studioName) on Movies
3. INSERT(name) on Studio
User ramez has these privileges: SELECT on Studio and on Movies cover the two attribute-level SELECTs, and INSERT ON Studio (from zakariya) or INSERT(name) ON Studio (from shakib) covers the insert. So ramez can execute the SQL statement
Revoking Privileges
REVOKE <privilege list> ON <database element> FROM <user list>
Followed by one of:
1. CASCADE: also revoke every privilege that was granted onward on the strength of the revoked one
2. RESTRICT: refuse the revoke if it would cascade to privileges held by other users
REVOKE GRANT OPTION FOR <privilege list> ON <database element> FROM <user list> removes only the right to pass the privilege on; the user keeps the privilege itself
Example
User thuraya issues:
REVOKE SELECT, INSERT ON Studio FROM shakib CASCADE;
The arcs from thuraya to shakib for these privileges are removed; then any node that is no longer reachable from an owner (**) node is also removed. So the resulting graph after this statement will be as follows:
GRANT graph after REVOKE SELECT, INSERT ON Studio FROM shakib CASCADE:
thuraya INSERT ON Studio **
thuraya SELECT ON Studio **
thuraya INSERT ON Movies **
thuraya SELECT ON Movies **
zakariya INSERT ON Studio *     (arc from thuraya)
zakariya SELECT ON Studio *     (arc from thuraya)
zakariya SELECT ON Movies *     (arc from thuraya)
shakib SELECT ON Movies *       (arc from thuraya)
ramez SELECT ON Movies          (arcs from zakariya and from shakib)
ramez SELECT ON Studio          (arc from zakariya; the arc from shakib is gone)
ramez INSERT ON Studio          (arc from zakariya)
Removed: shakib's INSERT ON Studio * and SELECT ON Studio * nodes, and ramez's INSERT(name) ON Studio node, which was reachable only through shakib.
Example
User thuraya executes:
REVOKE SELECT ON Movies FROM shakib CASCADE;
So the resulting graph after this statement will be as follows:
GRANT graph after REVOKE SELECT ON Movies FROM shakib CASCADE:
thuraya INSERT ON Studio **
thuraya SELECT ON Studio **
thuraya INSERT ON Movies **
thuraya SELECT ON Movies **
zakariya INSERT ON Studio *     (arc from thuraya)
zakariya SELECT ON Studio *     (arc from thuraya)
zakariya SELECT ON Movies *     (arc from thuraya)
ramez SELECT ON Movies          (arc from zakariya)
ramez SELECT ON Studio          (arc from zakariya)
ramez INSERT ON Studio          (arc from zakariya)
shakib now holds no privileges at all; ramez keeps everything he received from zakariya, so he can still run the INSERT statement from the earlier slide.
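The grant diagram the slides draw, the cascade rule (cut the revoked arcs, then drop every node no longer reachable from an owner node), the RESTRICT refusal, and the "minimum privileges needed" check for the INSERT ... SELECT statement, replayed in one added Python example. This is not code from the lecture; it assumes the slides' users and relations (thuraya, zakariya, shakib, ramez; Studio, Movies), models a privilege as (operation, relation, optional column set) so that INSERT ON Studio covers INSERT(name) ON Studio, and treats a REVOKE as cutting the revoker's arcs to the named user for the named privileges or their column subsets. Class and function names are the example's own.

```python
"""Grant-diagram simulator for the GRANT/REVOKE examples on these slides.
Added example, not lecture code. A node is (user, privilege, mark) with mark
"**" = owner, "*" = held WITH GRANT OPTION, "" = plain; arcs run from the
grantor's node to the grantee's node, as in the slide diagrams."""
from collections import deque

OWNER, GRANT_OPT, PLAIN = "**", "*", ""


def priv(op, table, *cols):
    """priv("INSERT", "Studio", "name"); no columns means the whole relation."""
    return (op, table, frozenset(cols) if cols else None)


def implies(general, specific):
    """INSERT ON Studio implies INSERT(name) ON Studio, never the reverse."""
    (op1, t1, c1), (op2, t2, c2) = general, specific
    if op1 != op2 or t1 != t2:
        return False
    return c1 is None or (c2 is not None and c2 <= c1)


class GrantGraph:
    def __init__(self):
        self.nodes = set()  # (user, privilege, mark)
        self.arcs = set()   # (grantor_node, grantee_node)

    def owner(self, user, *privs):
        for p in privs:
            self.nodes.add((user, p, OWNER))

    def _grantor_node(self, user, p):
        """A node of `user` that carries grant option (owner counts) and covers p."""
        for n in self.nodes:
            if n[0] == user and n[2] != PLAIN and implies(n[1], p):
                return n
        return None

    def grant(self, grantor, privs, grantees, with_grant_option=False):
        mark = GRANT_OPT if with_grant_option else PLAIN
        for p in privs:
            src = self._grantor_node(grantor, p)
            if src is None:
                raise PermissionError(f"{grantor} may not grant {p}")
            for user in grantees:
                dst = (user, p, mark)
                self.nodes.add(dst)
                self.arcs.add((src, dst))

    def _reachable(self, arcs):
        """Nodes reachable from some owner (**) node along the given arcs."""
        seen = {n for n in self.nodes if n[2] == OWNER}
        queue = deque(seen)
        while queue:
            n = queue.popleft()
            for a, b in arcs:
                if a == n and b not in seen:
                    seen.add(b)
                    queue.append(b)
        return seen

    def revoke(self, revoker, privs, user, cascade):
        """REVOKE privs ... FROM user {CASCADE|RESTRICT}; returns the nodes removed."""
        # Modelling choice: cut the revoker's arcs to `user` for the named
        # privileges or column subsets of them; then apply the reachability rule.
        cut = {(a, b) for (a, b) in self.arcs
               if a[0] == revoker and b[0] == user
               and any(implies(p, b[1]) for p in privs)}
        alive = self._reachable(self.arcs - cut)
        lost = self.nodes - alive
        cascaded = lost - {b for (_, b) in cut}   # losses beyond the named user
        if cascaded and not cascade:
            raise PermissionError(f"RESTRICT: revoke would cascade to {len(cascaded)} other node(s)")
        self.arcs = {(a, b) for (a, b) in self.arcs - cut if a in alive and b in alive}
        self.nodes = alive
        return lost

    def has(self, user, p):
        return any(n[0] == user and implies(n[1], p) for n in self.nodes)

    def can_execute(self, user, required):
        return all(self.has(user, p) for p in required)


def lecture_example():
    """Replays the slides; returns (ramez_can_run_before, lost1, lost2, ramez_can_run_after, graph)."""
    sel_studio, ins_studio = priv("SELECT", "Studio"), priv("INSERT", "Studio")
    sel_movies, ins_movies = priv("SELECT", "Movies"), priv("INSERT", "Movies")
    g = GrantGraph()
    g.owner("thuraya", sel_studio, ins_studio, sel_movies, ins_movies)
    g.grant("thuraya", [sel_studio, ins_studio], ["zakariya", "shakib"], True)
    g.grant("thuraya", [sel_movies], ["zakariya", "shakib"], True)
    g.grant("zakariya", [sel_studio, ins_studio, sel_movies], ["ramez"])
    g.grant("shakib", [sel_studio, priv("INSERT", "Studio", "name"), sel_movies], ["ramez"])
    # what INSERT INTO Studio(name) SELECT DISTINCT studioName FROM Movies ... needs
    needed = [priv("SELECT", "Studio", "name"), priv("SELECT", "Movies", "studioName"),
              priv("INSERT", "Studio", "name")]
    before = g.can_execute("ramez", needed)
    lost1 = g.revoke("thuraya", [sel_studio, ins_studio], "shakib", cascade=True)
    lost2 = g.revoke("thuraya", [sel_movies], "shakib", cascade=True)
    return before, lost1, lost2, g.can_execute("ramez", needed), g


def restrict_refused(g, revoker, privs, user):
    """True if REVOKE ... RESTRICT is refused because it would cascade."""
    try:
        g.revoke(revoker, privs, user, cascade=False)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    before, lost1, lost2, after, g = lecture_example()
    print("ramez can run the INSERT before the revokes:", before)
    print("nodes removed by first revoke:", len(lost1), "; by second:", len(lost2))
    print("ramez can still run it afterwards:", after)
```

Running it reproduces the slide sequence: the first CASCADE revoke removes shakib's two Studio nodes plus ramez's INSERT(name) ON Studio node (reachable only through shakib), the second removes only shakib's SELECT ON Movies node, and ramez can still execute the INSERT statement because every privilege he needs also reaches him through zakariya. The same graph shows why RESTRICT matters: thuraya revoking SELECT ON Movies from zakariya with RESTRICT is refused, since ramez's SELECT ON Movies would now hang off nothing.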