
Chapter 6: Integrity and Security Thomas Nikl 19 October, 2004 CS157B


Integrity!

Integrity constraints ensure that changes made to the database by authorized users do not result in loss of data consistency.

Domain Constraints

A domain of possible values must be associated with every attribute in the database.

Declaring an attribute of a particular domain acts as a restraint on the values it can take.

They are easily tested by the system.
EX1: cannot set an integer variable to “cat”.

Creating New Domains

The ‘create domain’ clause allows you to create your own domain types.

EX1:
    create domain Dollars numeric(12,2)

This creates a numerical domain with 12 total digits, two of which are after the decimal point.

Referential Integrity

Ensuring that a value that appears in one relation for a given set of attributes also appears for a certain set of attributes in another relation.

EX1: In a banking system, the attribute branch-name in Account-Schema is a foreign key referencing the primary key of Branch-Schema.

Database Modification

Inserting, deleting and updating can cause violations of referential integrity.

Therefore, the system must check that referential integrity is maintained when you perform these operations.

If referential integrity is violated during these operations, the default action is to reject the operation.

However, you can define other actions (more later).

Referential Integrity in SQL: Foreign Keys

Foreign keys are specified as part of the SQL ‘create table’ statement by using the ‘foreign key’ clause.

By default, a foreign key references the primary key attributes of the referenced table.

Foreign Key Declaration

EX1:
    create table account (
        account-number char(10),
        branch-name char(15),
        balance integer,
        primary key (account-number),
        foreign key (branch-name) references branch,
        check (balance >= 0))

Cascading

When referential integrity is violated during a modification, instead of just rejecting the modification, you can cascade:
- Delete cascade
- Update cascade

Delete Cascade

In a delete cascade, anything that has references to the deleted item is also deleted.

Update Cascade

In an update cascade, when the updated item results in a violation of referential integrity, the system will update accordingly to fix the problem.

Defining a Cascade Operation

EX1:
    create table account
    (…
    foreign key (branch-name) references branch
        on delete cascade
        on update cascade,
    …)
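
The default reject action and both cascade actions can be observed on a live database. This is an added example, not part of the original slides; it assumes SQLite driven through Python's sqlite3 module, uses underscores where the slides write hyphens in attribute names, and its rows are constructed sample data.

```python
import sqlite3

# Constructed schema modelled on the slides' account/branch example.
# Assumption: underscores replace the hyphens used in the slides' names.
SCHEMA = """
create table branch (branch_name char(15) primary key);
create table account (
    account_number char(10),
    branch_name    char(15),
    balance        integer,
    primary key (account_number),
    foreign key (branch_name) references branch
        on delete cascade
        on update cascade,
    check (balance >= 0)
);
"""

def open_bank():
    db = sqlite3.connect(":memory:")
    db.execute("pragma foreign_keys = on")  # SQLite enforces foreign keys only when enabled
    db.executescript(SCHEMA)
    db.execute("insert into branch values ('Downtown')")
    db.executemany("insert into account values (?, 'Downtown', ?)",
                   [("A-101", 500), ("A-102", 900)])
    return db

def rejected(db, sql):
    """Return True when the DBMS refuses the statement on integrity grounds."""
    try:
        db.execute(sql)
        return False
    except sqlite3.IntegrityError:
        return True

def account_branches(db):
    rows = db.execute("select branch_name from account order by account_number")
    return [r[0] for r in rows]

def demo():
    db = open_bank()
    out = {
        # References a branch that does not exist: default action is to reject.
        "dangling_insert_rejected": rejected(
            db, "insert into account values ('A-201', 'Uptown', 10)"),
        # Violates check (balance >= 0).
        "negative_balance_rejected": rejected(
            db, "update account set balance = -1 where account_number = 'A-101'"),
    }
    # Renaming the referenced key propagates to every referencing account.
    db.execute("update branch set branch_name = 'Central' where branch_name = 'Downtown'")
    out["after_update_cascade"] = account_branches(db)
    # Deleting the branch silently deletes every account that references it.
    db.execute("delete from branch where branch_name = 'Central'")
    out["after_delete_cascade"] = account_branches(db)
    return out
```

The last step is the one to review before choosing `on delete cascade`: a single delete on the referenced table removes all referencing rows without any further check.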

Assertions

An assertion is a predicate expressing a condition that we wish the database to always satisfy.

Domain constraints and referential integrity constraints are special forms of assertions.

But there are many constraints we cannot express by using only these special forms.

EX1: The sum of all loan amounts for each branch must be less than the sum of all account balances at the branch.

Creating an Assertion

EX1:
    create assertion sum-constraint check
        (not exists (select * from branch
            where (select sum(amount) from loan
                   where loan.branch-name = branch.branch-name)
               >= (select sum(balance) from account
                   where account.branch-name = branch.branch-name)))

Creating an Assertion

When an assertion is created, the system will test it for validity.

If the assertion is valid, then any future modification to the database is allowed only if it does not cause the assertion to be violated.

But assertions can create a considerable amount of overhead, especially if complex assertions have been made.

Therefore, assertions should only be used with great care.

Triggers

A trigger is a statement that the system executes automatically as a side effect of a modification to the database.

To design a trigger we must meet two requirements:
1. Specify when a trigger is to be executed. This is broken up into an event that causes the trigger to be checked and a condition that must be satisfied for trigger execution to proceed.
2. Specify the actions to be taken when the trigger executes.

This is referred to as the event-condition-action model of triggers.

Triggers

The database stores triggers just as if they were regular data.

This way they are persistent and are accessible to all database operations.

Once a trigger is entered into the database, the database system takes on the responsibility of executing it whenever the event occurs and the condition is satisfied.

Need for Triggers

EX1: A good use for a trigger would be, for instance, if you own a warehouse and you sell out of a particular item, to automatically re-order that item and automatically generate the order invoice.

So, triggers are very useful for automating things in your database.
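
The warehouse re-order case written as an event-condition-action trigger. This is an added example, not part of the original slides; it assumes SQLite via Python's sqlite3 module, and the table names, column names and rows are constructed for illustration.

```python
import sqlite3

# Constructed warehouse schema (all names are assumptions for this example).
SCHEMA = """
create table inventory (item text primary key, level integer check (level >= 0));
create table reorder   (item text primary key, amount integer);
create table orders    (item text, amount integer);

-- Event:     an update of inventory.level.
-- Condition: the item has just sold out (level went from above zero to zero),
--            so later updates of an already empty item do not re-order again.
-- Action:    copy the standing re-order quantity into orders.
create trigger reorder_trigger
after update of level on inventory
for each row
when new.level = 0 and old.level > 0
begin
    insert into orders
        select item, amount from reorder where item = new.item;
end;
"""

def open_warehouse():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("insert into inventory values ('widget', 12)")
    db.execute("insert into reorder   values ('widget', 50)")
    return db

def set_level(db, item, level):
    """Record a new stock level and return the orders generated so far."""
    db.execute("update inventory set level = ? where item = ?", (level, item))
    return db.execute("select item, amount from orders").fetchall()

def demo():
    db = open_warehouse()
    return [
        set_level(db, "widget", 4),  # 12 -> 4: event fires, condition false, no order
        set_level(db, "widget", 0),  # 4 -> 0: sold out, trigger inserts one order
        set_level(db, "widget", 0),  # 0 -> 0: already empty, no duplicate order
    ]
```

Without the `old.level > 0` half of the condition, every update of a sold-out item would place another order.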

Security!

The information in your database is important.

Therefore, you need a way to protect it against unauthorized access, malicious destruction or alteration, and accidental introduction of data inconsistency.

Database Security

Database Security refers to protection from malicious access.

Absolute protection is impossible.

Therefore, make the cost to the perpetrator so high it will deter most attempts.

Malicious Access

Some forms of malicious access:
- Unauthorized reading (theft) of data
- Unauthorized modification of data
- Unauthorized destruction of data

To protect a database, we must take security measures at several levels.

Security Levels

Database System: Since some users may modify data while some may only query, it is the job of the system to enforce authorization rules.

Operating System: No matter how secure the database system is, the operating system may serve as another means of unauthorized access.

Network: Since most databases allow remote access, hardware and software security is crucial.

Physical: Sites with computer systems must be physically secured against entry by intruders or terrorists.

H: Users must be authorized carefully to reduce the chance of a user giving access to an intruder.

Authorization

For security purposes, we may assign a user several forms of authorization on parts of the databases which allow:
- Read: read tuples.
- Insert: insert new tuple, not modify existing tuples.
- Update: modification, not deletion, of tuples.
- Delete: deletion of tuples.

We may assign the user all, none, or a combination of these.

Authorization

In addition to the previously mentioned, we may also assign a user rights to modify the database schema:
- Index: allows creation and modification of indices.
- Resource: allows creation of new relations.
- Alteration: addition or deletion of attributes in a tuple.
- Drop: allows the deletion of relations.

Authorization in SQL

The SQL language offers a fairly powerful mechanism for defining authorizations by using privileges.

Privileges in SQL

SQL standard includes the privileges:
- Delete
- Insert
- Select
- Update
- References: permits declaration of foreign keys.

SQL includes commands to grant and revoke privileges.

Privileges in SQL

EX1:
    grant <privilege list>
    on <relation or view name>
    to <user>

EX2:
    grant update (amount)
    on loan
    to U1, U3, U4

Privilege to Grant Privileges

By default, a user granted privileges is not allowed to grant those privileges to other users.

To allow this, we append the “with grant option” clause to the appropriate grant command.

EX1:
    grant select on branch to U1 with grant option

Revoking Privileges

To revoke a privilege we use the ‘revoke’ clause, which is used very much like ‘grant’.

EX1:
    revoke <privilege list>
    on <relation or view name>
    from <user list>

Integrity: Conclusion

It is essential to ensure that the data in a database is accurate.

It is also important to protect the database from domain and referential integrity violations.

If the data is inaccurate or lacks integrity then the database loses effectiveness!

Security: Conclusion

We must also ensure that unauthorized users are prevented from accessing or modifying our database.

To do this, we implement authorization rules for users called privileges.

Thank You for your Attention!