COMP 5138
Relational Database Management Systems
Semester 2, 2007
Lecture 6B
Security with SQL
L7 Integrity & Security
Introduction to Database Security
Secrecy: Users should not be able to see things they are not supposed to.
E.g., A student can’t see other students’ grades.
Integrity: Users should not be able to modify things they are not supposed to.
E.g., Only instructors can assign grades.
Availability: Users should be able to see and modify things they are allowed to.
Access Controls
A security policy specifies who is authorized to do what.
A security mechanism allows us to enforce a chosen security policy.
Discretionary access control is the main mechanism at the DBMS level.

Discretionary Access Control
Based on the concept of access rights or privileges for objects (tables and views), and mechanisms for giving users privileges (and revoking privileges).
Creator of a table or a view automatically gets all privileges on it.
The DBMS keeps track of who subsequently gains and loses privileges, and ensures that only requests from users who have the necessary privileges (at the time the request is issued) are allowed.

GRANT command
The following privileges can be specified:
SELECT: Can read all columns (including those added later via the ALTER TABLE command).
INSERT: Can insert extra tuples.
DELETE: Can delete tuples.
UPDATE (col-name): the ability to update the values in this column in tuples. UPDATE on its own means the same right with respect to all columns.
REFERENCES (col-name): Can define foreign keys (in other tables) that refer to this column.
If a user has a privilege with the GRANT OPTION, they can pass the privilege on to other users (with or without passing on the GRANT OPTION).
Only owner can execute CREATE, ALTER, and DROP.
GRANT privileges ON object TO users [WITH GRANT OPTION]
Grant and Revoke of Privileges
GRANT INSERT, SELECT ON Students TO John
John can query Students or insert tuples into it.
GRANT DELETE ON Students TO John WITH GRANT OPTION
John can delete tuples, and also authorize others to do so.
GRANT UPDATE (title) ON Courses TO Dustin
Dustin can update (only) the title field of Courses tuples.
REVOKE: When a privilege is revoked from X, it is also revoked from all users who got it solely from X.
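The grant chain and the cascading revoke described on these two slides, as an added example that is not part of the lecture notes. It is written in PostgreSQL-style SQL and assumes it is run by the table owner (a superuser, so that SET ROLE is permitted); the table definitions and the user names john, dustin and mary are assumed for illustration.

```sql
-- Added example (not from the slides). PostgreSQL dialect; run as the owner.
CREATE TABLE Students (sid INTEGER PRIMARY KEY, name TEXT, gpa NUMERIC);
CREATE TABLE Courses  (cid INTEGER PRIMARY KEY, title TEXT, credits INTEGER);

-- Freshly created users hold no privileges on these tables; only the creator does.
CREATE USER john;
CREATE USER dustin;
CREATE USER mary;

-- John may read Students and insert into it, but not delete or update.
GRANT SELECT, INSERT ON Students TO john;

-- John may delete tuples and may pass that right on to others.
GRANT DELETE ON Students TO john WITH GRANT OPTION;

-- Dustin may update only the title column of Courses.
-- (In PostgreSQL an UPDATE with a WHERE clause also needs SELECT on the
-- columns it reads, so a column-level SELECT is granted alongside it.)
GRANT UPDATE (title), SELECT (cid, title) ON Courses TO dustin;

-- Dustin may declare foreign keys in his own tables that refer to Students.sid.
GRANT REFERENCES (sid) ON Students TO dustin;

-- John passes DELETE on to Mary; allowed because he holds the GRANT OPTION.
SET ROLE john;
GRANT DELETE ON Students TO mary;
RESET ROLE;

-- Mary obtained DELETE solely from John, so revoking it from John must also
-- remove it from Mary. PostgreSQL refuses the plain REVOKE (RESTRICT is the
-- default) while such dependent grants exist; CASCADE removes the whole chain.
REVOKE DELETE ON Students FROM john CASCADE;

-- Dustin never held DELETE, so his privileges are unaffected; John keeps
-- SELECT and INSERT, which were granted independently of DELETE.
```

After the final REVOKE neither john nor mary can delete from Students, which is the behaviour the REVOKE bullet describes; the CASCADE keyword is the PostgreSQL way of stating that dependent grants are to be removed too.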
Naming objects
Once another user has allowed you to access a particular object, you can perform queries that mention this object.
You must be able to name tables etc. of other users.
In Oracle, each user creates tables that are in a separate namespace; e.g. if lhossain has a table student, and comp5138-test has a table student, these are not the same table.
Say username.tablename to refer to a table of another user:
SELECT sid
FROM lhossain.student
WHERE degree = 'MIT'
Different vendors have different syntax and rules for this.
Grant and Revoke on Views
If the creator of a view loses the SELECT privilege on an underlying table, the view is dropped!
If the creator of a view loses a privilege held with the grant option on an underlying table, (s)he loses the privilege on the view as well; so do users who were granted that privilege on the view!
Granting a privilege on a view does not imply granting any privileges on the underlying relations.
Views and Security
Views can be used to present necessary information (or a summary), while hiding details in underlying relation(s).
Define a view that shows sailors and how many boats they reserved, but not which boats; if we grant select on that view to a user (but not select on Reserves itself), then they can find out who has reservations but not which boat.
Creator of view has a privilege on the view if (s)he has the privilege on all underlying tables.
Together with GRANT/REVOKE commands, views are a very powerful access control tool.
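The sailors-and-boats view from the previous slide, worked through as an added example that is not part of the lecture notes. It is PostgreSQL-style SQL; the schema (Sailors with sid, sname, rating, age; Reserves with sid, bid, day) and the user name alice are assumed.

```sql
-- Added example (not from the slides). PostgreSQL dialect; run as the owner.
CREATE TABLE Sailors  (sid INTEGER PRIMARY KEY, sname TEXT, rating INTEGER, age REAL);
CREATE TABLE Reserves (sid INTEGER REFERENCES Sailors(sid), bid INTEGER, day DATE,
                       PRIMARY KEY (sid, bid, day));

INSERT INTO Sailors  VALUES (22, 'Dustin', 7, 45.0), (31, 'Lubber', 8, 55.5);
INSERT INTO Reserves VALUES (22, 101, DATE '2007-08-01'),
                            (22, 103, DATE '2007-08-02'),
                            (31, 102, DATE '2007-08-03');

-- The view exposes each sailor and a count only; bid never appears in its output.
CREATE VIEW ReservationCounts AS
  SELECT S.sid, S.sname, COUNT(R.bid) AS boats_reserved
  FROM Sailors S LEFT JOIN Reserves R ON S.sid = R.sid
  GROUP BY S.sid, S.sname;

CREATE USER alice;

-- alice may read the summary, but receives no privilege on Reserves itself.
-- Granting on the view does not grant anything on the underlying relation.
GRANT SELECT ON ReservationCounts TO alice;

-- Connected as alice:
--   SELECT * FROM ReservationCounts;   -- works: (22, Dustin, 2), (31, Lubber, 1)
--   SELECT * FROM Reserves;            -- rejected: no privilege on Reserves
```

The view is evaluated with the privileges of its creator, who holds SELECT on both base tables, which is why alice's query against the view succeeds while her direct query against Reserves is refused. If the creator later lost SELECT on Reserves, the view would go with it, as the previous slide states.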
Role-based Authorisation
In SQL-92, privileges are actually assigned to authorisation ids, which can denote a single user or a group of users.
In SQL:1999 (and in many current systems), privileges are assigned to roles.
Roles can then be granted to users and to other roles.
Reflects how real organisations work.
Example:
create role manager
grant select, insert on students to manager
grant manager to lhossain
Limitations of SQL Authorisation
SQL does not support authorization at a tuple level.
E.g. we cannot restrict students to see only (the tuples storing) their own grades.
Can be simulated to a certain degree using Views, but VERY cumbersome.
With the growth in Web access to databases, database accesses come primarily from application servers.
End users don't have database user ids, they are all mapped to the same database user id
All end-users of an application (such as a web application) may be mapped to a single database user.
The task of authorisation in the above cases falls on the application program, with no support from SQL.
Benefit: fine grained authorisations, such as to individual tuples, can be implemented by the application.
Drawback: Authorisation must be done in application code, and may be dispersed all over an application.
Checking for absence of authorisation loopholes becomes very difficult since it requires reading large amounts of application code.
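How the view-based simulation of tuple-level authorisation mentioned on the previous slide can be built, as an added example that is not part of the lecture notes. It is PostgreSQL-style SQL and assumes a Grades table with a login column holding each student's database user name, a role named student, and the user names s_alice and s_bob; all of these are assumed for illustration.

```sql
-- Added example (not from the slides). PostgreSQL dialect; run as the owner.
CREATE TABLE Grades (
  sid   INTEGER,
  login TEXT NOT NULL,      -- database user name of the student owning the row
  cid   INTEGER,
  grade TEXT,
  PRIMARY KEY (sid, cid)
);

-- One role for all students; each student's login is made a member of it.
CREATE ROLE student;
CREATE USER s_alice IN ROLE student;
CREATE USER s_bob   IN ROLE student;

INSERT INTO Grades VALUES (1, 's_alice', 5138, 'HD'),
                          (2, 's_bob',   5138, 'P');

-- The view keeps only the rows whose login matches the connected user.
-- CURRENT_USER is evaluated for the session running the query, not for the
-- view's owner, so each student gets a different slice of the table.
CREATE VIEW MyGrades AS
  SELECT sid, cid, grade
  FROM Grades
  WHERE login = CURRENT_USER;

-- The role receives SELECT on the view only; the base table stays private.
GRANT SELECT ON MyGrades TO student;

-- Connected as s_alice:
--   SELECT * FROM MyGrades;   -- returns only (1, 5138, 'HD')
--   SELECT * FROM Grades;     -- rejected: student holds no privilege on Grades
```

This illustrates why the slide calls the approach cumbersome: every table that needs row-level restriction requires its own owner column and its own filtering view, every application must be written to use the view rather than the table, and the whole scheme only works when each end user connects under their own database user id, which the following bullets note is rarely the case for web applications.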