Database Security
TRANSCRIPT
F0004
Database Security *Property of STI Page 1 of 10
TOPIC TITLE: Database Security
SPECIFIC OBJECTIVES: At the end of the topic session, the students are expected to:
Cognitive:
1. Define database security.
2. Explain the SQL security model.
3. Identify the importance of User IDs, Objects, and Privileges.
4. Identify the use of the GRANT statement for security privileges.
5. Identify the use of the REVOKE statement for security privileges.
Affective:
1. Listen to others with respect.
2. Actively participate in class discussions.
MATERIALS/EQUIPMENT:
o 09 OHP Slides 1.pdf
o OHP
TOPIC PREPARATION:
o Have the students research on the following: Database Security
o Prepare additional examples on the topic to be presented.
o It is imperative for the instructor to incorporate various kinds of teaching strategies while discussing the suggested topics. The instructor may use the suggested learning activities below to facilitate a thorough and creative discussion of the topic.
o Prepare the slides to be presented in class.
TOPIC PRESENTATION: The topic discusses database security. This will be the suggested flow of discussion for the course topic:
1. Start the class by asking the students to define database security.
2. Define database security and explain its importance by giving different scenarios.
3. Provide the purpose of the SQL security model and discuss its three concepts.
4. Explain the uses of User IDs and their importance.
5. Relate the purpose of Objects to SQL security.
6. Discuss the different groups, types, and objects of Privileges.
7. Discuss how to create users.
8. Explain the uses of the GRANT statement.
9. Explain when to use the REVOKE statement.
Introduction to Database Security Page 1 of 11
Advanced Database Systems
* Property of STI
Introduction to Database Security
One of the requirements of any database is to be able to protect the data from unauthorized usage or malicious attacks. A database system must ensure that all authorized users can easily access any information available to them. On the contrary, unauthorized users must not have access to the data in any form. In today's world, the security of data in the database is a primary concern. Exposure of personal information such as social security numbers, credit card information, or medical information to the public can bring costly lawsuits or even government fines and litigation. Even so, the theft or exposure of information can still be carried out from anywhere, so the old-fashioned way of securing data is no longer adequate. The security issues that the database users or administrators must address are broken down into basic situations as follows:
o Accessing data in a table should be limited only to qualified users.
o Modifying tables must be limited only to qualified users with administrator rights.
o Accessibility to columns/rows of a table must be defined for certain users.
An SQL security model is defined to address the issues or problems described above. This security model allows us to determine the qualified users that can access or modify specific data. The next discussion tackles the SQL security model in more detail. [Introduction to Database Security, Page 1 of 11]
The SQL Security Model Page 2 of 11
The SQL Security Model
Security is a major concern for most systems, network, or database administrators. It is essential to first implement security within the organization, to make sure that the right people have access to the right data. A security model will guide the administrators in implementing security in the organization. Without these security measures in place, you might find someone destroying your valuable data, selling your company's secrets to your competitors, or invading the privacy of others. Primarily, a security model defines the security plan, which is used to identify which users in the organization can see which data and perform which activities in the database. The SQL security model provides a basic syntax used to specify security restrictions. The DBMS then implements the security system and enforces the required restrictions. SQL grants access to objects to users; it does not restrict access. Therefore, a user cannot perform any action until SQL grants the request. There are three concepts of SQL security as follows:
o Users. Users or User IDs represent people or programs performing actions on objects in the database. Whenever the DBMS creates a new table, inserts or deletes records in that table, or modifies the records in that table, a user ID is associated with the action. The DBMS grants user IDs privileges to perform specific actions on specific tables.
o Objects. The SQL standards define specific objects in the database that users can manipulate. Originally, the only objects defined were tables and views. However, the standard has been expanded to include specific columns in tables as well as domains and character sets, and the individual DBMS often adds its own objects for users to manipulate.
o Privileges. SQL security comprises privileges that allow users to manipulate objects. These privileges start with SELECT, INSERT, DELETE, and UPDATE for tables and views but have been expanded to include privileges appropriate to non-data objects. Setting up security on a database involves creating objects such as tables and views, creating users, and finally granting authority to perform specific actions on specific objects to specific users.
Figure 11.1 Assigning Privileges
In Figure 11.1, Mary has been granted full privileges on the Personnel table, but Sue has been granted only the SELECT, UPDATE, and INSERT privileges on specific columns. Likewise, an Order Entry group has been created and given full access to the Orders table, while a Shipping group was created and granted UPDATE privileges only on some columns. [The SQL Security Model, Pages 2-3 of 11]
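The assignments in Figure 11.1, written out as SQL statements. This is an added example, not part of the STI material; it uses standard SQL with roles (as implemented in PostgreSQL) standing in for the groups the text mentions. The table columns, the role names order_entry and shipping, and the passwords are assumptions, since the figure does not list them.

```sql
-- Added example (not from the STI material): the privilege layout of
-- Figure 11.1 in standard SQL. Roles stand in for "groups"; column names,
-- role names and passwords are assumptions. PostgreSQL-compatible.

-- Objects. The schema owner creates the tables and is therefore the grantor.
CREATE TABLE Personnel (
    emp_id    INTEGER PRIMARY KEY,
    name      VARCHAR(60),
    phone     VARCHAR(20),
    salary    DECIMAL(10, 2)
);
CREATE TABLE Orders (
    order_id  INTEGER PRIMARY KEY,
    emp_id    INTEGER REFERENCES Personnel (emp_id),
    status    VARCHAR(12),
    ship_date DATE
);

-- Users: name/password pairs (CREATE USER is vendor-specific; PostgreSQL
-- form shown, password values are placeholders).
CREATE USER mary PASSWORD '<mary-password>';
CREATE USER sue  PASSWORD '<sue-password>';

-- Mary: full privileges on Personnel.
GRANT ALL PRIVILEGES ON Personnel TO mary;

-- Sue: SELECT, UPDATE and INSERT on specific columns only. The column
-- lists confine each privilege; salary is never reachable for sue.
GRANT SELECT (emp_id, name, phone),
      UPDATE (phone),
      INSERT (emp_id, name, phone)
    ON Personnel TO sue;

-- Groups: a role collects privileges, then users are made members of it.
CREATE ROLE order_entry;
CREATE ROLE shipping;
GRANT ALL PRIVILEGES ON Orders TO order_entry;        -- full access
GRANT UPDATE (status, ship_date) ON Orders TO shipping; -- some columns only

-- Membership: privileges reach the person through the group, so changing
-- the group's grants changes every member at once.
GRANT order_entry TO sue;
```

Because nothing is granted to sue on the salary column, a SELECT that names salary is rejected even though she holds SELECT on the same table; column-level grants are how the "accessibility to columns" requirement of the introduction is met.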
User IDs Page 4 of 11
User IDs
Setting up security begins with creating user IDs and passwords, a process that varies enormously from DBMS to DBMS. User IDs are the foundation of SQL security because each one is unique. At least one user ID is created by the database, known variously as the database owner (DBO), system administrator (SA), etc. This user can be referred to as the superuser that starts everything, typically creating the first tables and creating the user IDs of the other users allowed in the database.
In simple databases, it is common for all users to log in as the system administrator, which means that every user has all privileges on all objects. In a small office where no one is capable of understanding and maintaining database security, this may be an appropriate model, but for large corporations this is a recipe for disaster.
In a secure DBMS, a user ID is a name/password pair that allows some entity to perform actions in the database. The entity may be a person, a program, or a program directly manipulated by a person, but the end result is that the entity has to log in to the database, providing a valid username and password. The DBMS looks up the username and password, validates that both are acceptable in the system, and determines the user's level in the database. In a secured database, a user is assigned a user ID, and the user ID has a corresponding password. The user ID then becomes the central character in the security system. Every SQL statement is executed on behalf of a user ID, and the privileges assigned to that user ID determine which statements it can legally perform. [User IDs, Page 4 of 11]
Objects Page 5 of 11
Objects
The SQL standard defines security in terms of the objects on which actions are performed. In the SQL1 standard, the only objects to which security applies are tables and views. Thus, privileges are assigned to a user ID to perform an action on a table or a view. If a user is not granted a privilege on an object, then that user cannot access the object. SQL2 extended the security syntax and added new objects such as user-defined character sets and domains. Figure 11.2 shows that user ID Fred is granted the SELECT privilege on tblPersonnel, whereas user ID John is granted the SELECT privilege on tblPersonnel as well as the UPDATE privilege on tblOrders.
Figure 11.2 Using Grant
Modern DBMSs have added further objects to the security syntax, such as stored procedures in SQL Server. Stored procedures are programming functions that users can create to perform all sorts of tasks. The ability to create and drop these functions can be controlled by the security system: certain user IDs are granted permission to create or drop stored procedures, while others are not. Similarly, the physical tablespaces in which tables are created and stored are treated as security objects, and a user ID must be granted permission to create tables in a given tablespace. In summary, the modern DBMS has simply extended the SQL syntax to allow the granting of privileges on objects not considered by the SQL standard. These extensions vary from DBMS to DBMS, and because the extensions are specific to the DBMS, the methods used to grant these privileges also vary considerably. [Objects, Page 5 of 11]
Privileges Page 6 of 11
Privileges
Privileges are authority levels used to access the database, access objects within the database, manipulate data in the database, and perform various administrative functions within the database. Privileges are issued via the GRANT command and are taken away via the REVOKE command. The privileges that can be granted are divided into four groups:
o Column privileges relate to one specific column of a table. For example, the privilege to update the values in the UNITS column of the COURSE table using UPDATE statements.
o Table privileges relate to all data of one specific table. For example, the privilege to query all the data of the STUDENTS table using SELECT statements.
o Database privileges relate to all tables of one specific database. For example, the privilege to create new tables in the existing REGISTRATION database.
o User privileges relate to all databases that are known to SQL. For example, the privilege to remove existing databases or to create new ones.
Being able to connect to a database does not give a user the privilege to access all data within that database. Access to data within the database is handled through these privileges. There are two types of privileges:
o System privileges
o Object privileges
System privileges are privileges that allow database users to perform administrative actions within the database, such as creating a database, dropping a database, creating user accounts, dropping users, dropping and altering database objects, altering the state of objects, altering the state of the database, and other actions that could have serious repercussions if not carefully used. System privileges vary among the different relational database vendors; therefore, check the particular implementation for all the available system privileges and their correct usage.
Object privileges are authority levels on objects, which means that a user must be granted the appropriate privileges by the object's owner in order to perform certain actions on the database objects. The object's owner is also called the schema owner. For example, in order to select data from another user's table, the owner of that table must first grant access to the object. SQL supports the following object privileges:
o SELECT: This privilege gives a user the right to access the specified table with the SELECT statement.
o INSERT: This privilege gives a user the right to add rows to the specified table with the INSERT statement.
o DELETE: This privilege gives a user the right to remove rows from the specified table with the DELETE statement.
o UPDATE: This privilege gives a user the right to change values in the specified table with the UPDATE statement.
o REFERENCES: This privilege gives a user the right to create foreign keys that refer to the specified table.
o ALTER: This privilege gives a user the right to change the table with the ALTER TABLE statement.
o INDEX: This privilege gives a user the right to define indexes on the table.
Most implementations of SQL adhere to the standard list of object privileges for controlling access to database objects. These object-level privileges are those privileges that should be used to grant and restrict access to objects in a schema. These privileges can be used to protect objects in one schema from database users that have access to another schema in the same database. The ability to delete data from another user's object is another common object privilege available in many implementations. Remember to check your implementation documentation for all the available object-level privileges.
Usually, the DBA issues the GRANT and REVOKE commands, although a security administrator, if one exists, may also have the authority to do so. The authority on which privileges will be granted or revoked should come from management and, hopefully, be in writing. Moreover, the owner of an object must grant privileges to other users in the database to use the object. Even the DBA cannot grant database users privileges on objects that do not belong to the DBA, although there are still ways to work around that. [Privileges, Pages 6-7 of 11]
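An added example, not from the STI material, that shows one GRANT for each of the four privilege groups listed above, the split between system and object privileges, and the REFERENCES object privilege in use. It is written in PostgreSQL dialect, where the right to create tables is scoped to a schema inside the database; the user names registrar and payroll, the table columns, and the passwords are assumptions, while the table and column names COURSE, UNITS, and STUDENTS come from the text's own examples.

```sql
-- Added example (not from the STI material). PostgreSQL dialect; user
-- names, columns and passwords are assumptions. Statements are grouped by
-- who runs them, because object privileges come from the object's owner.

-- === Run by the superuser / DBA: system privileges =====================
CREATE USER registrar PASSWORD '<placeholder>';
CREATE USER payroll   PASSWORD '<placeholder>';
-- "User privilege" group: registrar may create, and so also drop, databases.
ALTER USER registrar CREATEDB;
-- "Database privilege" group: create new tables. PostgreSQL attaches this
-- to a schema inside the database rather than to the database as a whole.
GRANT CREATE ON SCHEMA public TO registrar, payroll;

-- === Run by registrar, who therefore owns these objects =================
CREATE TABLE students (
    student_id INTEGER PRIMARY KEY,
    name       VARCHAR(60),
    birthdate  DATE
);
CREATE TABLE course (
    course_id  INTEGER PRIMARY KEY,
    title      VARCHAR(60),
    units      INTEGER
);
-- "Table privilege" group: query all data of STUDENTS.
GRANT SELECT ON students TO payroll;
-- "Column privilege" group: change only the UNITS column of COURSE.
GRANT UPDATE (units) ON course TO payroll;
-- Object privilege REFERENCES: payroll may point a foreign key at
-- students.student_id. This does not by itself let payroll read or change
-- the referenced rows; that still needs the SELECT/UPDATE grants above.
GRANT REFERENCES (student_id) ON students TO payroll;

-- === Run by payroll ======================================================
-- Allowed only because of the REFERENCES grant; without it the statement
-- fails with a permission error. In the model the text describes it is the
-- owner, registrar, who issues that grant.
CREATE TABLE stipend (
    student_id INTEGER REFERENCES students (student_id),
    amount     DECIMAL(10, 2)
);
-- Inside the granted column privilege: accepted.
UPDATE course SET units = 3 WHERE course_id = 101;
-- Outside it (title was never granted): rejected with a permission error.
-- UPDATE course SET title = 'Databases' WHERE course_id = 101;
```

Keeping the system privileges on the DBA side and the object grants on the owner side mirrors the text's rule that the owner, not the DBA, decides who may use an object.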
Adding and Removing Users Page 8 of 11
Adding Users
Some DBMSs have SQL statements, extensions to the SQL standard specific to that DBMS, that allow creating users. For example, in Oracle the statement is as follows:
CREATE USER username IDENTIFIED { BY password | EXTERNALLY | GLOBALLY AS external_name } [ options ]
In Sybase, the syntax is as follows:
GRANT CONNECT TO userid , . . . [ AT starting-id ] IDENTIFIED BY password, . . .
GRANT CONNECT can also be used by any user to change the password. For example, use the following to create a user with an empty string as the password:
GRANT CONNECT TO userid IDENTIFIED BY ""
Use the following to create a user with no password:
GRANT CONNECT TO userid
A user with no password cannot connect to the database. However, this can be useful if you are creating a group and you do not want anyone to connect to the database using the group user ID. The example below makes two new users for the database:
GRANT CONNECT TO John, Patrick IDENTIFIED BY Stephan, Rolly
[Adding Users, Page 8 of 11]
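An added example, not from the STI material, creating equivalent accounts in the two dialects shown above. User names and passwords are placeholders. The Oracle part includes the CREATE SESSION grant that the CREATE USER syntax above does not show; without it the account exists but cannot log in.

```sql
-- Added example (not from the STI material). User names and passwords are
-- placeholders. Each dialect is shown separately; run only the part that
-- matches your DBMS.

-- ----- Oracle --------------------------------------------------------------
-- CREATE USER creates the account but grants it nothing, not even the right
-- to log in; the CREATE SESSION system privilege supplies that.
CREATE USER john IDENTIFIED BY "<initial-password>";
GRANT CREATE SESSION TO john;
-- Force a change of the initial password at first login.
ALTER USER john PASSWORD EXPIRE;
-- An externally authenticated account (operating-system or directory
-- login) carries no database password at all.
CREATE USER svc_report IDENTIFIED EXTERNALLY;
GRANT CREATE SESSION TO svc_report;

-- ----- Sybase / SQL Anywhere (syntax as given in the text) -----------------
-- Two users at once; the n-th password belongs to the n-th user ID.
GRANT CONNECT TO john, patrick IDENTIFIED BY "<pw-john>", "<pw-patrick>";
-- A group-style user ID with no password: privileges can be collected on
-- it, but nobody can log in as it.
GRANT CONNECT TO order_entry;
-- The same statement changes an existing user's password.
GRANT CONNECT TO john IDENTIFIED BY "<new-password>";
```

The no-password form is the one to use for group IDs; an empty-string password, by contrast, is a real credential that lets anyone who knows the user name connect.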
Granting Privileges Page 9 of 11
Granting Privileges
The basic GRANT statement is used to grant security privileges on database objects to specific users or, in some DBMS implementations, to groups. In Sybase, the GRANT statement is used to grant permissions on individual tables or views. The table permissions can be specified individually, or ALL can be used to grant all six permissions at once. For compatibility, the GRANT statement works only for user IDs; groups do not exist. When you create a table, you are the owner of that table and you can use the GRANT statement to grant privileges to any user you want. The syntax is as follows:
GRANT {
    ALL [ PRIVILEGES ],
    ALTER,
    DELETE,
    INSERT,
    REFERENCES [ ( column-name, . . . ) ],
    SELECT [ ( column-name, . . . ) ],
    UPDATE [ ( column-name, . . . ) ],
}
ON [ owner.]table-name
TO userid , . . .
[ WITH GRANT OPTION ]
[ FROM userid ]
The example below shows the syntax for granting the SELECT permission, and the UPDATE permission on the street column only, on the employee table to user Laurel:
GRANT
    SELECT, UPDATE ( street )
    ON employee
    TO Laurel
NOTE: One or more permissions can be granted in a single statement by separating the permissions with commas. [Granting Privileges, Pages 9-10 of 11]
Revoking Privileges Page 11 of 11
Revoking Privileges
If you have granted privileges and later need to revoke them, use the REVOKE statement. Revoking privileges can yield unexpected results depending on the implementation used by your DBMS, on whether more than one user granted privileges on an object, and on the time sequence of the grants. The REVOKE syntax is almost the same as the GRANT syntax. The REVOKE statement can take away some or all of the privileges assigned in a GRANT statement, from some or all of the user IDs. In Sybase, the syntaxes are as follows:
Syntax 1
REVOKE special-priv , . . . FROM userid , . . .
special-priv :
    CONNECT
Syntax 2
REVOKE table-priv , . . . ON [ owner.]table-name FROM userid , . . .
table-priv :
    ALL [ PRIVILEGES ]
    | ALTER
    | DELETE
    | INSERT
    | REFERENCES [ ( column-name, . . . ) ]
    | SELECT [ ( column-name, . . . ) ]
    | UPDATE [ ( column-name, . . . ) ]
Syntax 1 revokes special user permissions, while Syntax 2 revokes table permissions. REVOKE CONNECT removes a user ID from a database and destroys any objects (tables, views, procedures, etc.) owned by that user, along with any permissions granted by that user. The example below prevents user Patrick from updating the employee table:
REVOKE UPDATE ON employee FROM Patrick;
Another example drops user ID Stephan from the database:
REVOKE CONNECT FROM Stephan
[Revoking Privileges, Page 11 of 11]
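An added example, not from the STI material, that ties the Granting Privileges and Revoking Privileges sections together and shows why revoking can give unexpected results: a privilege passed on under WITH GRANT OPTION depends on the grant it came from. It uses the standard SQL RESTRICT/CASCADE forms of REVOKE as implemented in PostgreSQL, not the Sybase syntax above; the user names follow the text's examples, while the employee table, its street column, and the owner account hr are assumptions.

```sql
-- Added example (not from the STI material). Standard SQL REVOKE with
-- RESTRICT / CASCADE as implemented in PostgreSQL. The employee table and
-- the owner account hr are assumptions; user names follow the text.

-- === Run by hr, owner of employee =========================================
-- The GRANT example from the text, plus permission for laurel to pass
-- SELECT on to others.
GRANT SELECT, UPDATE (street) ON employee TO laurel;
GRANT SELECT ON employee TO laurel WITH GRANT OPTION;

-- === Run by laurel ========================================================
-- patrick's SELECT now depends on laurel's grant.
GRANT SELECT ON employee TO patrick;

-- === Run by hr again ======================================================
-- RESTRICT refuses to revoke while a dependent grant exists, so nothing
-- changes for patrick without hr noticing. This statement fails with an
-- error (and aborts the transaction if run inside one):
REVOKE SELECT ON employee FROM laurel RESTRICT;

-- CASCADE removes laurel's SELECT and every privilege derived from it, so
-- patrick loses SELECT too although his name is not in the statement.
-- This is the "unexpected result" the text warns about.
REVOKE SELECT ON employee FROM laurel CASCADE;

-- Narrower alternative: take back only the right to re-grant and keep
-- laurel's own SELECT. (Re-granted first so the sequence is self-contained.)
GRANT SELECT ON employee TO laurel WITH GRANT OPTION;
REVOKE GRANT OPTION FOR SELECT ON employee FROM laurel CASCADE;

-- A column-level revoke mirrors the column-level grant from the text.
REVOKE UPDATE (street) ON employee FROM laurel;

-- === Run by the superuser: removing a user ================================
-- Sybase's REVOKE CONNECT destroys everything the user owns. PostgreSQL
-- instead refuses DROP USER while objects are still owned, so transfer
-- them first rather than lose them:
REASSIGN OWNED BY patrick TO hr;
DROP OWNED BY patrick;   -- drops what remains and revokes privileges granted to patrick
DROP USER patrick;
```

Before removing a user, listing what that user owns and what that user has granted to others is the check that avoids the silent loss of objects and privileges described for REVOKE CONNECT.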
GENERALIZATION:
o SQL security centers around users (or user IDs) that can grant privileges on database objects such as tables and views.
o Data in specific tables and views, and even columns of specific tables and views can be made available to some users.
o The GRANT statement grants SELECT, UPDATE, INSERT, and DELETE privileges to specific users.
o The REVOKE statement is used to revoke privileges granted to a user.
REFERENCES:
o Elmasri, Ramez and Navathe, Shamkant, (2007), Fundamentals of Database Systems, Pearson Education, 4th ed.
o Ramakrishnan, Raghu and Gehrke, Johannes, (2002), Database Management Systems, McGraw-Hill, 3rd ed.
o Date, C.J., An Introduction to Database Systems, Addison Wesley, 7th ed.
o Elmasri, Ramez and Navathe, Shamkant, (2006), Fundamentals of Database Systems, Addison Wesley Co.