
Upload: anne-lee

Post on 17-Feb-2017


F0004

Database Security *Property of STI Page 1 of 10

TOPIC TITLE: Database Security

SPECIFIC OBJECTIVES: At the end of the topic session, the students are expected to:

Cognitive:
1. Define database security.
2. Explain the SQL security model.
3. Identify the importance of User IDs, Objects, and Privileges.
4. Identify the use of the GRANT statement for security privileges.
5. Identify the use of the REVOKE statement for security privileges.

Affective:
1. Listen to others with respect.
2. Actively participate in class discussions.

MATERIALS/EQUIPMENT:
o 09 OHP Slides 1.pdf
o OHP

TOPIC PREPARATION:
o Have the students research the following: Database Security
o Prepare additional examples on the topic to be presented.
o It is imperative for the instructor to incorporate various kinds of teaching strategies while discussing the suggested topics. The instructor may use the suggested learning activities below to facilitate a thorough and creative discussion of the topic.
o Prepare the slides to be presented in class.

TOPIC PRESENTATION: The topic discusses database security. This will be the suggested flow of discussion for the course topic:
1. Start the class by asking the students to define database security.
2. Define database security and explain its importance by giving different scenarios.
3. Provide the purpose of the SQL security model and discuss its three concepts.
4. Explain the uses of User IDs and their importance.
5. Relate the purpose of Objects to SQL security.
6. Discuss the different groups, types, and objects of Privileges.
7. Discuss how to create users.
8. Explain the uses of the GRANT statement.
9. Explain when to use the REVOKE statement.


Introduction to Database Security Page 1 of 11

Advanced Database Systems
* Property of STI

Database Security

Introduction to Database Security

The security issues that the database users or administrators must address are broken down into basic situations as follows:
o Accessing data in a table should be limited only to qualified users.
o Modifying tables must be limited only to qualified users with administrator rights.
o Accessibility to columns/rows of a table must be defined for certain users.

Introduction to Database Security

One of the requirements of any database is to be able to protect the data from unauthorized usage or malicious attacks. A database system must ensure that all authorized users can easily access any information available to them. Conversely, unauthorized users must not have access to the data in any form. In today's world, the security of data in the database is a primary concern. Exposure of personal information such as social security numbers, credit card information or medical information to the public can bring costly lawsuits or even government fines and litigation. Even so, theft or exposure of information can still occur anywhere. Because of this, the old-fashioned way of securing data is no longer adequate. The security issues that the database users or administrators must address are broken down into basic situations as follows:

o Accessing data in a table should be limited only to qualified users.
o Modifying tables must be limited only to qualified users with administrator rights.
o Accessibility to columns/rows of a table must be defined for certain users.

An SQL security model is defined to address the issues or problems described above. This security model allows us to determine the qualified users that can access or modify specific data. The next discussion tackles more about SQL security model. [Introduction to Database Security, Page 1 of 11]

The SQL Security Model Page 2 of 11

The SQL Security Model

o The SQL security model provides a basic syntax used to specify security restrictions.
o There are three concepts of SQL security, as follows: Users, Objects, Privileges.

The SQL Security Model

Security is a major concern for most system, network or database administrators. It is essential to first implement security within the organization, to make sure that the right people have access to the right data. A security model will guide the administrators in implementing security in the organization. Without these security measures in place, you might find someone destroying your valuable data, selling your company's secrets to your competitors, or invading the privacy of others. Primarily, a security model defines the security plan, which is used to identify which users in the organization can see which data and perform which activities in the database. The SQL security model provides a basic syntax used to specify security restrictions. The DBMS then implements the security system and enforces the required restrictions. SQL works by granting access to objects to users; it does not work by restricting access that users already have. Therefore, a user cannot perform any action until that action has been granted. There are three concepts of SQL security, as follows:

Users

Users or user IDs represent people or programs performing actions on objects in the database. Whenever the DBMS creates a new table, inserts or deletes records in that table, or modifies the records in that table, a user ID is associated with the action. The DBMS grants user IDs privileges to perform specific actions on specific tables.


The SQL Security Model Page 3 of 11

The SQL Security Model

Figure 11.1 Assigning Privileges

Objects

The SQL standards define specific objects in the database that users can manipulate. Originally, the only objects defined were tables and views. However, the standard has been expanded to include specific columns in tables as well as domains and character sets, and the individual DBMS often adds its own objects for users to manipulate.

Privileges

SQL security comprises privileges that allow users to manipulate objects. These privileges start with SELECT, INSERT, DELETE, and UPDATE for tables and views but have been expanded to include privileges appropriate to non-data objects. Setting up security on a database involves creating objects such as tables and views, creating users, and finally granting authority to perform specific actions on specific objects to specific users.


In Figure 11.1, Mary has been granted full privileges on the Personnel table, but Sue has been granted only the SELECT, UPDATE, and INSERT privileges on specific columns. Likewise, an Order Entry group has been created and full access has been given to this group on the Orders table, while a Shipping group was created and granted the UPDATE privileges only to some columns. [The SQL Security Model, Pages 2-3 of 11]
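The Figure 11.1 assignment written out as SQL, as an added example that is not part of the STI guide. It uses PostgreSQL syntax, where a group is a role without login and column privileges are written inside the GRANT statement. The table columns, the exact columns Sue is allowed to touch, the role names in lowercase and the passwords are assumptions; the guide only names the tables, the two users and the two groups.

```sql
-- Added example (not the guide's own code): Figure 11.1 in PostgreSQL syntax.
-- Table columns, Sue's column list and the passwords are assumed.

-- Constructed schema so the script runs in an empty database.
CREATE TABLE personnel (
    emp_id  integer PRIMARY KEY,
    name    text NOT NULL,
    dept    text,
    salary  numeric(10,2)
);
CREATE TABLE orders (
    order_id  integer PRIMARY KEY,
    emp_id    integer REFERENCES personnel(emp_id),
    status    text,
    ship_date date
);

-- Users: two individual user IDs (login roles) and two groups (roles nobody logs in as).
CREATE ROLE mary LOGIN PASSWORD 'change-me';
CREATE ROLE sue  LOGIN PASSWORD 'change-me';
CREATE ROLE order_entry NOLOGIN;
CREATE ROLE shipping    NOLOGIN;

-- Mary: full privileges on the Personnel table. No WITH GRANT OPTION, so she cannot pass them on.
GRANT ALL PRIVILEGES ON personnel TO mary;

-- Sue: SELECT, UPDATE and INSERT restricted to specific columns (assumed set).
-- Nothing here lets her read or change salary.
GRANT SELECT (emp_id, name, dept) ON personnel TO sue;
GRANT UPDATE (dept)               ON personnel TO sue;
GRANT INSERT (emp_id, name, dept) ON personnel TO sue;

-- Order Entry group: full access to Orders. Shipping group: UPDATE on two columns only.
GRANT ALL PRIVILEGES ON orders TO order_entry;
GRANT UPDATE (status, ship_date) ON orders TO shipping;

-- Group membership: a member inherits the group's privileges on top of its own.
GRANT order_entry TO mary;
GRANT shipping    TO sue;

-- Check: the effective privileges per grantee, from the standard information_schema views.
-- A grant wider than the figure intends shows up here as an extra row.
SELECT grantee, table_name, privilege_type
  FROM information_schema.table_privileges
 WHERE table_name IN ('personnel', 'orders')
 ORDER BY grantee, table_name, privilege_type;

SELECT grantee, table_name, column_name, privilege_type
  FROM information_schema.column_privileges
 WHERE grantee IN ('sue', 'shipping')
 ORDER BY grantee, table_name, column_name, privilege_type;
```

Run the script as a superuser or as the owner of both tables. The two queries at the end are the review step: table_privileges lists what each user or group holds on whole tables, and column_privileges shows that Sue and the Shipping group are confined to the named columns.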


User IDs Page 4 of 11

User IDs

o Setting up security begins with creating user IDs and passwords, a step that varies enormously from DBMS to DBMS.
o In a secure DBMS, a user ID is a name/password pair that allows some entity to perform actions in the database.

User IDs

Setting up security begins with creating user IDs and passwords, a step that varies enormously from DBMS to DBMS. User IDs are the foundation of SQL security because each one is unique. At least one user ID is created by the database, known variously as the database owner (DBO), system administrator (SA), etc. This user can be referred to as the superuser that starts everything, typically creating the first tables and creating the user IDs of the other users allowed in the database. In simple databases, it is common for all users to log in as the system administrator, which means that every user has all privileges on all objects. In a small office where no one is capable of understanding and maintaining database security, this may be an appropriate model, but for large corporations it is a recipe for disaster. In a secure DBMS, a user ID is a name/password pair that allows some entity to perform actions in the database. The entity may be a person, a program, or a program directly manipulated by a person, but the end result is that the entity has to log in to the database, providing a valid username and password. The DBMS looks up the username and password, validates that both are acceptable in the system, and determines the user's level in the database. In a secured database, a user is assigned a user ID, and the user ID has a corresponding password. The user ID then becomes the central character in the security system. Every SQL statement is executed on behalf of a user ID, and the privileges assigned to a user ID determine which statements can legally be performed by that user ID. [User IDs, Page 4 of 11]

Objects Page 5 of 11

Objects

o The SQL standard defines security in terms of objects on which actions are performed.
o In the SQL1 standard, the only objects to which security is applied are tables and views.

Figure 11.2 Using Grant

Objects

The SQL standard defines security in terms of objects on which actions are performed. In the SQL1 standard, the only objects to which security is applied are tables and views. Thus, privileges are assigned to a user ID to perform an action on a table or a view. If a user is not granted a privilege on an object, then that user cannot access the object. SQL2 extended the security syntax and added new objects such as user-defined character sets and domains. Figure 11.2 shows that user ID Fred is granted SELECT privileges on tblPersonnel, whereas user ID John is granted SELECT privileges on tblPersonnel as well as UPDATE privileges on tblOrders.



Modern DBMSs have added further objects to the security syntax to cover objects such as stored procedures in SQL Server. Stored procedures are programming functions that users can create to perform all sorts of tasks. The ability to create and drop these functions can be controlled by the security system; for instance, certain user IDs are granted permission to create or drop stored procedures, while others are not. As another example, the physical tablespaces where tables are created and stored are treated as security objects: only user IDs that have been granted permission may create tables in a given tablespace. In summary, the modern DBMS has simply extended the SQL syntax to allow granting of privileges on objects not considered by the SQL standard. These extensions vary from DBMS to DBMS, and because the extensions are specific to the DBMS, the methods used to grant these privileges also vary considerably. [Objects, Page 5 of 11]
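Figure 11.2 in SQL Server syntax, extended with the stored-procedure privileges the text describes as a DBMS-specific addition to the SQL security objects. This is an added example, not code from the STI guide; the column names, the procedure usp_CloseOrder and the catalog query are assumptions, and only tblPersonnel, tblOrders, Fred and John come from the guide.

```sql
-- Added example (not the guide's own code): Figure 11.2 plus procedure privileges, SQL Server syntax.
-- Columns, the procedure and the catalog query are assumed.

CREATE TABLE dbo.tblPersonnel (EmpId int PRIMARY KEY, Name nvarchar(100), Dept nvarchar(50));
CREATE TABLE dbo.tblOrders    (OrderId int PRIMARY KEY, EmpId int, Status nvarchar(20));
GO
-- A stored procedure: a non-data object the original SQL security model did not cover.
CREATE PROCEDURE dbo.usp_CloseOrder @OrderId int
AS
    UPDATE dbo.tblOrders SET Status = 'closed' WHERE OrderId = @OrderId;
GO
-- Database users without server logins are enough to show privileges inside one database.
CREATE USER Fred WITHOUT LOGIN;
CREATE USER John WITHOUT LOGIN;
GO
-- Figure 11.2: Fred may only read tblPersonnel; John may read it and update tblOrders.
GRANT SELECT ON dbo.tblPersonnel TO Fred;
GRANT SELECT ON dbo.tblPersonnel TO John;
GRANT UPDATE ON dbo.tblOrders    TO John;

-- Extension objects. EXECUTE on a procedure and the right to create procedures are
-- privileges of their own; none of the table grants above imply them.
GRANT EXECUTE ON OBJECT::dbo.usp_CloseOrder TO Fred;   -- Fred can close orders only through the procedure
GRANT CREATE PROCEDURE TO John;                        -- John may define new procedures ...
GRANT ALTER ON SCHEMA::dbo TO John;                    -- ... in a schema he is allowed to alter
GO
-- Because dbo owns both the procedure and tblOrders, the UPDATE inside usp_CloseOrder runs for
-- Fred under ownership chaining: the procedure, not the table, is the surface he was granted.

-- Check: the permissions recorded for both users, with the securable each one names.
SELECT pr.name AS principal, pe.permission_name, pe.state_desc,
       CASE pe.class
            WHEN 0 THEN 'DATABASE'
            WHEN 1 THEN OBJECT_NAME(pe.major_id)
            WHEN 3 THEN SCHEMA_NAME(pe.major_id)
            ELSE pe.class_desc
       END AS securable
  FROM sys.database_permissions AS pe
  JOIN sys.database_principals AS pr ON pr.principal_id = pe.grantee_principal_id
 WHERE pr.name IN ('Fred', 'John')
 ORDER BY pr.name, securable, pe.permission_name;
```

The point of the procedure grant is the one the text makes about extension objects: Fred's ability to change an order is a privilege on the procedure, reviewed and revoked separately from any table privilege, and the final query is where a reviewer sees all three kinds (database, schema and object level) side by side.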

Privileges Page 6 of 11

Privileges

o Privileges are issued via the GRANT command and are taken away via the REVOKE command.
o The privileges that can be granted are divided into four groups:
o Column privileges relate to one specific column of a table.
o Table privileges relate to all data of one specific table.
o Database privileges relate to all tables of one specific database.
o User privileges relate to all databases that are known to SQL.

Privileges

Privileges are authority levels used to access the database, access objects within the database, manipulate data in the database, and perform various administrative functions within the database. Privileges are issued via the GRANT command and are taken away via the REVOKE command. The privileges that can be granted are divided into four groups:

o Column privileges relate to one specific column of a table. For example, the privilege to update the values in the UNITS column of the COURSE table using UPDATE statements.
o Table privileges relate to all data of one specific table. For example, the privilege to query all the data of the STUDENTS table using SELECT statements.
o Database privileges relate to all tables of one specific database. For example, the privilege to create new tables in the existing REGISTRATION database.
o User privileges relate to all databases that are known to SQL. For example, the privilege to remove existing databases or to create new ones.
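The four privilege groups, with the guide's own examples (UNITS, COURSE, STUDENTS, REGISTRATION), written as statements in MySQL, where the ON clause of each GRANT names the scope: a column, a table, a database, or `*.*` for every database. This is an added example, not code from the STI guide; the table columns, the two accounts and their passwords are assumptions.

```sql
-- Added example (not the guide's own code): the four privilege groups in MySQL syntax.
-- The REGISTRATION schema's columns and the two accounts are assumed.

-- Constructed schema so the grants have something to attach to.
CREATE DATABASE REGISTRATION;
CREATE TABLE REGISTRATION.STUDENTS (id INT PRIMARY KEY, name VARCHAR(100), course_id INT);
CREATE TABLE REGISTRATION.COURSE   (id INT PRIMARY KEY, title VARCHAR(100), UNITS INT);

-- Accounts are created first; MySQL 8 no longer creates them implicitly from GRANT.
CREATE USER 'registrar'@'localhost' IDENTIFIED BY 'change-me';
CREATE USER 'dbadmin'@'localhost'   IDENTIFIED BY 'change-me';

-- 1. Column privilege: update only the UNITS column of COURSE.
--    An UPDATE that also touches title is rejected for this account.
GRANT UPDATE (UNITS) ON REGISTRATION.COURSE TO 'registrar'@'localhost';

-- 2. Table privilege: query all data of STUDENTS (every column, every row).
GRANT SELECT ON REGISTRATION.STUDENTS TO 'registrar'@'localhost';

-- 3. Database privilege: create new tables anywhere inside REGISTRATION, and nowhere else.
GRANT CREATE ON REGISTRATION.* TO 'registrar'@'localhost';

-- 4. User (global) privilege: create and drop whole databases. Kept on a separate
--    account because it applies to every database on the server.
GRANT CREATE, DROP ON *.* TO 'dbadmin'@'localhost';

-- Check: SHOW GRANTS prints one line per scope, which is what a privilege review reads.
SHOW GRANTS FOR 'registrar'@'localhost';
SHOW GRANTS FOR 'dbadmin'@'localhost';

-- The same facts from information_schema; MySQL keeps one view per scope.
-- (The GRANTEE column holds the quoted account name, hence the doubled quotes.)
SELECT grantee, privilege_type
  FROM information_schema.USER_PRIVILEGES
 WHERE grantee = '''dbadmin''@''localhost''';
SELECT grantee, table_schema, privilege_type
  FROM information_schema.SCHEMA_PRIVILEGES
 WHERE grantee = '''registrar''@''localhost''';
SELECT grantee, table_name, privilege_type
  FROM information_schema.TABLE_PRIVILEGES
 WHERE grantee = '''registrar''@''localhost''';
SELECT grantee, table_name, column_name, privilege_type
  FROM information_schema.COLUMN_PRIVILEGES
 WHERE grantee = '''registrar''@''localhost''';
```

Each of the four information_schema views answers one of the guide's four groups, so a privilege review can be done scope by scope: global privileges on dbadmin, and nothing above the database level on registrar.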

Even if a user can connect to a database, that does not give him the privilege to access all data within the database. The access to data within the database is handled through these privileges.

Privileges Page 7 of 11

Privileges

o There are two types of privileges: System privileges and Object privileges.
o SQL supports the following object privileges: SELECT, INSERT, DELETE, UPDATE, REFERENCES, ALTER, INDEX.

There are two types of privileges:

o System privileges
o Object privileges

System privileges are privileges that allow database users to perform administrative actions within the database, such as creating a database, dropping a database, creating user accounts, dropping users, dropping and altering database objects, altering the state of objects, altering the state of the database, and other actions that could have serious repercussions if not used carefully. System privileges vary among the different relational database vendors; therefore, check the particular implementation for all the available system privileges and their correct usage. Object privileges are authority levels on objects: a user must be granted the appropriate privileges by the object's owner in order to perform certain actions on the database objects. The object's owner is also called the schema owner. For example, in order to select data from another user's table, the owning user must first grant access to the object. SQL supports the following object privileges:

o SELECT: This privilege gives a user the right to access the specified table with the SELECT statement.
o INSERT: This privilege gives a user the right to add rows to the specified table with the INSERT statement.
o DELETE: This privilege gives a user the right to remove rows from the specified table with the DELETE statement.
o UPDATE: This privilege gives a user the right to change values in the specified table with the UPDATE statement.
o REFERENCES: This privilege gives a user the right to create foreign keys that refer to the specified table.
o ALTER: This privilege gives a user the right to change the table with the ALTER TABLE statement.
o INDEX: This privilege gives a user the right to define indexes on the table.

Most implementations of SQL adhere to the standard list of object privileges for controlling access to database objects. These object-level privileges are those privileges that should be used to grant and restrict access to objects in a schema. These privileges can be used to protect objects in one schema from database users that have access to another schema in the same database. The ability to delete data from another user's object is another common object privilege available in many implementations. Remember to check your implementation documentation for all the available object-level privileges.


Usually, the DBA issues the GRANT and REVOKE commands, although a security administrator, if one exists, may also have the authority to do so. The decision on which privileges will be granted or revoked should come from management and, hopefully, be in writing. Moreover, the owner of an object must grant privileges to other users in the database before they can use the object. Even the DBA cannot grant database users privileges on objects that do not belong to the DBA, although there are still ways to work around that. [Privileges, Pages 6-7 of 11]

Adding and Removing Users Page 8 of 11

Adding Users

o Some DBMSs have SQL statements, extensions to the SQL standard specific to that DBMS, that allow creating users.
o In Oracle the statement is as follows:

CREATE USER username IDENTIFIED {BY password | EXTERNALLY | GLOBALLY AS external_name} Options

o In Sybase, the syntax is as follows:

GRANT CONNECT TO userid , . . .
[ AT starting-id ]
IDENTIFIED BY password, . . .

Adding Users

Some DBMSs have SQL statements, extensions to the SQL standard specific to that DBMS, that allow creating users. For example, in Oracle the statement is as follows:

CREATE USER username IDENTIFIED {BY password | EXTERNALLY | GLOBALLY AS external_name} Options

In Sybase, the syntax is as follows:

GRANT CONNECT TO userid , . . .
[ AT starting-id ]
IDENTIFIED BY password, . . .

GRANT CONNECT can also be used by any user to change the password. For example, use the following to create a user with an empty string as the password:

GRANT CONNECT TO userid IDENTIFIED BY ""

Use the following to create a user with no password:

GRANT CONNECT TO userid

A user with no password cannot connect to the database. However, this can be useful if you are creating a group and you do not want anyone to connect to the database using the group user ID. The example below makes two new users for the database:

GRANT CONNECT TO John, Patrick IDENTIFIED BY Stephan, Rolly

[Adding Users, Page 8 of 11]
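The Oracle CREATE USER forms quoted above, followed by the two privilege types from the Privileges section: the system privileges a new user needs before it can do anything, and the object privileges a schema owner grants on its own table. This is an added example, not code from the STI guide. The user names, the directory DN, the HR.EMPLOYEES table and the USERS tablespace are assumptions (the last two exist in Oracle's sample setup).

```sql
-- Added example (not the guide's own code): Oracle user creation, then system vs. object privileges.
-- User names, the directory DN, HR.EMPLOYEES and the USERS tablespace are assumed.

-- Run as a DBA. One IDENTIFIED clause per user; the three forms are alternatives.
CREATE USER app_user IDENTIFIED BY "ChangeMe_2017";       -- password kept by the database
CREATE USER os_user  IDENTIFIED EXTERNALLY;               -- authenticated by the operating system
CREATE USER dir_user IDENTIFIED GLOBALLY AS 'CN=dir_user,OU=apps,DC=example,DC=com';  -- by a directory

-- A freshly created Oracle user owns nothing and cannot even connect: each capability is a
-- system privilege that has to be granted, which is the guide's "SQL grants access, it does
-- not restrict it" rule in practice.
GRANT CREATE SESSION TO app_user;             -- may log in
GRANT CREATE TABLE, CREATE VIEW TO app_user;  -- may create objects in its own schema ...
ALTER USER app_user QUOTA 10M ON users;       -- ... using at most 10 MB of the USERS tablespace

-- Object privileges come from the object's owner (the schema owner), not from the DBA.
-- Run while connected as HR:
GRANT SELECT ON hr.employees TO app_user;
GRANT UPDATE (salary) ON hr.employees TO app_user;   -- Oracle allows column-level UPDATE

-- Checks, run as app_user, that list exactly what was received:
SELECT privilege FROM user_sys_privs;                                      -- system privileges
SELECT owner, table_name, privilege FROM user_tab_privs_recd;              -- table-level object privileges
SELECT owner, table_name, column_name, privilege FROM user_col_privs_recd; -- column-level object privileges
```

The split between the first and second group of GRANTs is the system/object distinction: CREATE SESSION and CREATE TABLE are administrative rights that only a DBA hands out, while SELECT and UPDATE on hr.employees are handed out by HR as owner, and each appears in a different catalog view.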


Granting Privileges Page 9 of 11

Granting Privileges

The basic GRANT statement is used to grant security privileges on database objects to specific users or, in some DBMS implementations, to groups.

The syntax is as follows:

GRANT {
    ALL [ PRIVILEGES ],
    ALTER,
    DELETE,
    INSERT,
    REFERENCES [ ( column-name, . . . ) ],
    SELECT [ ( column-name, . . . ) ],
    UPDATE [ ( column-name, . . . ) ],
}
ON [ owner.]table-name
TO userid , . . .
[ WITH GRANT OPTION ]
[ FROM userid ]

Granting Privileges Page 10 of 11

Granting Privileges

Example:

GRANT SELECT, UPDATE ( street )
ON employee
TO Laurel

Granting Privileges

The basic GRANT statement is used to grant security privileges on database objects to specific users or, in some DBMS implementations, to groups. In Sybase, the GRANT statement is used to grant permission on individual tables or views. The table permissions can be specified individually, or ALL can be used to grant all six permissions at once. For compatibility, the GRANT statement works only with user IDs; groups do not exist. When you create a table, you are the owner of that table and you can use the GRANT statement to grant privileges to any user you want. The syntax is as follows:

GRANT {
    ALL [ PRIVILEGES ],
    ALTER,
    DELETE,
    INSERT,
    REFERENCES [ ( column-name, . . . ) ],
    SELECT [ ( column-name, . . . ) ],
    UPDATE [ ( column-name, . . . ) ],
}
ON [ owner.]table-name
TO userid , . . .
[ WITH GRANT OPTION ]
[ FROM userid ]

The example below shows the syntax for granting SELECT permission, and UPDATE permission on the street column, on the employee table to user Laurel:

GRANT SELECT, UPDATE ( street ) ON employee TO Laurel

NOTE: One or more permissions can be granted in a single statement by separating the permissions with commas. [Granting Privileges, Pages 9-10 of 11]


Revoking Privileges Page 11 of 11

Revoking Privileges

Use the REVOKE statement if you have granted privileges and later you need to revoke these privileges.

Syntax 1
REVOKE special-priv , . . . FROM userid , . . .
special-priv : CONNECT

Syntax 2
REVOKE table-priv , . . . ON [ owner.]table-name FROM userid , . . .
table-priv :
ALL [PRIVILEGES]
| ALTER
| DELETE
| INSERT
| REFERENCES [ ( column-name, . . . ) ]
| SELECT [ ( column-name, . . . ) ]
| UPDATE [ ( column-name, . . . ) ]

Revoking Privileges

If you have granted privileges and later need to revoke them, use the REVOKE statement. Revoking privileges can yield unexpected results depending on the implementation used by your DBMS, on whether more than one user granted privileges on an object, and on the time sequence of the grants. The REVOKE syntax closely mirrors the GRANT syntax. The REVOKE statement can take away some or all of the privileges assigned in a GRANT statement from some or all of the user IDs. In Sybase, the syntaxes are as follows:

Syntax 1
REVOKE special-priv , . . . FROM userid , . . .
special-priv : CONNECT

Syntax 2
REVOKE table-priv , . . . ON [ owner.]table-name FROM userid , . . .
table-priv : ALL [PRIVILEGES] | ALTER | DELETE | INSERT | REFERENCES [ ( column-name, . . . ) ] | SELECT [ ( column-name, . . . ) ] | UPDATE [ ( column-name, . . . ) ]

Syntax 1 revokes special user permissions, while Syntax 2 revokes table permissions. REVOKE CONNECT removes a user ID from a database and destroys any objects (tables, views, procedures, etc.) owned by that user and any permissions granted by that user. The example below prevents user Patrick from updating the employee table:

REVOKE UPDATE ON employee FROM Patrick;

Another example drops user ID Stephan from the database:

REVOKE CONNECT FROM Stephan

[Revoking Privileges, Page 11 of 11]
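The Granting Privileges and Revoking Privileges sections as one sequence in the Sybase (SQL Anywhere) dialect the guide quotes: users are added with GRANT CONNECT, the owner grants table and column privileges (one of them WITH GRANT OPTION), the grantee passes a privilege on, and the owner then takes privileges back one at a time before dropping a user ID. This is an added example, not code from the STI guide. The employee table's columns, Laurel's password, the session switches noted in the comments and the SYSTABAUTH catalog query are assumptions; the user names, the street column and the statement forms come from the guide.

```sql
-- Added example (not the guide's own code): GRANT/REVOKE life cycle, Sybase SQL Anywhere dialect.
-- Table columns, Laurel's password and the catalog query are assumed.

-- Constructed table so the grants have an object to act on (run as its owner).
CREATE TABLE employee (
    emp_id  INTEGER PRIMARY KEY,
    name    VARCHAR(60),
    street  VARCHAR(80),
    salary  NUMERIC(10,2)
);

-- Adding users: GRANT CONNECT is this dialect's CREATE USER; passwords pair up by position.
GRANT CONNECT TO John, Patrick IDENTIFIED BY Stephan, Rolly;
GRANT CONNECT TO Laurel IDENTIFIED BY Laurel2017;

-- Granting: the owner gives Laurel read access plus update rights on one column, and lets her
-- pass those privileges on (WITH GRANT OPTION). Patrick may update any column but not read.
GRANT SELECT, UPDATE ( street ) ON employee TO Laurel WITH GRANT OPTION;
GRANT UPDATE ON employee TO Patrick;

-- Connected as Laurel (assumed session switch): she re-grants only what she holds.
GRANT SELECT ON employee TO John;

-- Revoking, back as the owner. A whole table privilege can be taken from one user ...
REVOKE UPDATE ON employee FROM Patrick;
-- ... or a single column privilege, which leaves Laurel's SELECT in place.
REVOKE UPDATE ( street ) ON employee FROM Laurel;

-- REVOKE CONNECT drops the user ID. Per the guide, objects owned by that user and permissions
-- granted by that user go with it, so John's SELECT (granted by Laurel) disappears here too.
REVOKE CONNECT FROM Laurel;

-- Check (assumed catalog view): who still holds what on employee, and who granted it.
SELECT grantor, grantee, selectauth, insertauth, updateauth, deleteauth, updatecols
  FROM SYS.SYSTABAUTH
 WHERE stable = 'employee';
```

The last two statements are the part worth rehearsing before running REVOKE CONNECT on a real system: because dropping a user ID also removes everything that user granted, the check query should be run first to see which other users' privileges trace back to the grantor being removed.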

GENERALIZATION:

o SQL security centers around users (or user IDs) that can grant privileges on database objects such as tables and views.

o Data in specific tables and views, and even columns of specific tables and views can be made available to some users.

o The GRANT statement grants SELECT, UPDATE, INSERT, and DELETE privileges to specific users.

o The REVOKE statement is used to revoke privileges granted to a user.


REFERENCES:

o Elmasri, Ramez and Navathe, Shamkant (2007). Fundamentals of Database Systems, 4th ed. Pearson Education.
o Ramakrishnan, Raghu and Gehrke, Johannes (2002). Database Management Systems, 3rd ed. McGraw-Hill.
o Date, C.J. An Introduction to Database Systems, 7th ed. Addison Wesley.
o Elmasri, Ramez and Navathe, Shamkant (2006). Fundamentals of Database Systems. Addison Wesley Co.