
COMP 5138 Relational Database Management Systems Semester 2, 2007 Lecture 6B Security with SQL.

Date post: 28-Dec-2015
Upload: loraine-reed
Transcript
Page 1: COMP 5138 Relational Database Management Systems Semester 2, 2007 Lecture 6B Security with SQL.

COMP 5138

Relational Database Management Systems

Semester 2, 2007

Lecture 6B

Security with SQL

Page 2: Introduction to Database Security

L7 Integrity & Security

Secrecy: Users should not be able to see things they are not supposed to.

E.g., A student can’t see other students’ grades.

Integrity: Users should not be able to modify things they are not supposed to.

E.g., Only instructors can assign grades.

Availability: Users should be able to see and modify things they are allowed to.

Page 3: Access Controls

A security policy specifies who is authorized to do what.

A security mechanism allows us to enforce a chosen security policy.

Discretionary access control is the main mechanism at the DBMS level.

Page 4: Discretionary Access Control

Based on the concept of access rights or privileges for objects (tables and views), and mechanisms for giving users privileges (and revoking privileges).

Creator of a table or a view automatically gets all privileges on it.

The DBMS keeps track of who subsequently gains and loses privileges, and ensures that only requests from users who have the necessary privileges (at the time the request is issued) are allowed.

Page 5: GRANT command

The following privileges can be specified:

SELECT: Can read all columns (including those added later via ALTER TABLE command).

INSERT: Can insert extra tuples.

DELETE: Can delete tuples.

UPDATE (col-name): The ability to update the values in this column in tuples. UPDATE means the same right with respect to all columns.

REFERENCES (col-name): Can define foreign keys (in other tables) that refer to this column.

If a user has a privilege with the GRANT OPTION, they can pass the privilege on to other users (with or without passing on the GRANT OPTION).

Only the owner can execute CREATE, ALTER, and DROP.

GRANT privileges ON object TO users [WITH GRANT OPTION]

Page 6: Grant and Revoke of Privileges

GRANT INSERT, SELECT ON Students TO John;

John can query Students or insert tuples into it.

GRANT DELETE ON Students TO John WITH GRANT OPTION;

John can delete tuples, and also authorize others to do so.

GRANT UPDATE (title) ON Courses TO Dustin;

Dustin can update (only) the title field of Courses tuples.

REVOKE: When a privilege is revoked from X, it is also revoked from all users who got it solely from X.
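
The "solely from X" rule worked through with two grant paths, as an added example that is not part of the lecture slides. Students and John come from the slide; the users Ann, Bob and Carol, the comments saying who runs each statement, and the audit query (which assumes a system implementing the standard INFORMATION_SCHEMA with a grantor column, for example PostgreSQL) are assumptions.

```sql
-- Run by the owner of Students: two users receive DELETE with the grant option.
GRANT DELETE ON Students TO John WITH GRANT OPTION;
GRANT DELETE ON Students TO Ann  WITH GRANT OPTION;   -- Ann: hypothetical user

-- Run by John: passes DELETE on to two more users (hypothetical names).
GRANT DELETE ON Students TO Bob;
GRANT DELETE ON Students TO Carol;

-- Run by Ann: Carol now holds DELETE through a second, independent path.
GRANT DELETE ON Students TO Carol;

-- Audit before revoking: one row per (grantor, grantee) pair shows each path.
SELECT grantor, grantee, privilege_type, is_grantable
FROM information_schema.table_privileges
WHERE LOWER(table_name) = 'students'
  AND privilege_type = 'DELETE'
ORDER BY grantee, grantor;

-- Run by the owner. Standard SQL spells the cascading form with CASCADE;
-- some systems cascade object-privilege revocation by default.
REVOKE DELETE ON Students FROM John CASCADE;

-- Result of the revoke:
--   John  : loses DELETE and the grant option
--   Bob   : loses DELETE (he got it solely from John)
--   Carol : keeps DELETE (the grant from Ann is unaffected)
--   Ann   : unchanged
```

Re-running the audit query after the REVOKE is the quickest way to confirm that no grant issued by John survived.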

Page 7: Naming objects

Once another user has allowed you to access a particular object, you can perform queries that mention this object.

You must be able to name tables etc. of other users.

In Oracle, each user creates tables that are in a separate namespace.

E.g., if lhossain has a table student, and comp5138-test has a table student, these are not the same table.

Say username.tablename to refer to a table of another user:

SELECT sid
FROM lhossain.student
WHERE degree = 'MIT';

Different vendors have different syntax and rules for this.

Page 8: Grant and Revoke on Views

If the creator of a view loses the SELECT privilege on an underlying table, the view is dropped!

If the creator of a view loses a privilege held with the grant option on an underlying table, (s)he loses the privilege on the view as well; so do users who were granted that privilege on the view!

Granting a privilege on a view does not imply granting any privileges on the underlying relations.

Page 9: Views and Security

Views can be used to present necessary information (or a summary), while hiding details in underlying relation(s).

Define a view that shows sailors and how many boats they reserved, but not which boats; if we grant select on that view to a user (but not select on Reserves itself), then they can find out who has reservations but not which boat.

Creator of view has a privilege on the view if (s)he has the privilege on all underlying tables.

Together with GRANT/REVOKE commands, views are a very powerful access control tool.
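
The sailors-and-boats view described above, written out as an added example that is not part of the lecture slides. The column layouts Sailors(sid, sname) and Reserves(sid, bid, day), the view name ReservationCounts, and the choice of John as the grantee are assumptions.

```sql
-- Assumed base tables (owned by the view creator):
--   Sailors(sid, sname)
--   Reserves(sid, bid, day)

-- The view exposes who has reservations and how many distinct boats,
-- but never the bid values themselves.
CREATE VIEW ReservationCounts (sid, sname, num_boats) AS
SELECT S.sid, S.sname, COUNT(DISTINCT R.bid)
FROM Sailors S
JOIN Reserves R ON R.sid = S.sid
GROUP BY S.sid, S.sname;

-- Grant on the view only. Nothing is granted on Sailors or Reserves,
-- and granting on the view does not imply any privilege on them.
GRANT SELECT ON ReservationCounts TO John;

-- Connected as John:
SELECT sname, num_boats
FROM ReservationCounts;        -- allowed: answered through the view

SELECT sid, bid
FROM Reserves;                 -- rejected: John holds no SELECT on Reserves

-- The view creator can withdraw access without touching the base tables.
REVOKE SELECT ON ReservationCounts FROM John;
```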

Page 10: Role-based Authorisation

In SQL-92, privileges are actually assigned to authorisation ids, which can denote a single user or a group of users.

In SQL:1999 (and in many current systems), privileges are assigned to roles.

Roles can then be granted to users and to other roles.

Reflects how real organisations work.

Example:

create role manager;
grant select, insert on students to manager;
grant manager to lhossain;

Page 11: Limitations of SQL Authorisation

SQL does not support authorization at a tuple level.

E.g., we cannot restrict students to see only (the tuples storing) their own grades.

Can be simulated to a certain degree using Views, but VERY cumbersome.

With the growth in Web access to databases, database accesses come primarily from application servers.

End users don't have database user ids; they are all mapped to the same database user id.

All end-users of an application (such as a web application) may be mapped to a single database user.

The task of authorisation in the above cases falls on the application program, with no support from SQL.

Benefit: fine grained authorisations, such as to individual tuples, can be implemented by the application.

Drawback: Authorisation must be done in application code, and may be dispersed all over an application.

Checking for absence of authorisation loopholes becomes very difficult since it requires reading large amounts of application code.
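
Both situations from this slide side by side, as an added example that is not part of the lecture slides: one way a view can simulate tuple-level authorisation, and what remains when every end user shares one database account. The table Grades(login, course, grade), the role student, the account webapp and the bind parameter :authenticated_login are assumptions; CURRENT_USER is the standard SQL name, and the exact function and the value it returns vary by vendor.

```sql
-- Assumed table: Grades(login, course, grade),
-- where login holds the database user id of the student.

-- (1) Each student connects with his or her own database user id.
-- The view filters rows by the connected user, so one view serves
-- every student instead of one view per student.
CREATE VIEW MyGrades AS
SELECT course, grade
FROM Grades
WHERE login = CURRENT_USER;

CREATE ROLE student;
GRANT SELECT ON MyGrades TO student;   -- no privilege on Grades itself

-- Connected as any member of role student:
SELECT course, grade FROM MyGrades;    -- only that student's own tuples
SELECT * FROM Grades;                  -- rejected: no SELECT on Grades

-- (2) Web application: every end user is mapped to the single
-- database account webapp. CURRENT_USER is then always webapp, the
-- view above matches no student, and the DBMS cannot tell end users
-- apart. webapp needs SELECT on Grades, and the row filter has to be
-- repeated by the application on every query that touches the table:
GRANT SELECT ON Grades TO webapp;

SELECT course, grade
FROM Grades
WHERE login = :authenticated_login;
-- :authenticated_login must be bound from the server-side session of
-- the authenticated end user, not from a value supplied in the request.
-- Any query path that omits this predicate is an authorisation loophole
-- that the DBMS will not catch.
```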
