SQL - DCL (GRANT and REVOKE)

DBS211

STRUCTURED QUERY LANGUAGE (SQL)

1
Database
Security and Privacy
FUNDAMENTALS OF DATABASE SYSTEMS - SIXTH EDITION - CHAPTER 24

INTRODUCTION TO TRANSACTION PROCESSING CONCEPTS AND THEORY

2
Threats to Databases

• A threat to a database can result in:
• Loss of integrity
• Loss of availability
• Loss of confidentiality

3
Loss of integrity

• The loss of integrity can be caused by improper modification of data through an unauthorized action:
• Insertion
• Deletion
• Modification
• Creation
• The loss of integrity can cause data inaccuracy and inconsistency.

4
Loss of availability

• The data should be available to the database users who are eligible to access or modify it.
• A loss of availability means the data cannot be accessed.

5
Loss of confidentiality

• Loss of confidentiality refers to unauthorized access to data.
• Data should be hidden from unauthorized users.

6
Access Control

• Access control is one of the control measures used in database systems to provide data security.
• Access to the database can be restricted by the access control mechanism, e.g. by creating user accounts and passwords.
• A security policy defines who can access or modify data in a database.

7
Database Security Mechanisms
• Types of database security mechanisms:
• Discretionary Access Control (DAC)
• Grants users access to specific data tables, rows, and columns in a specific mode (select, insert, delete, and update)
• GRANT and REVOKE privileges
• Mandatory Access Control (MAC)
• Classifies the data and the users into different security classes. A security policy is enforced on users according to their classification level.
• Role Based Access Control (RBAC)
• Roles are assigned to the database.
• Roles have certain permissions on specific data.

8
Discretionary Security Mechanisms
• Grant privileges on database objects:

GRANT privileges ON object TO user;

• Different privileges:
• Select
• Insert
• Update
• Delete
• Alter
• All (all privileges)
• Revoke privileges on database objects:

REVOKE privileges ON object FROM user;


9
Mandatory Access Control

• Mandatory Access Control
• Classifies data and users based on security classes.
• Defines which database objects can be accessed by a user.
• Multilevel security exists in government, military, and intelligence applications.
• Typical security classes:
• top secret (TS)
• secret (S)
• confidential
• unclassified

10
CONNECT Permission
• The database administrator must first define a user and grant CONNECT permission so the user can log on to Oracle:
CREATE USER dbs211a01 IDENTIFIED BY userpassword;
GRANT CONNECT TO dbs211a01;

• The user can change the password at any time as follows:

ALTER USER dbs211a01 IDENTIFIED BY newpswd;

• The DBA can remove the access privilege from a user:

REVOKE CONNECT FROM dbs211a01;
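The account lifecycle on this slide, written out as an added example (not from the original deck) that also verifies each step through the data dictionary. It assumes a DBA session, uses the user name and passwords from the slide as placeholders, and relies on the standard Oracle views dba_role_privs and dba_users.

```sql
-- Added example: create the account, grant logon, verify, then revoke.
-- Run as a DBA. User name and passwords are the slide's placeholder values.

-- 1. Create the account. The password is fixed at creation time.
CREATE USER dbs211a01 IDENTIFIED BY userpassword;

-- 2. CONNECT is a role, not a privilege. In current Oracle releases it
--    contains only the CREATE SESSION system privilege, so the explicit
--    least-privilege form below is equivalent and easier to audit:
--      GRANT CREATE SESSION TO dbs211a01;
GRANT CONNECT TO dbs211a01;

-- 3. Verify what the account actually holds before handing it over.
--    Names are stored upper-case in the dictionary.
SELECT grantee, granted_role, admin_option
  FROM dba_role_privs
 WHERE grantee = 'DBS211A01';
-- Expected: one row  DBS211A01 / CONNECT / NO

SELECT username, account_status
  FROM dba_users
 WHERE username = 'DBS211A01';
-- Expected: DBS211A01 / OPEN

-- 4. The user changes the password from their own session (no extra
--    privilege is needed to change one's own password).
--    (run as dbs211a01)
ALTER USER dbs211a01 IDENTIFIED BY newpswd;

-- 5. Remove the ability to log on, then confirm the role is gone.
REVOKE CONNECT FROM dbs211a01;

SELECT COUNT(*) AS roles_left
  FROM dba_role_privs
 WHERE grantee = 'DBS211A01';
-- Expected: 0
```

Granting CREATE SESSION directly instead of the CONNECT role documents exactly what the account can do; the role's contents have changed across Oracle versions, which is why access reviews usually query dba_role_privs and dba_sys_privs rather than trusting the role name.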

11
Privileges
• The privileges granted to an account determine which
operations the account can perform.
• Privileges differ in the contexts in which they apply and at
different levels of operation:
• Administrative Privileges
• The administrative privileges are global.
• Database Privileges
• The user has privileges for specific databases.
• Database Objects Privileges
• Defines the user privileges to database objects such as tables, indexes, views,
and stored routines. It can be on all database objects or some specific objects.
12
Access Privileges
• The owner of an object may grant another user permission to perform database operations (ALTER, SELECT, UPDATE, DELETE, INSERT, ALL) on an object within the owner's schema:
GRANT ALL ON employee TO dbs211a03;
GRANT SELECT ON employee TO dbs211a04;

• Permission for operations can be removed:

REVOKE ALL ON employee FROM dbs211a03;
REVOKE SELECT ON employee FROM dbs211a04;

• Read-only users, granted READ rather than SELECT, can query the table but have no ability to lock rows in the tables they query (for example with SELECT ... FOR UPDATE).
GRANT READ ON employee TO dbs211a03;
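The SELECT-versus-READ distinction from this slide, as an added example that is not part of the original deck. It assumes the employee table lives in the dbs211a01 schema and uses the deck's sample users dbs211a03 and dbs211a04; READ as an object privilege exists in Oracle 12.1.0.2 and later.

```sql
-- Added example: what SELECT allows that READ does not.
-- Run as the owner of employee (assumed here to be dbs211a01).

-- A SELECT grantee can query the table AND lock its rows.
GRANT SELECT ON employee TO dbs211a04;
-- (as dbs211a04) both statements succeed:
--   SELECT * FROM dbs211a01.employee;
--   SELECT * FROM dbs211a01.employee FOR UPDATE;  -- row locks held until commit/rollback

-- A READ grantee can query the table, but the FOR UPDATE form is refused,
-- so a reporting account cannot hold locks that block writers.
GRANT READ ON employee TO dbs211a03;
-- (as dbs211a03)
--   SELECT * FROM dbs211a01.employee;             -- succeeds
--   SELECT * FROM dbs211a01.employee FOR UPDATE;  -- ORA-01031: insufficient privileges

-- The dictionary records which of the two each user was actually given.
-- user_tab_privs shows grants where the current user is owner, grantor,
-- or grantee, so as the owner we see both rows.
SELECT grantee, privilege, grantable
  FROM user_tab_privs
 WHERE table_name = 'EMPLOYEE'
 ORDER BY grantee;
-- Expected:
--   DBS211A03  READ    NO
--   DBS211A04  SELECT  NO

-- Removal names the same privilege that was granted.
REVOKE SELECT ON employee FROM dbs211a04;
REVOKE READ   ON employee FROM dbs211a03;
```

For accounts that only produce reports, READ is the safer default: it gives the same query capability while removing a way to interfere with application writers.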
13
Grant
• Grant privileges to users
GRANT privileges ON object TO user;

Privileges: the types of operations granted to the user:


• CREATE
• ALTER
• DROP
• SELECT
• INSERT
• DELETE
• UPDATE
• ALL

14
Grant Example

• For table test and user dbs211a03, see the following examples:

GRANT SELECT ON test TO dbs211a03;
GRANT INSERT, UPDATE, DELETE ON test TO dbs211a03;
GRANT ALL ON test TO dbs211a03;

15
Revoke

• Revoke privileges from users

REVOKE privileges ON object FROM user;

Example:
REVOKE DELETE ON users FROM dbs211a03;
REVOKE INSERT,UPDATE ON users FROM dbs211a03;
REVOKE ALL ON users FROM dbs211a03;
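A caveat on REVOKE that the slide's examples do not show, as an added example that is not from the original deck: an object privilege handed out WITH GRANT OPTION can have been passed on, and revoking it from the first grantee cascades to everyone downstream. It assumes the users table is owned by dbs211a01 and uses the deck's sample users.

```sql
-- Added example: cascading revoke of an object privilege.
-- Run as the owner of table users (assumed to be dbs211a01).

-- The owner lets dbs211a03 pass SELECT on to other users.
GRANT SELECT ON users TO dbs211a03 WITH GRANT OPTION;

-- (as dbs211a03) dbs211a03 re-grants it to dbs211a04:
--   GRANT SELECT ON dbs211a01.users TO dbs211a04;

-- The owner sees the whole grant chain for its own object.
SELECT grantee, grantor, privilege, grantable
  FROM user_tab_privs
 WHERE table_name = 'USERS'
 ORDER BY grantee;
-- Expected:
--   DBS211A03  DBS211A01  SELECT  YES
--   DBS211A04  DBS211A03  SELECT  NO

-- An object privilege can only be revoked by the account that granted it
-- (or by a holder of GRANT ANY OBJECT PRIVILEGE), so the owner cannot
-- revoke dbs211a04's grant directly. It does not need to: revoking from
-- dbs211a03 cascades, because dbs211a03 no longer has anything to pass on.
REVOKE SELECT ON users FROM dbs211a03;

SELECT COUNT(*) AS remaining_grants
  FROM user_tab_privs
 WHERE table_name = 'USERS';
-- Expected: 0
```

The cascade applies to object privileges only; revoking a system privilege or a role from a user does not remove the same privilege or role from accounts that user had granted it to, which is one reason to keep WITH ADMIN OPTION and WITH GRANT OPTION grants rare and reviewed.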

16
PUBLIC Role
• A role is a named group of related privileges that you grant, as a group, to users or other roles.
• Roles are useful for quickly and easily granting permissions to users.
• The PUBLIC role is accessible to every database user.
• All privileges and roles granted to PUBLIC are accessible to every database user.

GRANT ALL ON employee TO PUBLIC;

REVOKE ALL ON employee FROM PUBLIC;
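Granting to a named role instead of to PUBLIC, as an added example that is not from the original deck. GRANT ... TO PUBLIC reaches every account in the database, including accounts created later; a role limits the privilege to accounts explicitly given it. The role name hr_reader is assumed for this example, and the employee table is assumed to be owned by the account running the object grants.

```sql
-- Added example: a role as the narrower alternative to a PUBLIC grant.
-- CREATE ROLE needs the CREATE ROLE system privilege (run as a DBA);
-- the GRANT ... ON employee statements run as the table owner.

-- Over-broad form from the slide: every account can read and change employee.
--   GRANT ALL ON employee TO PUBLIC;

-- Narrower form: a role (name assumed) that carries only SELECT on employee.
CREATE ROLE hr_reader;
GRANT SELECT ON employee TO hr_reader;

-- Hand the role, not the object privilege, to the accounts that need it.
GRANT hr_reader TO dbs211a03;
GRANT hr_reader TO dbs211a04;

-- Membership is visible to each grantee in user_role_privs and, for every
-- account at once, to the DBA in dba_role_privs.
SELECT grantee, granted_role, default_role
  FROM dba_role_privs
 WHERE granted_role = 'HR_READER'
 ORDER BY grantee;
-- Expected:
--   DBS211A03  HR_READER  YES
--   DBS211A04  HR_READER  YES

-- Offboarding is one statement per account; the object grant on the role
-- is never touched.
REVOKE hr_reader FROM dbs211a04;

-- Anything previously granted to PUBLIC is pulled back as the slide shows,
-- once the role is in place.
REVOKE ALL ON employee FROM PUBLIC;
```

Because a role is granted to named accounts, a later review of dba_role_privs answers "who can read employee?" directly; with a PUBLIC grant the honest answer is "everyone who can log on".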


17
View Privilege and Role Information
• Query the following data dictionary views to access information about grants of privileges and roles.

Data Dictionary View   Description
user_tab_privs         Lists grants on all objects where the current user is the grantee.
user_col_privs         Describes column object grants for which the current user is the object owner, grantor, or grantee.
user_role_privs        Lists roles granted to the current user.

SELECT *
FROM user_tab_privs;

SELECT *
FROM user_col_privs;

SELECT *
FROM user_role_privs;

18
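A privilege review built on the three views from this slide and their DBA-level counterparts, as an added example that is not from the original deck. The column-level grant at the top is included so that user_col_privs returns a row; the dept column on employee and the owning schema dbs211a01 are assumptions, and the user names are the deck's samples.

```sql
-- Added example: reviewing grants through the data dictionary.
-- Queries 1-3 run as the owner of employee (assumed dbs211a01);
-- the dba_* queries in step 4 run as a DBA.

-- Column-level grant (dept column assumed): dbs211a03 may update only
-- employee.dept, not the whole row.
GRANT UPDATE (dept) ON employee TO dbs211a03;

-- 1. Object grants involving the current user (owner, grantor, or grantee).
--    Note: GRANT ALL is stored as its individual privileges, so the word
--    ALL never appears in the privilege column.
SELECT grantee, owner, table_name, privilege, grantable
  FROM user_tab_privs
 ORDER BY owner, table_name, grantee, privilege;

-- 2. Column grants involving the current user.
SELECT grantee, table_name, column_name, privilege
  FROM user_col_privs;
-- Expected (as the owner of employee):
--   DBS211A03  EMPLOYEE  DEPT  UPDATE

-- 3. Roles held by the current user and whether each is enabled by default.
SELECT granted_role, admin_option, default_role
  FROM user_role_privs;

-- 4. Database-wide checks an access review usually starts with (as DBA).
--    a) Object privileges handed to PUBLIC. Oracle-supplied schemas grant
--       many objects to PUBLIC by design, so filter those out first.
SELECT owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC'
   AND owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, table_name, privilege;

--    b) Grants that the grantee can pass on further (WITH GRANT OPTION).
SELECT grantee, owner, table_name, privilege
  FROM dba_tab_privs
 WHERE grantable = 'YES'
 ORDER BY owner, table_name, grantee;

--    c) Everyone who can do anything to one sensitive table.
SELECT grantee, privilege
  FROM dba_tab_privs
 WHERE owner = 'DBS211A01'
   AND table_name = 'EMPLOYEE'
 ORDER BY grantee, privilege;
```

Run against a real schema, query 4a is the one that most often surprises: a single GRANT ... TO PUBLIC issued years ago stays in effect for every account created since, and only the dictionary, not the original script, will show it.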
