
SQL - DCL (GRANT and REVOKE)

DBS211

STRUCTURED QUERY LANGUAGE (SQL)

1
Database
Security and Privacy
FUNDAMENTALS OF DATABASE SYSTEMS- SIXTH EDITION – CHAPTER 24

INTRODUCTION TO TRANSACTION PROCESSING CONCEPTS AND THEORY

2
Threats to Databases

• A threat to a database can result in:
• Loss of integrity
• Loss of availability
• Loss of confidentiality

3
Loss of integrity

• The loss of integrity can be caused by improper modification of data by an unauthorized action:
• Insertion
• Deletion
• Modification
• Creation
• The loss of integrity can cause data inaccuracy and inconsistency.

4
Loss of availability

• The data should be available to the database users who are eligible to access or modify data.

• A loss of availability means the data cannot be accessed.

5
Loss of confidentiality

• Loss of confidentiality refers to unauthorized access to data.
• Data should be hidden from unauthorized users.

6
Access Control

• Access control is one of the control measures used in database systems to provide data security.

• Access to the database can be restricted by the access control mechanism.
• e.g. creating user accounts and passwords.

• A security policy defines who can access or modify data in a database.

7
Database Security Mechanisms
• Types of database security mechanisms:
• Discretionary Access Control (DAC)
• Grants users access to specific tables, rows, and columns in a specific mode (select,
insert, delete, and update)
• GRANT and REVOKE privileges
• Mandatory Access Control (MAC)
• Classifies the data and the users into different security classes. Different security
policies are enforced for users at different classification levels.
• Role Based Access Control (RBAC)
• Roles are assigned to the database.
• Roles have certain permissions on specific data.

8
Discretionary Security Mechanisms
• Grant privileges on database objects:

GRANT privileges ON object TO user;

• Different privileges:
• Select
• Insert
• Update
• Delete
• Alter
• All (all privileges)
• Revoke privileges on database objects:

REVOKE privileges ON object FROM user;


9
Mandatory Access Control

• Mandatory Access Control
• Classifies data and users based on security classes.
• Defines what database objects can be accessed by a user.

• Multilevel security exists in government, military, and intelligence applications
• Typical security classes
• top secret (TS)
• secret (S)
• confidential
• unclassified

10
CONNECT Permission
• The database administrator (DBA) must first define a user and grant it CONNECT
permission so that it can log on to Oracle:
CREATE USER dbs211a01 IDENTIFIED BY userpassword;
GRANT CONNECT TO dbs211a01;

• The user can change the password at any time as follows:

ALTER USER dbs211a01 IDENTIFIED BY newpswd;

• The DBA can remove the access privilege for a user:

REVOKE CONNECT FROM dbs211a01;

11
Privileges
• The privileges granted to an account determine which
operations the account can perform.
• Privileges differ in the contexts in which they apply and at
different levels of operation:
• Administrative Privileges
• The administrative privileges are global.
• Database Privileges
• The user has privileges for specific databases.
• Database Objects Privileges
• Defines the user privileges to database objects such as tables, indexes, views,
and stored routines. It can be on all database objects or some specific objects.
12
Access Privileges
• The owner of an object may grant another user permission to perform
database operations (ALTER, SELECT, UPDATE, DELETE, INSERT, ALL)
on an object within the owner’s schema:
GRANT ALL ON employee TO dbs211a03;
GRANT SELECT ON employee TO dbs211a04;

• Permission for operations can be removed:

REVOKE ALL ON employee FROM dbs211a03;
REVOKE SELECT ON employee FROM dbs211a04;

• Read-only users (granted READ instead of SELECT) have no ability to lock rows in the tables they query:
GRANT READ ON employee TO dbs211a03;
13
Grant
• Grant privileges to users
GRANT privileges ON object TO user;

Privileges: the types of operation granted to the user:
• CREATE
• ALTER
• DROP
• SELECT
• INSERT
• DELETE
• UPDATE
• ALL

14
Grant Example

• For table test and user dbs211a03, see the following examples:

GRANT SELECT ON test TO dbs211a03;
GRANT INSERT, UPDATE, DELETE ON test TO dbs211a03;
GRANT ALL ON test TO dbs211a03;
GRANT SELECT ON test TO dbs211a03;

15
Revoke

• Revoke privileges from users

REVOKE privileges ON object FROM user;

Example:
REVOKE DELETE ON users FROM dbs211a03;
REVOKE INSERT, UPDATE ON users FROM dbs211a03;
REVOKE ALL ON users FROM dbs211a03;

16
PUBLIC Role
• A role is a named group of related privileges that you grant, as a
group, to users or other roles.
• Roles are useful for quickly and easily granting permissions to users.
• The PUBLIC role is accessible to every database user.
• All privileges and roles granted to PUBLIC are accessible to every
database user.

GRANT ALL ON employee TO PUBLIC;

REVOKE ALL ON employee FROM PUBLIC;
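
The blanket PUBLIC grant above next to a role-scoped alternative, as an added example that is not part of the original slides. The table employee_demo, its columns, and the role names emp_reader and emp_editor are constructed for illustration; the accounts dbs211a03 and dbs211a04 from the slides are assumed to exist, and the session is assumed to hold the CREATE TABLE and CREATE ROLE privileges.

```sql
-- Constructed sample table (not from the slides).
CREATE TABLE employee_demo (
  emp_id  NUMBER PRIMARY KEY,
  name    VARCHAR2(50),
  phone   VARCHAR2(20),
  salary  NUMBER(10,2)
);

-- Weak setting: every current and future account in the database
-- can read, change and delete rows in this table.
GRANT ALL ON employee_demo TO PUBLIC;

-- Corrected setting: withdraw the blanket grant, then grant by job function.
REVOKE ALL ON employee_demo FROM PUBLIC;

CREATE ROLE emp_reader;   -- hypothetical role names
CREATE ROLE emp_editor;

GRANT SELECT ON employee_demo TO emp_reader;
GRANT SELECT, INSERT ON employee_demo TO emp_editor;
-- Column-level grant: editors may change phone but not salary.
GRANT UPDATE (phone) ON employee_demo TO emp_editor;

-- Users receive roles, never direct object privileges.
GRANT emp_reader TO dbs211a04;
GRANT emp_editor TO dbs211a03;

-- Removing one user's access is a single statement.
REVOKE emp_editor FROM dbs211a03;

-- Oracle cannot revoke a single column: revoke UPDATE on the whole
-- object, then re-grant the narrower column list if still needed.
REVOKE UPDATE ON employee_demo FROM emp_editor;

-- Cleanup of the constructed objects.
DROP ROLE emp_reader;
DROP ROLE emp_editor;
DROP TABLE employee_demo;
```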


17
View Privilege and Role Information
• Query the following Data Dictionary Views to access information about grants
of Privileges and Roles.

Data Dictionary View   Description
user_tab_privs         Lists grants on all objects where the current user is the grantee.
user_col_privs         Describes column object grants for which the current user is the object owner, grantor, or grantee.
user_role_privs        Lists roles granted to the current user.

SELECT *
FROM user_tab_privs;

SELECT *
FROM user_col_privs;

SELECT *
FROM user_role_privs;

18
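
A privilege review built on these three views, as an added example that is not part of the original slides. It goes beyond `SELECT *` by grouping grants per object and grantee and flagging the two cases that most often widen access: grants to PUBLIC and grants the grantee can pass on. The column names are those of the Oracle data dictionary views; the wording of the finding column is constructed here.

```sql
-- 1. Object grants on tables in my own schema, one row per object and grantee.
SELECT table_name,
       grantee,
       LISTAGG(privilege, ', ') WITHIN GROUP (ORDER BY privilege) AS privileges,
       CASE
         WHEN grantee = 'PUBLIC'    THEN 'REVIEW: open to every database user'
         WHEN MAX(grantable) = 'YES' THEN 'REVIEW: grantee can grant this to others'
         ELSE 'ok'
       END AS finding
FROM   user_tab_privs
WHERE  owner = USER                 -- only objects I own
GROUP  BY table_name, grantee
ORDER  BY CASE WHEN grantee = 'PUBLIC' THEN 0 ELSE 1 END,
          table_name, grantee;

-- 2. Column-level grants, which do not appear in user_tab_privs.
SELECT table_name, column_name, grantee, privilege, grantable
FROM   user_col_privs
WHERE  owner = USER
ORDER  BY table_name, column_name, grantee;

-- 3. Roles held by the current user, with the ones that can be re-granted first.
SELECT granted_role, admin_option, default_role
FROM   user_role_privs
ORDER  BY admin_option DESC, granted_role;
```

An empty result from the first query means no other account or role holds an object privilege on the current user's tables.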
