Security and User Authorization in SQL
CIS 4301 Lecture Notes, Lecture /18/2006
Lecture 24 © CIS Spring
Authorization
- Both a DBMS and an O/S have the concept of a user ID. Why?
  - To make sure users only see the data they are supposed to see.
  - To guard the database against updates by malicious users.
- How is that done under UNIX?
Privileges
- Also known as discretionary access control.
- Users have PRIVILEGES: a user can only operate on data for which they are AUTHORIZED.
- For a relation R and user U, U may be authorized for:
  - SELECT ON R
  - INSERT ON R, or INSERT(A) ON R for a single attribute A
  - UPDATE ON R, or UPDATE(A) ON R
  - DELETE ON R
  - ... a total of nine types of privileges
Example
- Student(ID, name, address, GPA, SAT)
- Campus(location, enrollment, rank)
- Apply(ID, location, date, major, decision)
- Sample query:
    UPDATE Apply
    SET decision = 'Y'
    WHERE ID IN (SELECT ID FROM Student WHERE GPA > 3.9)
- Q: What privileges are needed for this statement?
Another Example
    DELETE FROM Student
    WHERE ID NOT IN (SELECT ID FROM Apply)
- Q: What privileges are needed for this statement?
More on Privileges
- Assume user JH has only the UPDATE privilege on table S.
- Can JH execute
    UPDATE S SET S.rating = 8;
- How about:
    UPDATE S SET S.rating = S.rating + 8;
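As an added example (not from the lecture notes), here are grants that are sufficient for the three statements on these slides, written for PostgreSQL, whose rule is explicit: an UPDATE or DELETE needs the SELECT privilege on every column it reads in a SET expression or WHERE condition, on top of the UPDATE or DELETE privilege itself. The table S with a column rating, and the roles app_clerk and jh, are assumed for illustration.

```sql
-- Added example: minimal grants for the lecture's sample statements (PostgreSQL).
-- Schema from the slides; table S (sid, rating) and both roles are assumed.
CREATE TABLE Student (ID INT PRIMARY KEY, name TEXT, address TEXT,
                      GPA NUMERIC(3,2), SAT INT);
CREATE TABLE Campus  (location TEXT PRIMARY KEY, enrollment INT, rank INT);
CREATE TABLE Apply   (ID INT REFERENCES Student(ID),
                      location TEXT REFERENCES Campus(location),
                      date DATE, major TEXT, decision CHAR(1));
CREATE TABLE S       (sid INT PRIMARY KEY, rating INT);
CREATE ROLE app_clerk;
CREATE ROLE jh;

-- Statement 1:
--   UPDATE Apply SET decision = 'Y'
--   WHERE ID IN (SELECT ID FROM Student WHERE GPA > 3.9)
-- writes Apply.decision, reads Apply.ID in the WHERE clause, and reads
-- Student.ID and Student.GPA in the subquery. Column-level grants are enough.
GRANT UPDATE (decision) ON Apply   TO app_clerk;
GRANT SELECT (ID)       ON Apply   TO app_clerk;
GRANT SELECT (ID, GPA)  ON Student TO app_clerk;

-- Statement 2:
--   DELETE FROM Student WHERE ID NOT IN (SELECT ID FROM Apply)
-- DELETE is a table-level privilege; the condition reads Student.ID and the
-- subquery reads Apply.ID (SELECT (ID) ON Apply was already granted above).
GRANT DELETE            ON Student TO app_clerk;
GRANT SELECT (ID)       ON Student TO app_clerk;

-- JH with only an UPDATE privilege on S:
GRANT UPDATE (rating) ON S TO jh;
--   UPDATE S SET rating = 8;             -- allowed: nothing is read
--   UPDATE S SET rating = rating + 8;    -- rejected: the expression reads rating
GRANT SELECT (rating) ON S TO jh;       -- after this, the second UPDATE succeeds too
```

Run the commented statements as app_clerk or jh (SET ROLE) before and after the SELECT grants to see the "permission denied" errors disappear. The column-level form is the least-privilege one; a table-level GRANT SELECT would also work but exposes every column, including name and address, which neither statement needs.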
Obtaining Privileges
- The creator of a relation is its OWNER.
- The owner has all privileges and may GRANT privileges to others.
- SQL syntax:
    GRANT privilege-list ON R TO user-list [ WITH GRANT OPTION ]
  - privilege-list: the operations listed earlier, separated by commas
  - user-list: a list of user/group names, or PUBLIC
Example
    GRANT DELETE, UPDATE(A) ON R TO PUBLIC;
- A user granted privileges WITH GRANT OPTION may grant equal or lesser privileges to other users.
Another Example
- User JH wants to create the following table, which has a table constraint:
    CREATE TABLE Sneaky (
      maxrating INT,
      CHECK (maxrating >= (SELECT MAX(S.rating) FROM S)));
- What privileges does user JH need?
More Fine-Grained Protection
- Operation-level privileges on single relations may not provide sufficient control.
- Example: allow user U to select Student info for Berkeley applicants only.
- Q: Suggestion?
Another Example
- Allow user U to delete Berkeley application records only.
- Q: How?
- Authorization is one very important use of views.
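The two view-based answers, as an added example that is not part of the lecture notes, written for PostgreSQL against the slide schema. The role u and the view names are assumed.

```sql
-- Added example: row-level restriction through views (PostgreSQL).
-- Role u and the view names are assumed; Student and Apply are the slide schema.
CREATE ROLE u;

-- 1. U may SELECT Student rows only for applicants to Berkeley.
CREATE VIEW BerkeleyApplicants AS
  SELECT S.*
  FROM   Student S
  WHERE  S.ID IN (SELECT A.ID FROM Apply A WHERE A.location = 'Berkeley');
GRANT SELECT ON BerkeleyApplicants TO u;

-- 2. U may DELETE Berkeley application records only.
-- A view over one table with a plain WHERE clause is updatable, so a DELETE
-- through it becomes a DELETE on Apply with "location = 'Berkeley'" ANDed in.
CREATE VIEW BerkeleyApps AS
  SELECT * FROM Apply WHERE location = 'Berkeley'
  WITH CHECK OPTION;   -- also stops INSERT/UPDATE via the view from escaping the predicate
GRANT DELETE ON BerkeleyApps TO u;
GRANT SELECT (ID, location) ON BerkeleyApps TO u;  -- the columns U's WHERE clauses may read

-- U holds nothing on the base tables, so:
--   SELECT * FROM Student;                    -- permission denied
--   DELETE FROM Apply WHERE location = 'MIT'; -- permission denied
--   DELETE FROM BerkeleyApps WHERE ID = 42;   -- allowed, and can only touch Berkeley rows
```

PostgreSQL checks U's privileges on the view and the view owner's privileges on the underlying tables, so the owner (here the same user who created Student and Apply) must hold the base-table rights and U needs none; from PostgreSQL 15 a view created with the security_invoker option reverses that and checks the base tables against the caller instead, which would defeat this pattern. Only the second view needs to be updatable; the first is read-only by construction.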
Grant Diagrams
- The relationships among objects, privileges, and grant options can get very complex!
- Use a grant diagram: it illustrates the history of the privileges granted.
Sample Grant Diagram
- User JH:
    GRANT SELECT, INSERT ON Student TO CJ, MS WITH GRANT OPTION;
    GRANT SELECT ON Campus TO CJ, MS WITH GRANT OPTION;
    GRANT SELECT, INSERT ON Student TO AD;
- User MS:
    GRANT SELECT, INSERT(ID) ON Student TO AD;
Sample Grant Diagram
Node (user, privilege, object)      Mark   Granted by
JH   SELECT      on Student         **     owner
JH   INSERT      on Student         **     owner
JH   SELECT      on Campus          **     owner
CJ   SELECT      on Student         *      JH
CJ   INSERT      on Student         *      JH
MS   SELECT      on Student         *      JH
MS   INSERT      on Student         *      JH
CJ   SELECT      on Campus          *      JH
MS   SELECT      on Campus          *      JH
AD   SELECT      on Student                JH, MS
AD   INSERT      on Student                JH
AD   INSERT(ID)  on Student                MS
Legend: ** = owner; * = held WITH GRANT OPTION; no mark = cannot be re-granted.
Each "Granted by" entry is an edge of the diagram; a node with two sources (AD's SELECT on Student) survives as long as either source does.
Revoking Privileges
- SQL syntax:
    REVOKE privilege-list ON R FROM user-list [ CASCADE | RESTRICT ]
- Ex: REVOKE INSERT(A), DELETE ON R FROM JH;
- CASCADE: also revoke the privileges that were granted on the strength of the privileges now being revoked (transitively), except privileges that were also granted from some other source.
- RESTRICT: refuse the REVOKE if any such dependent privileges exist.
Example
- JH now executes:
    REVOKE SELECT, INSERT ON Student FROM MS CASCADE;
    REVOKE SELECT ON Campus FROM MS CASCADE;
Sample Grant Diagram (after the two REVOKEs)
Node (user, privilege, object)      Mark   Status
JH   SELECT      on Student         **     kept (owner)
JH   INSERT      on Student         **     kept (owner)
JH   SELECT      on Campus          **     kept (owner)
CJ   SELECT      on Student         *      kept
CJ   INSERT      on Student         *      kept
MS   SELECT      on Student         *      revoked
MS   INSERT      on Student         *      revoked
CJ   SELECT      on Campus          *      kept
MS   SELECT      on Campus          *      revoked
AD   SELECT      on Student                kept: still granted by JH
AD   INSERT      on Student                kept: granted by JH
AD   INSERT(ID)  on Student                revoked by the cascade: its only source was MS
Legend: ** = owner; * = held WITH GRANT OPTION.
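Replaying the diagram above in PostgreSQL, as an added example that is not part of the lecture notes. It assumes JH owns Student and Campus and that the session runs as a superuser so it can switch roles. One simplification: MS grants table-level INSERT to AD rather than INSERT(ID), so the example depends only on table-level cascade semantics; the rule it demonstrates is the same.

```sql
-- Added example: the grant diagram as PostgreSQL statements, then the two REVOKEs.
-- Assumes tables Student and Campus exist and the session is a superuser.
CREATE ROLE jh; CREATE ROLE cj; CREATE ROLE ms; CREATE ROLE ad;
ALTER TABLE Student OWNER TO jh;
ALTER TABLE Campus  OWNER TO jh;

SET ROLE jh;   -- the owner: the "**" nodes
GRANT SELECT, INSERT ON Student TO cj, ms WITH GRANT OPTION;
GRANT SELECT ON Campus TO cj, ms WITH GRANT OPTION;
GRANT SELECT, INSERT ON Student TO ad;

SET ROLE ms;   -- a "*" node may re-grant; the grant is recorded with grantor = ms
GRANT SELECT, INSERT ON Student TO ad;   -- simplified from INSERT(ID), see lead-in

SET ROLE jh;
-- RESTRICT refuses: AD holds privileges that MS granted.
--   REVOKE SELECT, INSERT ON Student FROM ms RESTRICT;
--   ERROR:  dependent privileges exist
REVOKE SELECT, INSERT ON Student FROM ms CASCADE;
-- Gone: MS's SELECT/INSERT on Student and AD's copies that MS granted.
-- Kept: AD's SELECT/INSERT on Student granted by JH (another source), and
--       everything CJ holds, which never depended on MS.

-- MS never re-granted SELECT on Campus, so RESTRICT and CASCADE behave alike:
REVOKE SELECT ON Campus FROM ms RESTRICT;

-- What survives, per grantee (table names are lower-case in the catalog):
SELECT grantee, table_name, privilege_type, is_grantable
FROM   information_schema.role_table_grants
WHERE  table_name IN ('student', 'campus') AND grantee <> 'jh'
ORDER  BY table_name, grantee, privilege_type;
```

PostgreSQL records each grant together with its grantor, which is what makes the "other source" exception work: AD's privileges from JH and from MS are separate entries, and the cascade removes only the entries whose grantor chain leads back to MS. The catalog query at the end is the practical way to audit a grant diagram after a series of GRANTs and REVOKEs.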
Not Covered
- The many subtleties of granting and revoking privileges
- How the DBMS checks privileges
- Handling of triggers and other modules
- Mandatory access control