Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fine Grained Authorization Through Predicated Grants Surajit Chaudhuri, Tanmoy Dutta, S. Sudarshan (ICDE 2007) Presented By: Ahmad Abusalah

Published byClare McLaughlin Modified over 9 years ago

Similar presentations

Presentation on theme: "Fine Grained Authorization Through Predicated Grants Surajit Chaudhuri, Tanmoy Dutta, S. Sudarshan (ICDE 2007) Presented By: Ahmad Abusalah"— Presentation transcript:

1 Fine Grained Authorization Through Predicated Grants Surajit Chaudhuri, Tanmoy Dutta, S. Sudarshan (ICDE 2007) Presented By: Ahmad Abusalah abusalah@cs.purdue.edu

2 Background SQL standards: SQL 1999 SQL 2003 SQL 2008 Access Control. Authorization. Security Model. SQL Security Model SQL:1999 new security facility is found in its role capability. Privileges can be granted to roles just as they can be to individual authorization identifiers. SQL:2003, SQL:2008 modifications of non-core features and not related to security. Can be used Interchangeably Access to Database: User Login with password Access to Objects Which Object? What Action?

3 Do we have what we need? What We Have: Coarse-grained authorization model Granularity = Table Grants access to all rows of a table or none at all Finer-grained authorization: built-in Views with built-in functions (userid()) functions (userid()) Queries to be phrased against the views rather than on the original Table  Requires rewriting significant parts of an Application different queries would have to be written for users with different degrees of authorizations Granularity = Table Grants access to all rows of a table or none at all Finer-grained authorization: built-in Views with built-in functions (userid()) functions (userid()) Granularity = Table Grants access to all rows of a table or none at all Queries to be phrased against the views rather than on the original Table  Requires rewriting significant parts of an Application different queries would have to be written for users with different degrees of authorizations Finer-grained authorization: built-in Views with built-in functions (userid()) functions (userid()) Granularity = Table Grants access to all rows of a table or none at all

4 Do we have what we need? SQL Fine-grained authorization model Granularity = Rows and even to specific Columns values  Cells What We Need: Fine-grained authorization implementation should move to the database instead of application layer Authorization checks are distributed over a large body of code  Security, trust, and simplicity issues Fine-grained authorization implementation should move to the database instead of application layer Authorization checks are distributed over a large body of code  Security, trust, and simplicity issues

5 How to Meet? What We Propose: Extend the SQL authorization model to support fine-grained authorization Such extension to SQL must have the following characteristics: Clear and simple semantics. Compatibility with existing SQL security model, with minimal changes. Ease of specification and administration of authorization. The ability to deal with (large numbers of) application users, not just a set of fixed database users/roles. Low impact on existing application code.

6 How to Meet? How to Extend:   Using Predicates: Applied on read and update of rows. Applied on execution of functions and procedures Column-level authorization, including variants that allow: nullification of values based on predicates  cell-level security Authorization on aggregates, while restricting authorization on the underlying data.   Support administration of systems with large numbers of application users and database objects including: Query-defined user groups. Authorization groups How to Meet? How to Extend:  Using Predicates: Applied on read and update of rows. Applied on execution of functions and procedures Column-level authorization, including variants that allow: nullification of values based on predicates  cell-level security Authorization on aggregates, while restricting authorization on the underlying data.  Support administration of systems with large numbers of application users and database objects including: Query-defined user groups. Authorization groups How to Meet? How to Extend:  Using Predicates: Applied on read and update of rows. Applied on execution of functions and procedures Column-level authorization, including variants that allow: nullification of values based on predicates  cell-level security Authorization on aggregates, while restricting authorization on the underlying data.  Support administration of systems with large numbers of application users and database objects including: Query-defined user groups. Authorization groups

7 Goal “The main goal of this paper is to present to the community a detailed initial proposal for extending SQL to support fine grained authorization, addressing important issues that arise in this context. Our hope is that this will eventually lead to extensions to the SQL standard, through refinement of the proposal.”

8 OutlineOutline Proposed Extensions: Predicates in Grants Authorization on Procedures/Functions Query-Defined User Groups Authorization on Columns Aggregate Authorizations Authorization Administration Features Stacked Grants Open Areas to explore.

9 Outline Proposed Extensions: Predicates in Grants Authorization on Procedures/Functions Query-Defined User Groups Authorization on Columns Aggregate Authorizations Authorization Administration Features Stacked Grants Open Areas to explore.

10 Predicates in Grants Usage: grant on where ( ) to [as ]Goal: A predicated grant statement authorizes access only to rows that satisfy the grant predicateExample: Each person is granted access to their own employee record. grant select on employee where (empid = userId()) to public grant select on employee E where (E.deptid in (select deptid from manages where mgrid = userId())) to public Each department head is granted access to the records of his employees Predicates in Grants Usage: grant on where ( ) to [as ]Goal: A predicated grant statement authorizes access only to rows that satisfy the grant predicateExample:

11 Semantics Semantics for Queries: grant select on R where P to U The semantics of the grant is that all uses of R in any queries issued by the database user U are replaced by the expression: select * from R where P If a user has multiple authorizations with predicates P 1..P n, then the disjunction (P 1 v …v P n ) is used in place of P in the above expression.

12 Semantics Semantics for Updates: grants all (select, insert, delete and update) authorization to all employee records with dept-id = Sales, to SalesDept grant all on employee where deptid =’Sales’ to SalesDept For updates, the old and new value of any updated tuple must satisfy the update authorization predicates. Inserts, deletes and updates on tuples that violate the predicate are rejected update employee set phone = ‘555-1212’, deptid = ‘Legal’ where empid = ‘1234’ If the employee 1234 was in the Sales department, the user would have authorization to update the phone number, but the update to deptid would fail since the updated tuple fails the authorization predicate (deptid = ‘Sales’).

13 Outline Proposed Extensions: Predicates in Grants Authorization on Procedures/Functions Query-Defined User Groups Authorization on Columns Aggregate Authorizations Authorization Administration Features Stacked Grants Open Areas to explore.

14 Authorization on Procedures/Functions Current SQL standard supports: grant execute on proc() to U Proposed Extension: Use predicated grants: grant execute on proc() where to Example: grant execute on getsalary(userid) where (userid = userId()) to employeeGrp

15 Outline Proposed Extensions: Predicates in Grants Authorization on Procedures/Functions Query-Defined User Groups Authorization on Columns Aggregate Authorizations Authorization Administration Features Stacked Grants Open Areas to explore.

16 Query-Defined User Groups Scenario: Assign a set of permissions to managers only and not any other employee Current SQL standard supports “Roles” - Which are groups of permissions on objects assigned to individual users.  Maintenance overhead each time individuals’ list is changed. 1st Proposed Extension: (Predicated Grants) grant select on employee E where (E.deptid in (select deptid from manages where mgrid = userId())) to public  Most of users are not managers  Checking the predicate each time we access the employee table is unnecessary overhead

17 Query-Defined User Groups 2nd Proposed Extension: (Query defined user groups) create group managerGrp as (select mgrid from manager) How to create it? Group has an associated query that returns the set of application user-ids that belong to the group What is it? grant select on employee where (deptid in (select deptid from managers where mgrid = userId())) to managerGrp How to assign permissions?  Less overhead

18 Outline Proposed Extensions: Predicates in Grants Authorization on Procedures/Functions Query-Defined User Groups Authorization on Columns Aggregate Authorizations Authorization Administration Features Stacked Grants Open Areas to explore.

19 Authorization on Columns Goal: Permissions to be assigned to specific columns only Current SQL standard: - This feature is supported - Grant select (col_name) on table_name to user  Maintenance overhead each time individuals’ list is changed.  Simple and efficient Proposed Extension: (Predicated Grants) grant select on employee(name) where (dept =’sales’) to public Issues: - A user may have multiple grants on different columns of a relation, with different predicates. - A query may access columns covered by different authorizations.

20 Authorization on Columns Issues: - A user may have multiple grants on different columns of a relation, with different predicates. - A query may access multiple columns covered by different authorizations. Proposed Model 1. Use only authorizations that cover all accessed.Example: User has Pa on column A, Pb on column B, Pc on Columns A,b. If Q accesses A & B then allow access to rows that satisfy Pc. Proposed Model 2. Cover different authorizations, but only return rows that satisfy all the predicates associated with the authorizationsExample: User has Pa on column A. Pb on column B. If Q accesses A & B then allow access to rows that satisfy Pa and Pb only. Proposed Model 3. Cover different authorizations, and return rows where at least one column satisfies the authorization predicate on the column. However, nullify cells for which none of the applicable authorization predicates evaluate to true. Authorization on Columns Issues: - A user may have multiple grants on different columns of a relation, with different predicates. - A query may access multiple columns covered by different authorizations.

21 Cell-Level Authorization with Nullification Scenario: Allow access to the address attribute of employees who have ‘opted-in’ to allow their addresses to be made public, but Return a null value for the address attribute of all other employees Proposed Extension: (Predicated Grants & “else nullify”) -The else nullify clause can only be specified on columns whose types permit null values. - It cannot be used on primary key columns, for example. - If a grant with nullify is specified on a column, queries can access that column, but the value returned for a row will be null unless the predicate is true for at least one of the grants.

22 grant select on employee(addr) where (P1) else nullify to public grant select on employee(phone) where (P2) else nullify to public grant select on employee(empid) where (P0) to public Cell-Level Authorization with Nullification Example: - Thus, if predicates P1 (resp. P2) in the above grants evaluate to false for a particular row for a particular user, that user will see null values for the address (resp. phone) attribute of the row. - On the other hand, if a query accesses an attribute on which else nullify is not specified, such as empid in the above example, the entire tuple will become inaccessible (including attributes for which else nullify has been specified). grant select on employee(addr) where (P1) else nullify to public grant select on employee(phone) where (P2) else nullify to public grant select on employee(empid) where (P0) to publicExample:

23 Outline Proposed Extensions: Predicates in Grants Authorization on Procedures/Functions Query-Defined User Groups Authorization on Columns Aggregate Authorizations Authorization Administration Features Stacked Grants Open Areas to explore.

24 Aggregate Authorizations Goal: Authorization can be granted on aggregated values, instead of individual values Example: To allow a salesperson to see the aggregate of sales in their region. grant select on sales(region, category,anyagg(units), anyagg(price)) where (region = getUserRegion()) to salesGrp select region, sum(units) from sales group by region select sum(units) from sales Same Result select region, sum(units) from sales group by region Same Result select sum(units) from sales select region, sum(units) from sales group by region Same Result

25 Outline Proposed Extensions: Predicates in Grants Authorization on Procedures/Functions Query-Defined User Groups Authorization on Columns Aggregate Authorizations Authorization Administration Features Stacked Grants Open Areas to explore.

26 Authorization Administration Features Hierarchies of groups: Scenario: To have group B inherit all members of group A, the group A can be used in the query defining group B create group A as (…) create group B as A union (…) Authorization Groups : Goal: Define a set of authorizations on a group of related objects.. create authorization select_purchaseorder with root order O as ( select on order O, select on lineitem L where (L.order_id=O.order_id)), select on part P where (P.part_id=L.part_id), select on partsupp PS where (PS.part_id = P.part_id), select on supplier S where (S.supplier_id = PS.supplier_id)) grant select_purchaseorder where(purchaser_id = userId()) to employeeGrp

27 Outline Proposed Extensions: Predicates in Grants Authorization on Procedures/Functions Query-Defined User Groups Authorization on Columns Aggregate Authorizations Authorization Administration Features Stacked Grants Open Areas to explore.

28 Stacked Grants Properties for a valid Stacked Grants: 1. A grantor A can only pass on authorizations that had been granted with grant option to the grantor. 2. The grant predicate cannot reveal information to the grantee B that was not visible to the grantor A, or was not granted with grant option to A. 3. Cycles in Stacked Grants is disallowed through the use of authorization graph. Stacked Grants What is it? The issue of further granting of predicated grants, is referred to as stacked grants grant select on R where P1 to A with grant option; Then, user A executes grant select on R where P2 to B;

29 Stacked Grants What Data B can access? grant select on R where P1 to A with grant option; Then, user A executes grant select on R where P2 to B; Answer1: (P1 Λ P2)? Incorrect! since P1 is only authorized to see data satisfying P1 with values from his/her user context. Suppose P1 is of the form “empid=userId()”, the userId() value for A is 1234, and that of B is 2345 Then A is authorized only to access (and grant access to) tuples with empid='1234’. Answer2: (P1’ Λ P2’)? Correct! P1’ is the result of replacing instances of userId() in P1 by the user-id of A. P2’ is the result of replacing relations in P2 by the views available to user A.

30 Outline Proposed Extensions: Predicates in Grants Authorization on Procedures/Functions Query-Defined User Groups Authorization on Columns Aggregate Authorizations Authorization Administration Features Stacked Grants Open Areas to Explore.

31 Open Areas to Explore Query Optimization: Query modification to implement fine-grained authorization must be done each time a query is submitted, which can have a non-trivial cost. To reduce this cost, we can cache the rewritten query Q’ derived from Q, as well as the recompiled plan. Managing authorizations Managing authorizations. handle hierarchies Extensions to efficiently handle hierarchies of various types, such as organizational hierarchies, user hierarchies and user- interface hierarchies are required. database and application level authorization Integration of database and application level authorization

32 Thanks!

Download ppt "Fine Grained Authorization Through Predicated Grants Surajit Chaudhuri, Tanmoy Dutta, S. Sudarshan (ICDE 2007) Presented By: Ahmad Abusalah"

Similar presentations

MSc IT UFCE8K-15-M Data Management Prakash Chatterjee Room 2Q18

MSc IT UFCE8K-15-M Data Management Prakash Chatterjee Room 2Q18
Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.

Chapter 23 Database Security and Authorization Copyright © 2004 Pearson Education, Inc.
1 Constraints, Triggers and Active Databases Chapter 9.

1 Constraints, Triggers and Active Databases Chapter 9.
Relational Database Design UNIT II 1. 2 Advantages of Using Database Systems Centralized control of a firm’s data Redundancy can be reduced (avoid keeping.

Relational Database Design UNIT II 1. 2 Advantages of Using Database Systems Centralized control of a firm’s data Redundancy can be reduced (avoid keeping.
Database Management Systems, R. Ramakrishnan and J. Gehrke1 The Relational Model Chapter 3.

Database Management Systems, R. Ramakrishnan and J. Gehrke1 The Relational Model Chapter 3.
Database Management Systems 3ed, R. Ramakrishnan and J. Gehrke1 SQL: Queries, Programming, Triggers Chapter 5 Modified by Donghui Zhang.

Database Management Systems 3ed, R. Ramakrishnan and J. Gehrke1 SQL: Queries, Programming, Triggers Chapter 5 Modified by Donghui Zhang.
The Relational Model. Introduction Introduced by Ted Codd at IBM Research in 1970 The relational model represents data in the form of table. Main concept.

The Relational Model. Introduction Introduced by Ted Codd at IBM Research in 1970 The relational model represents data in the form of table. Main concept.
SQL Subqueries Objectives of the Lecture : To consider the general nature of subqueries. To consider simple versus correlated subqueries. To consider the.

SQL Subqueries Objectives of the Lecture : To consider the general nature of subqueries. To consider simple versus correlated subqueries. To consider the.
SQL Constraints and Triggers

SQL Constraints and Triggers
SPRING 2004CENG 3521 The Relational Model Chapter 3.

SPRING 2004CENG 3521 The Relational Model Chapter 3.
The Relational Database Model:

The Relational Database Model:
1 Relational Model. 2 Relational Database: Definitions  Relational database: a set of relations  Relation: made up of 2 parts: – Instance : a table,

1 Relational Model. 2 Relational Database: Definitions  Relational database: a set of relations  Relation: made up of 2 parts: – Instance : a table,
Triggers, security and authorization in SQL Niki Sardjono Niki Sardjono CS 157A sect 2 Prof. S. M. Lee.

Triggers, security and authorization in SQL Niki Sardjono Niki Sardjono CS 157A sect 2 Prof. S. M. Lee.
CMPT 354, Simon Fraser University, Fall 2008, Martin Ester 157 Database Systems I SQL Constraints and Triggers.

CMPT 354, Simon Fraser University, Fall 2008, Martin Ester 157 Database Systems I SQL Constraints and Triggers.
Security and Integrity

Security and Integrity
Overview What is SQL Server? Creating databases Administration Security Backup.

Overview What is SQL Server? Creating databases Administration Security Backup.
Chapter 6: Integrity and Security Thomas Nikl 19 October, 2004 CS157B.

Chapter 6: Integrity and Security Thomas Nikl 19 October, 2004 CS157B.
©Silberschatz, Korth and Sudarshan6.1Database System Concepts Chapter 6: Integrity and Security Domain Constraints Referential Integrity Assertions Triggers.

©Silberschatz, Korth and Sudarshan6.1Database System Concepts Chapter 6: Integrity and Security Domain Constraints Referential Integrity Assertions Triggers.
The Relational Model These slides are based on the slides of your text book.

The Relational Model These slides are based on the slides of your text book.
The Relational Model. Review Why use a DBMS? OS provides RAM and disk.

The Relational Model. Review Why use a DBMS? OS provides RAM and disk.

Similar presentations

Ads by Google