Roles: A New Security Feature in INFORMIX-OnLine Dynamic Server, Version 7.10.UD1



Similar documents
IT360: Applied Database Systems. Database Security. Kroenke: Ch 9, pg PHP and MySQL: Ch 9, pg

Database Security. Principle of Least Privilege. DBMS Security. IT420: Database Management and Organization. Database Security.

Database 10g Edition: All possible 10g features, either bundled or available at additional cost.

Database Security. The Need for Database Security

ADO and SQL Server Security

Informix Performance Tuning using: SQLTrace, Remote DBA Monitoring and Yellowfin BI by Lester Knutsen and Mike Walker! Webcast on July 2, 2013!

USING MYWEBSQL FIGURE 1: FIRST AUTHENTICATION LAYER (ENTER YOUR REGULAR SIMMONS USERNAME AND PASSWORD)

Oracle Database 10g: Introduction to SQL

Oracle Database 10g Express

A basic create statement for a simple student table would look like the following.

In This Lecture. Security and Integrity. Database Security. DBMS Security Support. Privileges in SQL. Permissions and Privilege.

Database Administration with MySQL

SQL INJECTION ATTACKS By Zelinski Radu, Technical University of Moldova

CS143 Notes: Views & Authorization

New Security Options in DB2 for z/os Release 9 and 10

Instant SQL Programming

CONVERTING FROM NETKEEPER ISAM v6.32 to NETKEEPER SQL

Role-Based Access Control Approaches In Mangodb 2.4 and Informix Online Dynamic Server Version 7.2

Fine Grained Auditing In Oracle 10G

AUTHENTICATION... 2 Step 1:Set up your LDAP server... 2 Step 2: Set up your username... 4 WRITEBACK REPORT... 8 Step 1: Table structures...

MatriXay Database Vulnerability Scanner V3.0

Geodatabase Programming with SQL

UNISYS. Business Information Server. MRI Administration and User s Guide. Printed in USA May

Contents. Welcome to the Priority Zoom System Version 17 for Windows. This document contains instructions for installing the system.

CHAPTER 2 DATABASE MANAGEMENT SYSTEM AND SECURITY

A Brief Introduction to MySQL

Oracle Database Links Part 2 - Distributed Transactions Written and presented by Joel Goodman October 15th 2009

ASP.NET Programming with C# and SQL Server

Oracle PL/SQL Injection

Microsoft SQL Server Security & Auditing. March 23, 2011 ISACA Chapter Meeting

How to Copy A SQL Database SQL Server Express (Making a History Company)

Release Notes For Versant/ODBC On Windows. Release

DBMS Questions. 3.) For which two constraints are indexes created when the constraint is added?

COURSE NAME: Database Management. TOPIC: Database Design LECTURE 3. The Database System Life Cycle (DBLC) The database life cycle contains six phases;

Oracle Database 12c: Introduction to SQL Ed 1.1

Data Warehouse Center Administration Guide

SQL - QUICK GUIDE. Allows users to access data in relational database management systems.

BM482E Introduction to Computer Security

Using ELM Reports in WhatsUp Gold. This guide provides information about configuring ELM reports in WhatsUp Gold v15.0

Database Security. Chapter 21

Tutorial: How to Use SQL Server Management Studio from Home

CSCI-UA: Database Design & Web Implementation. Professor Evan Sandhaus sandhaus@cs.nyu.edu evan@nytimes.com

Setting Up Your Team-SQL Database for ORACLE 8.05

2. Oracle SQL*PLUS Winter Some SQL Commands. To connect to a CS server, do:

DB2 - DATABASE SECURITY

SQL Injection. The ability to inject SQL commands into the database engine through an existing application

ICAB4136B Use structured query language to create database structures and manipulate data

Administration: User Management and Security. SAP Sybase IQ 16.0

Schema Evolution in SQL-99 and Commercial (Object-)Relational DBMS

The first time through running an Ad Hoc query or Stored Procedure, SQL Server will go through each of the following steps.

XMailer Reference Guide

Serious Threat. Targets for Attack. Characterization of Attack. SQL Injection 4/9/2010 COMP On August 17, 2009, the United States Justice

Division of IT Security Best Practices for Database Management Systems

Database Programming with PL/SQL: Learning Objectives

Connecting to a Database Using PHP. Prof. Jim Whitehead CMPS 183, Spring 2006 May 15, 2006

and what does it have to do with accounting software? connecting people and business

Distributed Database Guide Version: 00.01

A Tutorial on SQL Server CMPT 354 Fall 2007

Managing Objects with Data Dictionary Views. Copyright 2006, Oracle. All rights reserved.

FLIGHT RESERVATION TEST CASES

Falcon Install Guide

How to Connect to CDL SQL Server Database via Internet

Using the SQL TAS v4

Security and Authorization. Introduction to DB Security. Access Controls. Chapter 21

Computer Security: Principles and Practice

The Ultimate Remote Database Administration Tool for Oracle, SQL Server and DB2 UDB

Toad for Data Analysts, Tips n Tricks

Analysis of SQL injection prevention using a proxy server

PROJECTIONS SUITE. Database Setup Utility (and Prerequisites) Installation and General Instructions. v0.9 draft prepared by David Weinstein

How to Set Up pgagent for Postgres Plus. A Postgres Evaluation Quick Tutorial From EnterpriseDB

Ch.5 Database Security. Ch.5 Database Security Review

TimesTen Auditing Using ttaudit.java

Incremental Replication from SQL Server to Oracle. Kane McKenzie Liberty University

MySQL for Beginners Ed 3

May 17, 2011 SQL SERVER SECURITY GRANTING, CONTROLLING, AND AUDITING DATABASE ACCESS. Mike Fal -

A Comparison of Enterprise Reporting Tools

Tivoli Security Compliance Manager. Version rel. 2 July, Collector and Message Reference Windows Oracle Addendum

Administering a Microsoft SQL Server 2000 Database

CS587 Project final report

Auditing Data Access Without Bringing Your Database To Its Knees

Demystified CONTENTS Acknowledgments xvii Introduction xix CHAPTER 1 Database Fundamentals CHAPTER 2 Exploring Relational Database Components

The Relational Model. Ramakrishnan&Gehrke, Chapter 3 CS4320 1

The Relational Model. Why Study the Relational Model?

Chapter 2: Security in DB2

Mul$media im Netz (Online Mul$media) Wintersemester 2014/15. Übung 03 (Nebenfach)

Chapter 9, More SQL: Assertions, Views, and Programming Techniques

Outline. SAS-seminar Proc SQL, the pass-through facility. What is SQL? What is a database? What is Proc SQL? What is SQL and what is a database

Oracle Database: Introduction to SQL

Working with Oracle Database XE. Create New User Account Using SQL Run Script Files PL/SQL Objects PL/SQL Server Pages

GUJARAT TECHNOLOGICAL UNIVERSITY, AHMEDABAD, GUJARAT. COURSE CURRICULUM COURSE TITLE: DATABASE MANAGEMENT (Code: ) Information Technology

Transcription:

Technical Features Roles: A New Security Feature in INFORMIX-OnLine Dynamic Server, Version 7.10.UD1 by Lester Knutsen 95 Introduction INFORMIX-OnLine Dynamic Server, version 7.10.UD1, introduced a new feature called Roles. Roles provide a way to grant and revoke privileges to a function, rather than to individual users. In addition, a user is granted the privilege to use one or more Roles. When a user requires access to the privileges of a Role, the user or application sets the current access levels to the Role. Then, after the user has performed the functions for which the Role was granted, the Role can be deselected so that the privileges are no longer in effect. This article examines some examples which use Roles to improve security, and discusses the limitations of Roles. The examples used in this article were developed using the stores database provided with INFORMIX-OnLine Dynamic Server, version 7.10.UD1, on a Sun Sparc hardware platform. This article begins with a simple example which illustrates the use of Roles. This example restricts insert, update, and delete access to a group of users in the Orders Department. First, all privileges are revoked from everyone in the table. Then, instead of granting the select, insert, update and delete privileges to each individual, three Roles are created. One Role, read_ord, provides select-only access. The next Role, upd_ord, provides select, update and insert access, and the final Role, del_ord, includes delete privileges. Then, individuals are granted the privilege to use these Roles. Finally, this article discusses how to set up the applications to use these Roles. Notes The examples contained in this article make use of the stores database and a table contained within this database called orders.

Roles: A New Security Feature in INFORMIX-OnLine Dynamic Server, Version 7.10.UD1 96 Creating Roles Creating a Role begins with the CREATE ROLE role_name statement, where role_name is an eight-character name for the Role. The role_name cannot be the name of a user on the system, since it is stored in the system table sysusers. In order to create a Role, it is necessary to have dba privileges in the database. The following statements are used to create the three Roles: create role read_ord; create role upd_ord; create role del_ord; After creating the Roles, the following query can be performed on the system table sysusers to view the Roles: select * from sysusers where usertype = G ; The query returns the following data: username usertype priority password read_ord G 5 upd_ord G 5 del_ord G 5 In the sysusers table, a usertype G, and a new usertype in INFORMIX- OnLine Dynamic Server, version 7.10.UD1, indicates a Role definition.

Technical Features Privileges for a Role Granting privileges to a Role is the same as granting privileges to a user, and uses the same syntax. For the purposes of the example, it is first necessary to revoke all privileges on the orders table. The following SQL statement displays all privileges which have been granted on the orders table: select * from systabauth where tabid in (select tabid from systables where tabname = orders ); To revoke privileges from public, use the following SQL statement: 97 revoke all on orders from public; This command must be repeated for each user with privileges to the orders table. Next, use SQL to grant privileges to each Role: grant select on orders to read_ord; grant select, insert, update on orders to upd_ord; grant select, delete on orders to del_ord; After granting privileges, run the query against the system tables to view the results: select * from systabauth where tabid in (select tabid from systables where tabname = orders ); Following are the results: grantor grantee tabid tabauth lester del_ord 101 s---d--- lester read_ord 101 s------- lester upd_ord 101 su-i---- The results show that the user lester granted the privileges, the grantee column displays the Role name, and the tabauth column contains the privileges.

Roles: A New Security Feature in INFORMIX-OnLine Dynamic Server, Version 7.10.UD1 98 Adding Users to a Role It is now necessary to add the users to the appropriate Roles. In the example, there are five users in the orders department: abby, joe, ron, jack, and linda. Of this group, everyone must have the ability to read orders, while only linda and abby must have the capability to add and update orders. In addition, abby must be able to delete orders. To accomplish this, use the following SQL statements. grant read_ord to abby, joe, ron, jack, linda; grant upd_ord to abby, linda; grant del_ord to abby ; Version 7.1 of INFORMIX-OnLine Dynamic Server provides a new system table called sysroleauth, which stores information about users access to Roles. A select on the table returns the following information: rolename grantee is_grantable read_ord abby n read_ord joe n read_ord ron n read_ord jack n read_ord linda n upd_ord abby n upd_ord linda n del_ord abby n The above information displays the Role name, the users who have access to that Role, and an N (No, cannot grant this Role to someone else) or a Y (Yes, can grant this Role to someone else).

Technical Features Using a Role: the SET ROLE Statement Once a user is granted the privilege to use a Role, he or she does not yet have automatic access to the privileges of the Role. The user, or the application executed by the user, must first execute the SET ROLE statement. Note that any user with SQL knowledge and connect privilege to the database can use the SET ROLE command to activate a role. If the user Joe attempts to select data from the orders table before the SET ROLE statement is executed, he receives the following error message: 99 select * from orders; # ^ # 272: No SELECT permission. However, when Joe or the application he is using sets the current Role to the proper privileges, he can read the data. The following SQL command sets the Role and selects all data from the orders table: set role read_ord ; select * from orders; When a user no longer requires a Role, the Role can be set to NONE or NULL, which removes the privileges of the Role. In an application, use the SET ROLE NONE or NULL statement to end the Role s privileges when those privileges are no longer required. Note the following syntax: set role none; select * from orders; # ^ # 272: No SELECT permission.

Roles: A New Security Feature in INFORMIX-OnLine Dynamic Server, Version 7.10.UD1 100 Roles in Applications Roles are designed for use in applications. The application can set a Role, perform the tasks, and then deselect the Role. In this way, a user only retains privileges while the application runs. Once the application is complete, the user s privileges are revoked. To use a Role in an application, it is necessary to prepare and execute a statement which sets the Role for the application. The following statements are examples, in the context of an INFORMIX-4GL program, that set the Role to read_ord: Conclusion prepare role_stmt from set role read_ord execute role_stmt if ( sqlca.sqlcode!= 0 ) then fi error Cannot use this role After executing the statement, ensure that it was successful. Otherwise, the user will attempt to perform functions without the proper privileges; this will generate numerous other SQL errors. There are several new error messages in INFORMIX-OnLine Dynamic Server, version 7.10.UD1, which handle Roles. For example, if a user does not have permission to use a Role, the sqlca.sqlcode is 19805: No privilege to set to the Role. Especially when many users are involved, Roles provide useful security features. Roles enable the Database Administrator (DBA) to effectively control database privileges. The only drawback, which is often true with any new features, is that the DBA must change existing applications to take advantage of Roles.

Technical Features About the Author Advanced DataTools Corporation Lester Knutsen is a database consultant who has used Informix products since 1983. He is the president of Advanced DataTools Corporation, a company which provides DBA training, support and consulting services to major corporations. Lester is also president of the Washington D.C. area Informix User Group. Over the last six years, he has guided its growth into one of the largest and most active Informix user groups in the U.S. He is also one of the founding members of the International Informix User Group. Lester can be contacted via e-mail at lester@access.digex.net. Advanced DataTools Corporation an Informix Solutions Alliance Partner provides consulting in database design, application development, web database access, decision support systems/data warehousing, performance enhancement, and project management using Informix products. The company developed DB Privileges, a tool for managing Informix database security. Advanced DataTools Corporation (ADTC) is located at 4216 Evergreen Lane, Suite 136, Annandale, VA 22003. For more information, contact ADTC at 703 256 0267 or 800 807 6732, or access the ADTC web site at www.access.digex.net/~lester. 101

102 Roles: A New Security Feature in INFORMIX-OnLine Dynamic Server, Version 7.10.UD1

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information