SQL Bible [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

SQL Bible [Electronic resources] - نسخه متنی

Alex Kriegel

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
ارسال به دوستان
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات
توضیحات
افزودن یادداشت جدید








Managing Security with Roles


ROLE is an
abstract concept introduced in the relational databases to facilitate user
management tasks by grouping users'' privileges according to some criteria,
usually a job function. If, for example, your accounting staff of 100 people
needs privileges for the dozens of objects they access daily — in addition to
some system-level privileges — you have two choices: go through each and every
user and individually grant him/her all the privileges required; or create a
group (role), such as
ACCOUNTANTS, grant all the privileges to
the role, and thus grant this role to all the users in the group. Revoking the
privileges would pose the same choices. It seems fairly obvious which choice is
better.


Some RDBMS provide roles-creating
capabilities, in addition to having a number of predefined system roles that
could be granted to a user. Oracle 9i and the Microsoft
SQL Server 2000 have this feature, while DB2 UDB employs only fixed, predefined
roles (authorities).


The
Oracle 9i roles are collections of privileges that
could be granted to (or revoked from) a user or another role, thus providing a
hierarchy of privileges. A role must be enabled (with a
SET
ROLE statement or by the database
administrator) before it can pass on all the privileges granted to it.


Oracle 9i has a
number of predefined roles through which privileges are granted to users.
Table
12-8
shows these with short descriptions.


































Table 12-8: Oracle 9i
Predefined Roles


Predefined
Role




Description




CONNECT
RESOURCE
DBA




Provided for compatibility
with the previous versions of Oracle; it is explicitly stated that these roles
might not be supported in the future releases.


There are a number of
privileges associated with each of these roles in Oracle
9i. The DBA role, for example, has 124 privileges;
RESOURCE and
CONNECT have 8 each. Some of these
have overlapping privileges — like
CREATE
TABLE or
CREATE
VIEW — and some of them are
unique.


Refer to the
DBA_SYS_PRIVS dictionary view for
the full list of privileges and their descriptions.




DELETE_CATALOG_ROLE
EXECUTE_CATALOG_ROLE
SELECT_CATALOG_ROLE




Provided for users who need to
access data dictionary views.




EXP_FULL_DATABASE
IMP_FULL_DATABASE




Provided for users who need to
perform full database export.




AQ_USER_ROLE
AQ_ADMINISTRATOR_ROLE




Needed for Oracle''s advanced
queuing functionality.




SNMPAGENT




Used by Enterprise
Manager/Intelligent Agent.




RECOVERY_CATALOG_OWNER




Needed for a user who owns a
recovery catalog.




HS_ADMIN_ROLE




Provided to grant access to the
DBMS_HS package, which is required
for heterogeneous services
administration.




You neither can add new privileges to a
predefined role, nor can you revoke any from the role.


The following Oracle syntax, which creates
a custom role, is straightforward:


CREATE ROLE <role name>
[IDENTIFIED {BY <password> | EXTERNALLY | GLOBALLY | USING
[<schema>].[<package>] } ];


Only the role name is a required argument
for this statement, the rest is optional. If the role is to have its own
password, then the
IDENTIFIED clause must be used. The
NOT
IDENTIFIED clause indicates that no
password is required to enable it.









SQL Server 2000 DENY
Statement


The Microsoft-specific
DENY statement adds an additional level
of granularity to the system of privileges not found in Oracle or DB2 UDB. The
SQL92/99 standard does not define such a statement.


If you are using roles to assign a set
of privileges to a user, you might find yourself in a situation when this set
should be modified for one and only one user, while preserving it for all other
users to whom this role was granted. Attempting to revoke a privilege from the
user that was granted through a role will result in an error. You could create
another role and grant a subset of privileges from the first role and then
grant it to a user; or you could grant these privileges to the user directly,
bypassing the role. Any of these, while workable, would lead to redundancy and
possible confusion. The
DENY statement provides an elegant
solution to the problem. It allows you to grant a role with a full set of
privileges and then deny some of these privileges to a user.


The following
DENY statement works both for
system-level and object-level privileges, with the syntax very similar to that
of
GRANT and
REVOKE statements:


DENY ALL [PRIVILEGES] |
<permission>,... [(<column>)] ON [<table> | <view>] |
ON [<table> | <view>] [(<column>,...)] | ON
[<stored_procedure> | <extended_procedure>] | ON
[<user_defined_function>] TO <security_account>,...
[CASCADE]


The
CASCADE clause means that a privilege
(permission) denied to the
security_account will also be denied to
every other user/role/group to that has this
security_account permission.


For example, you have a role
SALES that has all the privileges in the
database, and a user
NEW_USER needs all of these, except for
CREATE
TABLE. The following statements take care
of granting the appropriate privileges to the user:


GRANT sales TO new_user GO
DENY CREATE TABLE TO new_user GO


The
DENY statement always takes precedence,
so while having the inherited privileges of the
SALES role, the user
NEW_USER will get an error if s/he ever
attempts to create a table, though other members granted
SALES role will have no problems doing
so.














For identified users, the
IDENTIFIED
BY <password> clause actually creates a local user with this
password if none previously existed; a password needs to be specified when
enabling the role. The
USING [<schema>].[<package>] clause creates an application role (compared
to that in the MS SQL Server), which means that the role can be enabled by that
specific application using authorized package.






Note


Package in Oracle RDBMS is a collection of pre-compiled routines
(usually written in PL/SQL), and residing in RDBMS itself. A user could access
database functionality through procedures and functions defined in the
package.




Using the
EXTERNALLY clause creates an external user
(see OS Security integration sidebar later in the chapter), and the
GLOBALLY clause creates a global user,
authorized by the enterprise directory service.


Here is an example of a role created for
the ACME database with a minimal set of default options:


CREATE ROLE sales_force; Role
created.


Now you can grant privileges to this role
(see
GRANT statement paragraph earlier in this
chapter for more information), and later grant the privileges to everyone who
needs them by assigning those people to the
sales_force role.






Note


You can enable or disable
ROLE for the duration of the current
database session using the
SET
ROLE statement. There might be a limit to
the number of concurrent roles that can be set by the database
administrator.




A custom role can be altered or dropped by
using, respectively, the
ALTER
ROLE or
DROP
ROLE statements.


Any user that accesses the
IBM DB2 UDB database must have a valid OS
account. Once authenticated, the user''s access to the database''s objects is
governed by a system of authorities (roles) and privileges inside the RDBMS.
DB2 does not support user-defined roles. Instead it relies on the system''s
predefined authorities (roles), which a user can be a member of, and on
GROUP, which behave almost the same as
roles that are employed in Oracle or the MS SQL Server 2000.


System authorities (roles) include system
administration (SYSADM), system control (SYSCTRL), system maintenance (SYSMAINT), and database administration (DBADM), listed in
Table
12-9
. Each of these roles implies certain privileges; certain types of
privileges are automatically granted to every user authenticated by the
OS.
























Table 12-9: IBM DB2 UDB System
Authorities



System
Authority




Description




SYSADM




System administration, which
includes all the privileges of all other system authorities as well as the
ability to grant and revoke
DBADM
authority.




SYSCTRL




System control, which includes
privileges to create, update, or drop a database. It does not allow direct
access to the data.




SYSMAINT




System Maintenance, which
enables database maintenance tasks in all databases associated with an
instance, including the authority to modify configure files, and backup and
restore databases.




DBADM




Database administration, which
has all the privileges within a single
database.




A privilege in DB2 UDB is defined as
permission for the authenticated user to access and use database resources such
as tables, views, and stored procedures, which will be discussed in greater
detail later in the chapter.


Most of IBM DB2 UDB privileges — both on
system and object levels — granted to the authorities (Table 12-9) are listed
in
Table
12-6
.






Note


Some privileges for the database objects are not relevant for all
discussed RDBMS. For example, the
PACKAGE object can be found in the DB2
UDB or Oracle database, but is nonexistent in the MS SQL Server.




The highest authority level belongs to
SYSADM, which has full control over all
database objects, as well as the DB2 UDB installation that contains this
database. It defaults to the Administrators Group on Windows NT/2000/XP; on
Unix the initial value is
NULL and defaults to the primary group of
the database instance owner.


The
SYSCTRL and
SYSMAINT roles represent a lower level of
hierarchy, followed by
DBADM. Users that do not belong to any of
these roles are granted privileges on an object-by-object basis. A new group
can be created by
DBADM, and privileges could then be granted
to this group and to users in this group. This is a handy way to administer
privileges for a number of users with similar responsibilities within the
database, and is similar in functionality to the roles in Oracle and the
Microsoft SQL Server.


For the syntax of granting system
authorities, refer to the
GRANT statement section of this
chapter.


On the authentication level, the
MS SQL Server 2000 offers two choices:
Windows OS authentication and mixed authentication modes. The first is usually
rated as the better security provider, because it relies on the more robust
security mechanisms of the operating system, and — for accessing the database
over the network — it does not require sending login information unprotected.
The second offers a more "personal approach" that allows many users to connect
to the same SQL Server without needing to be added to the Windows users group.
Microsoft defines a special system administrator user — usually sa,
which is the default — who is responsible for all administrative
tasks within the MS SQL Server 2000.






Note


The SQL Server 2000 is tightly integrated with Windows OS: no
matter what authentication mode you choose during installation, Windows
authentication mode would always allow you to log on.




Authorization is performed by the SQL
Server itself. All information about the user''s granted permissions is recorded
in the server''s system tables (partially accessible through
INFORMATION_SCHEMA views). Like IBM DB2 UDB
and Oracle, the Microsoft SQL Server enforces security through a hierarchical
system of users implemented via fixed roles and
application roles
(the concept of a role is explained at the
beginning of this chapter).









OS Security Integration


It is important to remember that the
operating system (OS) was there before the first computer database was
invented, and no RDBMS could operate without some kind of OS. Each operating
system comes with its own security mechanisms. All the RDBMS discussed in this
book — to a certain extent — provide security integration with the OS they are
running on. Essentially, it boils down to using operating system accounts and
privileges to access the database, instead of relying on the RDBMS
itself.


The Microsoft SQL Server 2000, for
example, has tight OS-integrated security, which allows users with a valid
Windows account to be authenticated based on their Windows NT/2000/XP
credentials. Instead of supplying user ID and password, the user is able to
access the SQL Server 2000 automatically as soon as s/he logs onto the machine
that runs RDBMS.


Both Oracle 9i and
IBM DB2 UDB extend this functionality to multiple operating systems, and the
details of implementation and usage are just as different as the systems they
integrate with.


DB2 UDB uses an external facility for
user authentication — either the operating system, or a so-called
distributed computing environment (DCE) facility. A user
must have a valid OS account — login and user ID — in order to access the
database.


For regular users to be authenticated
externally, an Oracle database administrator must create a user account
prefixed with a character value from the Oracle initialization parameter
OS_AUTHENT_PREFIX and marked as
AUTHENTICATED
EXTERNALLY. Oracle uses the value of the
parameter
OS_AUTHENT_PREFIX to check whether any of
the users'' names created within the database are prefixed with this value if a
user name does not have this prefix, it will not be allowed to be authenticated
externally. This is only a brief description of the basic mechanism implemented
by Oracle, refer to the vendor''s documentation for more information on this
issue.


For
EXTERNALLY authenticated users that
intend to administer a database, Oracle 9i requires that
two predefined
OSDBA and
OSOPER groups be created on the machine
that is running the operating system, and make these users members of one of
these groups. In addition, the Oracle start-up parameter
REMOTE_LOGIN_PASSWORDFILE has to be set
to one of its valid values.


RDBMS running on some operating systems
(notably, Windows 9x) do not have OS security integration, as the OS itself
does not provide facilities for this.














Fixed server roles provide a server-wide
scope hierarchy where each role is allowed to perform certain activities,
SYSADMIN being on the top, and having
privileges to perform any activity. These roles are listed in
Table
12-10
.




































Table 12-10: Microsoft SQL Server Fixed Server
Roles



Fixed Server
Role




Actions
Allowed




SYSADMIN




Can perform any activity within
the SQL Server (this is the highest privileges level).




SERVERADMIN




Able to startup/shutdown
server, as well as modify server''s configuration.




SETUPADMIN




Able to manage linked servers
and modify startup procedures.




SECURITYADMIN




Manages logins, passwords, and
permissions; is allowed to read error logs.




PROCESSADMIN




Allowed to manage the SQL
Server''s processes.




DBCREATOR




Has permissions to create,
alter, and drop databases.




DISKADMIN




Allowed to manage SQL Server
disk files.




BULKADMIN




Allowed to perform
BULK
INSERT
operations.




A fixed role cannot be altered, and new
fixed server roles cannot be created. You may add new members to a role, or
remove members from the role using SQL Server system-stored procedures, or
through graphical user interface (GUI).


The next level in the SQL Server 2000''s
security hierarchy is fixed database roles, shown in
Table
12-11
. Each database defined within an SQL Server instance has a set of
predefined (fixed) database roles to which any of the database users (logins)
can be added. The scope of these roles is much more limited — they are confined
to the database within which they are declared. As with the fixed server roles,
no permissions can be altered for these roles, but new database roles can be
created (unlike fixed server roles).







































Table 12-11: Microsoft SQL Server Fixed Database
Roles



Fixed Database
Role




Actions
Allowed




DB_OWNER




Members of this group have
permissions to do anything — within the database scope.




DB_ACCESSADMIN




Members of this role can add or
remove users from the database.




DB_SECURITYADMIN




Members of this role manage
security: all the privileges, objects, roles, etc.




DB_DDLADMIN




Members of this role may issue
any DDL statement, but cannot issue
GRANT,
REVOKE, or
DENY
statements.




DB_BACKUPOPERATOR




Members of this role may issue
DBCC,
CHECKPOINT, and
BACKUP
statements.




DB_DATAREADER




Members of this role are
allowed to select all data from any user table in the
database.




DB_DATAWRITER




Members of this role are
allowed to modify any data in any user table in the
database.




DB_DENYDATAREADER




Members of this role are
not allowed to select any data from any user table in the
database.




DB_DENYDATAWRITER




Members of this role are
not allowed to modify any data in any user table in the
database.




Application roles are unique to the SQL
Server 2000 (and Oracle 9i with some specifics). They are
activated only by the application that accesses RDBMS; there are no predefined
application roles. In a way, they just provide another method to manage group
permissions — if users always connect to the database server through some
accounting program, the SQL Server DBA can create a role for that accounting
program and assign all the privileges it needs for normal functioning. When the
SQL Server receives a request from the accounting program, it activates the
role for this application — no sooner, no later. If the application is phased
out and replaced by a new one, all the DBA must do to prevent access from the
previous application is to drop an associated application role.


Application roles contain no members, and
there are no predefined application roles. There is much more to application
roles than described here. If you need to use them, refer to SQL Server (and
Oracle) documentation.






Note


The column level privileges are recorded in the system tables and
can be viewed through the
INFORMATION_SCHEMA view
COLUMN_PRIVILEGES. The
INFORMATION_SCHEMA views are covered in
detail in
Chapter
13
.




As with other RDBMS, permissions
(privileges) can be assigned at the object level, for example, in a table or
stored procedure — all the way down to a column. A column is the smallest
object for which a user may have privilege. In addition to object granularity,
privileges can be differentiated by type —
EXECUTE privilege,
SELECT privilege,
DELETE privilege, and so on, in any
combination. The privileges — both on system and object levels — are discussed
earlier in this chapter.


The SQL Server does not have the
CREATE
ROLE statement; it employs system-stored
procedures instead. The list of some relevant procedures is given in
Table
12-12
.


































Table 12-12: Selected Microsoft SQL Server 2000 Role
Management System-Stored Procedures



sp_addrole
<role
name>,




Creates a new role in the
current database.[<role
owner>]




sp_droprole
<role
name>




Removes a role from the current
database.




sp_addapprole
<role
name>,
<password>




Creates a new application role
in the current database.




sp_setapprole
<role
name>,
[<password>],
[<encryption>]




Activates the permissions
associated with an application role in the current
database.




sp_dropapprole
<role
name>




Removes an application role
from the current database.




sp_addrolemember
<role
name>,
<user
name>




Adds a member to an existing
database role.




sp_droprolemember
<role
name>,
<user
name>




Removes a member from the
existing role.




sp_addsrvrolemember
<role
name>,
<user
name>




Adds a member to an existing
fixed server role.




sp_dropsrvrolemember
<role
name>,
<user
name>




Removes a member from the fixed
server role.







Note


Microsoft provides a number of
sp_ help system-stored procedures to
obtain information on roles — either fixed or user-defined.




/ 207