Sql ch 15 - sql security
Published in: Education, Technology
SQL – Ch 15 – SQL SECURITY
Prof. Mukesh N. Tekwani [9869 488 356]

15. SQL SECURITY

1. What are the security requirements of a database?

In any multiuser environment, data security is very important. Some of the security requirements of an organization are:

  1. The data in any given table should be accessible to certain users only.
  2. Only authorized users should be allowed to update data in a particular table; others should only be allowed to retrieve data.
  3. For some tables, access should be restricted on a column-by-column basis.
  4. Some users should be denied interactive SQL access to a table but should be allowed to use application programs that update the table.

2. With reference to SQL security, define the following concepts: users, database objects, and privileges.

Users are a main component in the database. Every time the DBMS retrieves, inserts, deletes, or updates data, it does so on behalf of some user. The DBMS permits or prohibits the action depending on which user is making the request.

Database objects are the items to which SQL security protection can be applied. Security is applied to tables, views, forms, application programs, and entire databases. Most users will have permission to use certain database objects but will be prohibited from using others.

Privileges are the actions that a user is permitted to carry out for a given database object. A user may have permission to SELECT and INSERT rows in a certain table, for example, but may be denied permission to DELETE or UPDATE rows of the table. A different user may have a different set of privileges.

3. How is the security scheme established for a database?

The SQL GRANT statement is used to specify which users have which privileges on which database objects. For example, the following GRANT statement lets Sam retrieve and insert data in the OFFICES table.

    GRANT SELECT, INSERT ON OFFICES TO SAM

Here SAM is the user-id, the object is the OFFICES table, and the privileges are SELECT and INSERT.

Take away the privileges granted earlier to Sam Clark.

    REVOKE SELECT, INSERT ON OFFICES FROM SAM

Grant all privileges to SAM.

    GRANT ALL PRIVILEGES ON SALESREPS TO SAM

4. What are the various security objects?

SQL security protections apply to specific objects contained in a database. These are tables, views, domains, and stored procedures.

Privileges: The set of actions that a user can carry out against a database object are called the privileges for the object. The four basic privileges for tables and views are:

  1. The SELECT privilege allows you to retrieve data from a table or view. With this privilege, you can specify the table or view in the FROM clause of a SELECT statement or sub-query.
  2. The INSERT privilege allows you to insert new rows into a table or view. With this privilege, you can specify the table or view in the INTO clause of an INSERT statement.
  3. The DELETE privilege allows you to delete rows of data from a table or view. With this privilege, you can specify the table or view in the FROM clause of a DELETE statement.
  4. The UPDATE privilege allows you to modify rows of data in a table or view. With this privilege, you can specify the table or view as the target table in an UPDATE statement. The UPDATE privilege can be restricted to specific columns of the table or view, allowing updates to these columns but disallowing updates to any other columns.

5. Views and SQL Security

Views also play a key role in SQL security. The DBA can define a view and give a user permission to access the view but not its source tables. This way we can restrict the user's access to only selected columns and rows.

For example, suppose we wanted to enforce this security rule in the sample database: Accounts receivable personnel should be able to retrieve employee numbers, names, and office numbers from the SALESREPS table, but data about sales and quotas should not be available to them.

We can implement this security rule by defining a view as follows:

    CREATE VIEW REPINFO AS
        SELECT EMPL_NUM, NAME, REP_OFFICE
        FROM SALESREPS

6. Queries on Security:

a) Sam must be able to retrieve and insert data in the OFFICES table.

    GRANT SELECT, INSERT ON OFFICES TO SAM

b) Give all users SELECT access to the OFFICES table.

    GRANT SELECT ON OFFICES TO PUBLIC

c) Let order processing users change company names and salesperson assignments.

    GRANT UPDATE (COMPANY, CUST_REP) ON CUSTOMERS TO OPUSER

d) The following query shows how a privilege can be passed by one user to another user.

    GRANT SELECT ON SALESREPS TO JIM

e) Revoke the SALESREPS table insert and update privileges.

    REVOKE INSERT, UPDATE ON SALESREPS FROM OPUSER

f) Take away UPDATE and DELETE privileges for users ARUSER and OPUSER on the OFFICES table.

    REVOKE UPDATE, DELETE ON OFFICES FROM ARUSER, OPUSER

g) Take away all privileges on the OFFICES table from all users.

    REVOKE ALL PRIVILEGES ON OFFICES FROM PUBLIC

h) User SAM wants to grant update and select privileges on the SOFTWARE table to another user GROFF and he wants to let him grant these permissions to other users.

    GRANT SELECT, UPDATE ON SOFTWARE TO GROFF WITH GRANT OPTION
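The REPINFO rule from "Views and SQL Security", carried through to the grant and then checked, as an added example that is not part of the original slides. It assumes PostgreSQL, a scratch database and a superuser session; the column types, the sample rows and the use of ARUSER as the accounts receivable role are constructed for illustration.

```sql
-- Added example (PostgreSQL syntax assumed). Column types and sample rows
-- are constructed; only the table, view and column names come from the text.
CREATE TABLE SALESREPS (
    EMPL_NUM   INTEGER PRIMARY KEY,
    NAME       VARCHAR(30) NOT NULL,
    REP_OFFICE INTEGER,
    QUOTA      NUMERIC(10,2),
    SALES      NUMERIC(10,2)
);
INSERT INTO SALESREPS VALUES
    (105, 'Bill Adams', 13, 350000.00, 367911.00),
    (109, 'Mary Jones', 11, 300000.00, 392725.00);

-- Assumed role for accounts receivable personnel.
CREATE ROLE ARUSER;

-- The view from the text exposes only the three permitted columns.
CREATE VIEW REPINFO AS
    SELECT EMPL_NUM, NAME, REP_OFFICE
    FROM SALESREPS;

-- Grant on the view only; ARUSER receives no privilege on the base table.
GRANT SELECT ON REPINFO TO ARUSER;

-- Check 1: ask the server for ARUSER's effective privilege on each object.
SELECT has_table_privilege('aruser', 'repinfo',   'SELECT') AS can_read_view,
       has_table_privilege('aruser', 'salesreps', 'SELECT') AS can_read_base;

-- Check 2: list every recorded grant on either object (the owner's own
-- privileges are listed too), to spot a stray grant on SALESREPS.
SELECT grantor, grantee, table_name, privilege_type, is_grantable
FROM information_schema.table_privileges
WHERE table_name IN ('repinfo', 'salesreps')
ORDER BY table_name, grantee, privilege_type;

-- Check 3: act as ARUSER and try both paths. Only the view should be
-- readable; the second query is the one the security rule must block.
SET ROLE ARUSER;
SELECT * FROM REPINFO;
SELECT NAME, QUOTA, SALES FROM SALESREPS;
RESET ROLE;
```

This relies on the view running with its owner's privileges, which is PostgreSQL's default; a view created with security_invoker = true would also require grants on SALESREPS and defeat the restriction.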
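Queries d) and h) describe privileges being passed from user to user; the added example below (not from the original slides) follows one such chain, audits it, and then removes it. It assumes PostgreSQL and a superuser session; the SOFTWARE columns and the third role LARRY are constructed for illustration.

```sql
-- Added example (PostgreSQL syntax assumed). SOFTWARE's columns and the
-- role LARRY are constructed; SAM, GROFF and SOFTWARE come from the text.
CREATE TABLE SOFTWARE (
    PRODUCT_ID  INTEGER PRIMARY KEY,
    TITLE       VARCHAR(40),
    LICENSE_KEY VARCHAR(40)
);
CREATE ROLE SAM;
CREATE ROLE GROFF;
CREATE ROLE LARRY;

-- SAM can only run statement h) if SAM himself holds the grant option.
GRANT SELECT, UPDATE ON SOFTWARE TO SAM WITH GRANT OPTION;

-- Statement h), issued by SAM.
SET ROLE SAM;
GRANT SELECT, UPDATE ON SOFTWARE TO GROFF WITH GRANT OPTION;
RESET ROLE;

-- GROFF extends access one hop further, without SAM being involved.
SET ROLE GROFF;
GRANT SELECT ON SOFTWARE TO LARRY;
RESET ROLE;

-- Audit: who granted what to whom, and which grants can spread further
-- (is_grantable = 'YES' marks a grantee who can re-grant).
SELECT grantor, grantee, privilege_type, is_grantable
FROM information_schema.table_privileges
WHERE table_name = 'software'
ORDER BY grantor, grantee, privilege_type;

-- Revoking from GROFF has to deal with the grant GROFF handed to LARRY.
-- CASCADE removes the dependent grant as well; without it PostgreSQL
-- refuses the REVOKE while dependent privileges exist.
SET ROLE SAM;
REVOKE SELECT, UPDATE ON SOFTWARE FROM GROFF CASCADE;
RESET ROLE;

-- Re-run the audit query afterwards to confirm that no grant to GROFF or
-- LARRY remains on SOFTWARE.
```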