• A data warehouse by nature is an open, accessible system.
• Aim: make large amounts of data easily accessible to the users.
• Any security restrictions, seen as obstacles to that goal, become constraints on the design of the data warehouse.
• This is not to say that security is not important; on the contrary, security is paramount to ensuring that the data itself remains clean, consistent and integral.
• It is important to establish early any security and audit requirements that will be placed on the data warehouse.
• Clearly, adding security will affect the performance and design of the data warehouse.
• Security can affect many different parts of the data warehouse, such as:
    • User access
    • Data load
    • Data movement
    • Query generation
• Data classification
    • Based on sensitivity
    • Based on role or job function
• User classification
    • Based on department, section, group etc. (user access hierarchy)
    • Based on their role (role access hierarchy)
[Figure: Data warehouse Inc. with Sales and Marketing departments; roles Snr Analyst, Analyst and Administrator; data labels include reference data, summarized sales data and detailed sales data, plus Aggregation, Database and Admin.]
[Figure: data warehouse with a Sales data mart and a Marketing data mart, each with its own users.]
[Figure: Data warehouse Inc. with Sales and Marketing departments; roles Snr Analyst, Analyst and Administrator; data labels: detailed sales data, reference data, summarized sales data, customer data.]
    -- Unrestricted query over last quarter's transactions
    SELECT customer, account_number, SUM(value), COUNT(transaction_id)
    FROM txn_last_quarter
    WHERE transaction_date BETWEEN '01-jun-96' AND '30-jun-96'
    GROUP BY customer, account_number

Restricting users by using views:

    -- Same query exposed as a view that hides one account
    CREATE VIEW sales_lq AS
    SELECT customer, account_number, SUM(value), COUNT(transaction_id)
    FROM txn_last_quarter
    WHERE transaction_date BETWEEN '01-jun-96' AND '30-jun-96'
      AND account_id <> 123456789
    GROUP BY customer, account_number
    -- Hiding a second account: both exclusions must hold, so they are joined
    -- with AND (with OR the test is true for every row)
    CREATE VIEW sales_lq AS
    SELECT customer, account_number, SUM(value), COUNT(transaction_id)
    FROM txn_last_quarter
    WHERE transaction_date BETWEEN '01-jun-96' AND '30-jun-96'
      AND account_id <> 123456789
      AND account_id <> 234567891
    GROUP BY customer, account_number

• Where possible, avoid the use of views to enforce data access restrictions. They can rapidly become a nightmare to maintain.
• Using multiple tables instead of views also creates duplication and overheads.
• Create a dummy field in its position, or nullify it for the user.
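Extending a view's exclusion list is where this kind of restriction tends to break: two `<>` tests joined with OR are true for every row, and because OR binds more loosely than AND the date filter is bypassed too. The following is an added example, not part of the original slides, that runs a leak check against both forms using Python's sqlite3; the sample rows, the ISO date format, the view names `sales_lq_or` / `sales_lq_not_in` and the helper `leaked_accounts` are assumptions made for illustration.

```python
import sqlite3

RESTRICTED = (123456789, 234567891)  # account ids taken from the slides

# Constructed sample rows: customer, account_id, transaction_id, value, date
ROWS = [
    ("acme", 123456789, 1, 100.0, "1996-06-03"),
    ("bolt", 234567891, 2, 75.0, "1996-06-11"),
    ("cord", 345678912, 3, 20.0, "1996-06-15"),
    ("cord", 345678912, 4, 30.0, "1996-05-30"),  # outside the June window
]

VIEW_SQL = """
CREATE VIEW {name} AS
SELECT customer, account_id, SUM(value) AS total, COUNT(transaction_id) AS txns
FROM txn_last_quarter
WHERE transaction_date BETWEEN '1996-06-01' AND '1996-06-30'
  AND {restriction}
GROUP BY customer, account_id
"""

RESTRICTIONS = {
    # True for any single account_id; OR also binds looser than AND,
    # so rows outside the date window come back as well.
    "sales_lq_or": "account_id <> 123456789 OR account_id <> 234567891",
    # Both exclusions must hold.
    "sales_lq_not_in": "account_id NOT IN (123456789, 234567891)",
}

def build():
    """Create an in-memory database with the table and both views."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE txn_last_quarter (customer TEXT, account_id INTEGER,"
                 " transaction_id INTEGER, value REAL, transaction_date TEXT)")
    conn.executemany("INSERT INTO txn_last_quarter VALUES (?,?,?,?,?)", ROWS)
    for name, restriction in RESTRICTIONS.items():
        conn.execute(VIEW_SQL.format(name=name, restriction=restriction))
    return conn

def leaked_accounts(conn, view):
    """Return restricted account ids that are still visible through the view."""
    marks = ",".join("?" * len(RESTRICTED))
    cur = conn.execute(
        f"SELECT account_id FROM {view} WHERE account_id IN ({marks}) ORDER BY 1",
        RESTRICTED)
    return [row[0] for row in cur]

if __name__ == "__main__":
    conn = build()
    for view in RESTRICTIONS:
        print(view, "leaks:", leaked_accounts(conn, view))
```

Running a check like this after every change to a restricting view catches the error before users query it.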
• Legal Requirements
    The design team will require some analysts with knowledge and experience of the business area.
• Audit Requirements
    • connections
    • disconnections
    • data access
    • data change
    Understand the reasons for each audit requirement. Only implement those that are genuinely required for local, company and security reasons.
• Network Requirements
    When doing the security requirements capture, it is important not to overlook issues such as network security.
    • Is encryption of data needed?
    • Which network routes can the data take?
• Data Movement
    • Where is the flat file stored?
    • Who has access to that disk space?
    • Do you back up encrypted or decrypted versions?
    • Do these backups need special tapes to store them?
    • Who has access to these tapes?
    • Where is that temporary table to be held?
    • How do we make such tables visible?
• Documentation
    It is probably better to document all the restrictions as part of a separate data warehouse security policy document.
    • Data classifications
    • User classifications
    • Network requirements
    • Data movement and storage requirements
    • All auditable actions
• High Security Environments
    • Trusted RDBMS
        • A trusted RDBMS will generally run on a trusted operating system.
    • Covert channels
        • Avoid creating covert channels that inadvertently make information about data available.
        • Covert channels are not typically a problem, as the majority of data warehouses do not require such a high level of security.
• Views
    Some of the common restrictions that may apply to the handling of views are:
    • restricted Data Manipulation Language (DML) operations
    • lost query optimization paths
    • restrictions on parallel processing of view projections
• Data Movement
    Different ways in which bulk data movement can occur:
    • data loads
    • aggregation creation
    • results temporary tables
    • data extracts
• AUDITING
• APPLICATION DEVELOPMENT
    Extra security code may be needed for each of the process managers:
    • load manager
    • warehouse manager
    • query manager
• Database Design
    If a table has three indexes, three constraints, and five views on it, each copy of the table will probably add not just the copy but 11 other objects to the database as well.
• Testing
    Further security additions will increase the complexity of the programme, cause an increase in errors during the testing phase and also additional added functionality to be