This document discusses discretionary access control in database systems through granting and revoking privileges at both the account and relational levels. It describes how privileges can be assigned and propagated through accounts, as well as techniques for limiting propagation like horizontal and vertical limits. Key points covered include the use of views to restrict access, revoking privileges to prevent further propagation, and specifying limits on propagation to control privilege spread.

1.  The typical method of enforcing discretionary access control in a database system is based on the
granting and revoking of privileges in the context of a relational Database.
 The main idea is to include statements in the query language that allow the DBA and selected
users to grant and revoke privileges.

2.  The DBMS must provide selective access to each relation in the database based on
specific accounts.
 Operations may also be controlled; thus, having an account does not necessarily entitle
the account holder to all the functionality provided by the DBMS.
LEVELS FOR ASSIGNING PRIVILLEGES
ACCOUNT LEVEL RELATIONAL LEVEL

3. ACCOUNT LEVEL:
 The privileges at the account level apply to the capabilities provided to the account itself and can include
the CREATE SCHEMA or CREATE TABLE privilege,CREATE VIEW privilege, ALTER privilege, DROP privilege,
MODIFY privilege, SELECT privilege ,to retrieve information from the database by using a SELECT query.
 If a certain account does not have the CREATE TABLE privilege, no relations can be created from that
account.
DATABASE
ADMINSTRATOR
ACCOUNT
DATA ANALYST
ACCOUNT
DATA ENTRY
ACCOUNT
DAVELOPER
ACCOUNT

4. RELATIONAL LEVEL:
 the relation level includes base relations and virtual (view) relations. the term relation may refer
either to a base relation or to a view
 Privileges at the relation level specify for each user the individual relations on which each type
of command can be applied. Some privileges also refer to individual columns (attributes) of
relations.
 The granting and revoking of privileges generally follow an authorization model for
discretionary privileges known as the access matrix model, where
 Rows of a matrix M represent subjects (users, accounts, programs) .
 Columns represent objects (relations, records, columns, views, operations).
 Each position M(i, j) in the matrix represents the types of privileges (read, write, update)
that sub- ject i holds on object j.
Table X Table Y Table Z View V
User A R W - R
User B R - U -
User C - - R -
Subjects
Objects

5.  To control the granting and revoking of relation privileges ,each relation R in a database is assigned an
owner account.
 the DBA can assign an owner to a whole schema by creating the schema using the CREATE SCHEMA
command.
 The owner account holder can pass privileges on any of the owned relations to other users by granting
privileges to their accounts. In SQL, the following types of privileges can be granted on each individual
relation R:
 SELECT (retrieval or read) privilege on R.
 Modification privileges on R (UPDATE, DELETE, and INSERT).
 References privilege on R for specifying integrity constraints.

6. REVOKING OF PRIVILEGES:
 In some cases, it is desirable to grant a privilege to a user temporarily.
 For example, the owner of a relation may want to grant the SELECT privilege to a user for a specific
task and then revoke that privilege once the task is completed. Hence, a mechanism for revoking
privileges is needed.
 In SQL, a REVOKE command is included for the purpose of canceling privileges.
PROPAGATION OF PRIVILEGES USING THE GRANT OPTION:
 When the owner A grants a privilege on a relation R to another account B, B can receive the
privilege with or without the ability to grant it to others (GRANT OPTION).
 If B has the GRANT OPTION and grants the privilege to account C, privileges on R can
spread without A's knowledge.
 If A revokes the privilege given to B, all privileges propagated by B should also be
automatically revoked.
 To ensure this, a database management system tracks how privileges were granted, so
revoking privileges can be done correctly and completely. This tracking helps maintain control
and security over the system.

7. OWNER A
ACCOUNT B ACCOUNT C
GRANT P
GRANT P
The access control mechanism ensures that revoking a privilege from an account effectively
revokes any privileges propagated by that account, preventing privileges from being passed on
without the knowledge or authorization of the owner of the resource.
OWNER A
ACCOUNT B ACCOUNT C
REVOKE P
REVOKE P

8. Suppose that the DBA creates four accounts-A1, A2, A3, and A4-and wants only A1 to
be able to create base relations.
GRANT command in SQL:
GRANT CREATETAB TO A1;
Account A1 the capability to create new database tables
(base relations) and is hence an account privilege.
the same effect can be accomplished by having the DBA issue a
CREATESCHEMA command, as follows:
CREATE SCHEMA EXAMPLE AUTHORIZATION A1;
User account A1 can now create tables under the schema called EXAMPLE.

9.  Suppose that A1 creates the two base relations EMPLOYEE and DEPARTMENT.A1 is then the
owner of these two relations and hence has all the relation privileges on each of them.
 A1 is then the owner of these two relations and hence has all the relation privileges on each
of them.
GRANT INSERT, DELETE ON EMPLOYEE, DEPARTMENT TO
A2;
 A1 allowing it to grant privileges on the relation to other accounts.
 However, account A2 cannot grant INSERT and DELETE privileges on the EMPLOYEE and
DEPARTMENT tables because A2 was not given the GRANT OPTION in the preceding command.
 Suppose that At wants to allow account A3 to retrieve information from either of the
two tables and also to be able to propagate the SELECT privilege to other
accounts.A1 issues the following command,
GRANT SELECT ON EMPLOYEE, DEPARTMENT TO A3 WITH GRANT
OPTION;
• A3 can now propagate the privilege to other accounts by using GRANT.

10.  A3 can grant the SELECT privilege on the EMPLOYEE relation to A4.
GRANT SELECT ON EMPLOYEE TO A4;
 A4 cannot propagate the SELECT privilege to other accounts becausethe GRANT OPTION was
not given to A4.
 Now suppose that A1 decides to revoke the SELECT privilege on the EMPLOYEE relation from A3; A1 then
can issue this command:
REVOKE SELECT ON EMPLOYEE FROM A3;
EMPLOYEE
Name Ssn Bdate Address Sex Salary Dno
DEPARTMENT
Dnumber Dname Mgr_ssn

11.  Next, suppose that A1 wants to give back to A3 a limited capability to SELECT from the EMPLOYEE relation
and wants to allow A3 to be able to propagate the privilege.
 The limitation is to retrieve only the Name, Bdate, and Address attributes and only for the tuples with Dno
= 5. A1 then can create the following view:
CREATE VIEW A3 EMPLOYEE AS
SELECT Name, Bdate, Address
FROM EMPLOYEE
WHERE Dno = 5;
 After the view is created. A1 can grant SELECT on the view A3EMPLOYEE to A3 as follows:
GRANT SELECT ON A3EMPLOYEE TO A3 WITH GRANT
OPTION;
 Finally, suppose that A1 wants to allow A4 to update only the Salary attribute ofEMPLOYEE;
A1 can then issue the following command:
GRANT UPDATE ON EMPLOYEE (Salary) TO A4;

12. SPECIFYING LIMITS ON PROPAGATION OF PRIVILEGES:
 HORIZONTAL PROPAGATION: Limit the number of accounts to which a privilege can be granted.
Account B (with GRANT OPTION) can grant the privilege to at most i other accounts.
 VERTICAL PROPAGATION: Limit the depth of granting privileges. Account B (with vertical propagation j)
can grant the privilege to other accounts only with a vertical propagation less than j.
Example: A1 grants SELECT to A2 with horizontal propagation = 1 and vertical
propagation = 2. A2 can grant SELECT to at most 1 account (horizontal limit) and
reduce vertical propagation by 1 when passing the privilege (vertical limit).
OWNER A1
ACCOUNT A2 ACCOUNT C(1) ACCOUNT D(0)
ACCOUNT E(2) ACCOUNT F(1) ACCOUNT G(0)

13.  Horizontal and vertical propagation techniques limit privilege
spread, ensuring depth and breadth control. These techniques are
not currently available in SQL or most relational systems.
UNIVERSITY QUESTIONS:
1. Present an overview of database security.(13M)
2. Explain in detail DB Security.(8m)