College of Arts and Sciences, School of Computing
Advanced Database Design (STID5014), Group (B)
First Group Assignment (Database Authorization)
Prepared for: Dr. Muhamad Shahbani Abu Bakar
Prepared by: Iman Mohsin (813654), Asma Khaazal (813732), Alia Ahmed (813730), Wael Hasan (814522)
DATABASE AUTHORIZATION
Alia Ahmed (813730), Asmaa Khazaal (813732), Iman Mohsin (813654), Wael H. Ali (814522)
UMM, School of Computing
ABSTRACT:
In a DBMS, the term security refers to the protection of the database against unauthorized access, whether intentional or accidental. A multiuser database system must therefore selectively permit users to share data while retaining the ability to restrict access to it. There must be a mechanism that provides protection and security by permitting information to be accessed only by properly authorized users. Further, when tables or restricted views of tables are created and destroyed dynamically, the granting, authentication, and revocation of the authorization to use them must also be dynamic. In current database management systems the ability to grant authorization to perform actions on objects resides either with a central “database administrator” or with the creator of the object. Many of these systems rely on password schemes, which are vulnerable to guessing, and many do not permit data-dependent access control. In this paper we define the term authorization, identify the problems of authorizing users, and describe the mechanisms of authorization in an environment in which more than one user may grant privileges on the same object.
Keywords: Database Security, Database Authorization, Users Authorization, Multi-user DBMS.
1 INTRODUCTION
Database security has become an essential issue in assuring the integrity, protection, and reliability of the data stored in a database management system (DBMS). In a DBMS, the term security refers to the protection of the database against unauthorized access, whether intentional or accidental. A multiuser database system must therefore selectively permit users to share data while retaining the ability to restrict access to it.
There must be a mechanism that provides protection and security by permitting information to be accessed only by properly authorized users. Further, when tables or restricted views of tables are created and destroyed dynamically, the granting, authentication, and revocation of the authorization to use them must also be dynamic. The DBMS must also provide techniques that enable certain users or user groups to access selected portions of a database without gaining access to the rest of it.
The authorization mechanism is the component of the database security system that has primary responsibility for safeguarding the previously defined data and access rules needed for database access control. The data and rules for authorization control assist in enforcing access controls: the list of authorized users, the data objects those users are allowed to manipulate, and the operations they may perform on those objects. This is particularly important when a large integrated database is used by many different users within the same organization. For example, sensitive information such as employee salaries or performance reviews should be kept confidential from most of the database system's users.
A DBMS typically includes a database security and authorization subsystem that is responsible for securing portions of a database against unauthorized access. In current database management systems the ability to grant authorization to perform actions on objects resides either with a central “database administrator” or with the creator of the object. Many of these systems rely on password schemes, which are vulnerable to guessing, and many do not permit data-dependent access control. In this paper we address the problems of dynamically authorizing data-independent and data-dependent operations, and of revoking such authorization, in an environment in which more than one user may grant privileges on the same object.
2 SHORT HISTORY
An important principle for databases is that, in addition to name-based access control, where the protected objects are specified by giving their names, content-based access control has to be supported. Content-based access control allows the system to decide whether to grant or deny access to a data item based on the contents of that item. The development of content-based access control models, which are in general based on the specification of conditions against data contents, was made easy in relational databases by the availability of declarative query languages such as SQL.
In the area of discretionary access control models for relational database systems, an important early contribution was the development of the System access control model, which strongly influenced the access control models of current commercial relational DBMSs. Key features of this model included the notion of decentralized authorization administration, dynamic grant and revoke of authorizations, and the use of views for supporting content-based authorizations. The initial format of the well-known commands for granting and revoking authorizations, which are today part of the SQL standard, was also developed as part of this model.
Later research proposals have extended this basic model with a variety of features, such as negative authorization, role-based and task-based authorization, temporal authorization, and context-aware authorization.
3 REVIEWING ACCESS CONTROL
The idea behind access control is that each database user gets access to a subset of the database, and that subset is what the user can query. The current SQL standard allows coarse-grained access to both database tables and views. For example, we may wish to be able to grant each employee in an organization access to their own record in the employee table. The access control mechanisms of current DBMSs are based on discretionary policies that govern a subject's access to data based on the subject's identity and the authorization rules. These mechanisms are discretionary in that they allow subjects to grant authorizations on the data to other subjects.
The types of control that can be implemented through these mechanisms can be classified as value-independent controls, value-dependent controls, context-dependent controls, and, for statistical databases, statistical controls. Value-independent controls decide whether to grant or deny a user's access request based on the names of the data objects and not on their values. Value-dependent controls decide whether to grant or deny an access request depending on the values of the data objects themselves. Context-dependent controls make use of references to system variables in the predefined access predicate; some of these system variables refer to the time and date, a specific terminal number, or terminal access. Statistical controls add another dimension by allowing the access matrix to contain references to typical statistical operators such as sum and average in addition to the other privileges.
4 AUTHORIZATION MECHANISMS
There are three well-known mechanisms for organizing the database authorization process and controlling users' access. These mechanisms manage users' tasks within the DBMS and their privileges. Below we present each of these mechanisms together with its advantages and disadvantages.
4.1 AUTHORIZATION MATRIX MECHANISM
This mechanism consists of a table in which the rows identify authorized DBMS users and the columns correspond to the data objects that are to be controlled. Access privileges and the specification of the operations allowed on a given data object are assigned by filling in the cell corresponding to a particular user and object. A null entry signifies that a particular data object cannot be accessed by a particular user. Among the operations that can be specified in the matrix are the selection, modification, insertion, and deletion of data objects. These privileges can be assigned either singly or in any combination.
Since owners of files may delegate access privileges to their files through the concept of ownership, the authorization matrix must be modified constantly in order to reflect these changes.
4.2 VIEW CONCEPT MECHANISM
Using views, the database administrator can build views that consist of various combinations of data objects taken from the underlying base tables. Views allow sensitive information to be hidden from unauthorized users by restricting the data they can actually access. Through the view mechanism, the range and scope of the values that a user can see can be specified through an optional access predicate.
The view mechanism for authorization has several drawbacks. Firstly, it does not allow the authorizer to specify the operations that an authorized user can perform on those objects; an additional mechanism has to be set up to complement the view mechanism in order to handle the specification of privileges over the objects. Secondly, it becomes cumbersome when users are to be given different levels of access to different parts of a given relation or base table.
Furthermore, if a record is inserted or modified through a view, the system does not check the record for consistency with the original view definition. In that case, upon retrieval of the data in the view, the corrupted and inconsistent data will never be displayed to the user, since it does not satisfy the view definition of his query. As a result, the data will always be invisible from the user's point of view. The problem is that the inconsistent data goes undetected and still remains in the underlying table.
In spite of these disadvantages, this mechanism also has advantages over the other mechanisms. The view mechanism is not prone to the dynamic changes in authorization state under the circumstances outlined before. Since the creation of views is based on the definition of the underlying base tables, and the views are designed and their authorization determined by the database administrator, the possibility of users creating new views, deleting views, or modifying views is reduced. Views are also static in nature once they are defined, which helps eliminate constant and dynamic changes in the authorization rules and data. Although changes may at times call for changes in the authorization data and the corresponding rules, these changes can be made by the DBA. As a result, the need for immediate updates can be reduced significantly.
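The insert-through-a-view problem described above, and the check that closes it, as an added example using Python's sqlite3 module (this is not code from the paper). SQLite views are read-only and SQLite has no WITH CHECK OPTION, so a constructed INSTEAD OF trigger stands in for an updatable view and an optional RAISE guard stands in for the check; the EMPLOYEE rows and the dept10 view are constructed for this example.

```python
import sqlite3

# Constructed sample rows for an EMPLOYEE relation: id, name, dept, salary
EMPLOYEES = [(1, "Ann", 10, 5200), (2, "Bob", 10, 4800), (3, "Cid", 20, 6100)]


def build_db(check_option):
    """Base table plus a view exposing department 10 without salaries.

    check_option=False reproduces the drawback of Section 4.2: a row inserted
    through the view is never checked against the view predicate, so it is
    stored but stays invisible through the view. check_option=True makes the
    trigger reject such rows, the effect of the SQL standard's WITH CHECK
    OPTION, which SQLite does not implement."""
    guard = ("SELECT RAISE(ABORT, 'row does not satisfy view predicate') "
             "WHERE NEW.dept <> 10;" if check_option else "")
    con = sqlite3.connect(":memory:")
    con.executescript(f"""
        CREATE TABLE employee(id INTEGER PRIMARY KEY, name TEXT,
                              dept INTEGER NOT NULL, salary INTEGER);
        CREATE VIEW dept10 AS SELECT id, name, dept FROM employee WHERE dept = 10;
        -- SQLite views are read-only, so an INSTEAD OF trigger routes inserts
        -- on the view into the base table (users would be granted the view only).
        CREATE TRIGGER dept10_insert INSTEAD OF INSERT ON dept10
        BEGIN
            {guard}
            INSERT INTO employee(id, name, dept) VALUES (NEW.id, NEW.name, NEW.dept);
        END;
    """)
    con.executemany("INSERT INTO employee VALUES (?, ?, ?, ?)", EMPLOYEES)
    return con


def insert_through_view(con, row):
    """Insert (id, name, dept) via the view; return (visible_in_view, stored_in_base)."""
    try:
        with con:
            con.execute("INSERT INTO dept10(id, name, dept) VALUES (?, ?, ?)", row)
    except sqlite3.DatabaseError:
        pass   # rejected by the check-option guard; nothing was stored
    count = "SELECT COUNT(*) FROM {} WHERE id = ?"
    visible = con.execute(count.format("dept10"), (row[0],)).fetchone()[0]
    stored = con.execute(count.format("employee"), (row[0],)).fetchone()[0]
    return bool(visible), bool(stored)
```

Without the guard a department-20 row inserted through dept10 is stored yet invisible through the view; with the guard the same insert is rejected and the base table stays consistent with the view definition.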
4.3 CLASSIFICATION LEVELS MECHANISM
This mechanism uses the idea of attaching a classification level to data objects and establishing clearance levels for DBMS users. Within the classification levels, additional caveats can be employed to restrict authorization and access even further. This type of environment is used in military installations, where huge amounts of information are handled and processed constantly. In this type of environment two rules are used in the authorization process. They are commonly known as the simple property and the confinement property, the latter also known as the star property.
These properties stipulate that no subject has read access to a given object whose classification level is greater than the security clearance of the subject; that no subject has append access to an object whose security level is not at least the current security level of the subject; that no subject has read-write access to an object whose security level is not equal to the current security level of the subject; and that no subject has read access to an object whose security level is not at most the current security level of the subject.
The importance of the simple property is that it not only assists in authorization control but also forces additional controls on authorized users. This added control assists in resolving the problem of the flow of information.
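The four rules above, as an added example in Python (not code from the paper): a label carries a classification level plus caveats and labels are ordered by a dominance relation, so each access mode can be checked against a subject's clearance and current level. The level hierarchy, the caveat names and the subject are constructed for this example.

```python
from dataclasses import dataclass

# Constructed classification hierarchy; a higher number is more sensitive.
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass(frozen=True)
class Label:
    """A classification level plus optional caveats (compartments) that
    restrict access further, as Section 4.3 describes."""
    level: str
    caveats: frozenset = frozenset()

    def dominates(self, other):
        """Lattice order: at least as high a level and at least the same caveats."""
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.caveats >= other.caveats)


@dataclass(frozen=True)
class Subject:
    name: str
    clearance: Label   # the highest label the subject may ever read
    current: Label     # the label the subject is operating at right now

    def __post_init__(self):
        if not self.clearance.dominates(self.current):
            raise ValueError("current level may not exceed clearance")


def may_read(subject, obj):
    # Rules 1 and 4: the object must be at most the clearance AND at most the
    # current level of the subject (no read up).
    return subject.clearance.dominates(obj) and subject.current.dominates(obj)


def may_append(subject, obj):
    # Rule 2: append only to objects at least as high as the current level, so
    # information never flows down; a subject may append to files it cannot read.
    return obj.dominates(subject.current)


def may_read_write(subject, obj):
    # Rule 3: read-write only at exactly the current level.
    return obj == subject.current


def permitted_modes(subject, obj):
    """The set of access modes the two properties allow for this subject/object."""
    rules = {"read": may_read, "append": may_append, "read-write": may_read_write}
    return {mode for mode, rule in rules.items() if rule(subject, obj)}
```

An analyst cleared to SECRET with the NATO caveat but working at CONFIDENTIAL can read UNCLASSIFIED and CONFIDENTIAL objects, can only append to SECRET or TOP SECRET ones, and has read-write access only at CONFIDENTIAL.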
5 AUTHORIZATION IN SQL: THE GRANT COMMAND
Consider a system that has no central database administrator in the usual sense of the term. Any database user may be authorized to create a new table, and when a user does so, that user is fully and solely authorized to perform actions upon it. If he wishes to share his table with other users he may use the GRANT command of the SQL language to give various privileges on that table to various users. Typically a table creator grants a selected set of other users access to his table immediately after he has created it, or when he passes that table as a parameter to routines performed by other users. Among the privileges that may be granted on a table are:
The GRANT command of SQL has the form:

    GRANT { ALL RIGHTS | <privileges> | ALL BUT <privileges> }
          ON (table) TO (user-list) [WITH GRANT OPTION]
The grantor may grant all privileges on a table; alternatively, he may grant a specific set of privileges, or all privileges except those named. (user-list) is the USERID of the grantee, or a list of such grantees. It may also be the keyword PUBLIC, in which case all database users are granted the privileges on that table. The user may grant a set of privileges WITH GRANT OPTION, which permits the grantee to further grant his acquired rights to other users. For example, let A be the creator of the EMPLOYEE relation and assume that he issues the command:
    GRANT READ, INSERT ON EMPLOYEE TO B
Any user who has granted a privilege may subsequently withdraw it by issuing the REVOKE command, which has the form:

    REVOKE { ALL RIGHTS | (privileges) } ON (table) FROM (user-list)
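Added example, not code from the paper: the authorization matrix of Section 4.1 implemented as a set of grant records that follow the GRANT/REVOKE semantics of this section. Each record keeps its grantor so that REVOKE can cascade, dropping grants that can no longer be traced back to the table's creator (the SQL standard's treatment of abandoned privileges under REVOKE ... CASCADE); the users A, B and C and the EMPLOYEE table follow the paper's scenario, and the class and method names are this example's own.

```python
from collections import namedtuple

# One matrix cell entry: who granted which privilege on which table to whom,
# and whether the grantee may pass it on (WITH GRANT OPTION).
Grant = namedtuple("Grant", "grantor grantee table privilege grant_option")


class AuthorizationMatrix:
    def __init__(self):
        self.owners = {}     # table -> creator, who is fully authorized (Sec. 5)
        self.grants = set()

    def create_table(self, user, table):
        self.owners[table] = user

    def _holds(self, user, table, priv, with_option):
        return self.owners.get(table) == user or any(
            g.grantee == user and g.table == table and g.privilege == priv
            and (g.grant_option or not with_option) for g in self.grants)

    def check(self, user, table, priv):
        """Value-independent control: decided by the object's name, not values."""
        return self._holds(user, table, priv, with_option=False)

    def grant(self, grantor, privs, table, grantees, grant_option=False):
        for priv in privs:
            if not self._holds(grantor, table, priv, with_option=True):
                raise PermissionError(f"{grantor} cannot grant {priv} on {table}")
            for grantee in grantees:
                self.grants.add(Grant(grantor, grantee, table, priv, grant_option))

    def revoke(self, grantor, privs, table, grantees):
        """Withdraw the grantor's own grants, then drop grants no longer traceable to the owner."""
        self.grants = {g for g in self.grants if not (
            g.grantor == grantor and g.table == table
            and g.privilege in privs and g.grantee in grantees)}
        supported = set()
        while True:                      # least fixpoint over the grant graph
            new = {g for g in self.grants - supported
                   if self.owners.get(g.table) == g.grantor
                   or any(s.grantee == g.grantor and s.table == g.table
                          and s.privilege == g.privilege and s.grant_option
                          for s in supported)}
            if not new:
                break
            supported |= new
        self.grants = supported


def example_matrix():
    """The paper's scenario: A creates EMPLOYEE, grants READ, INSERT to B with
    grant option, and B passes READ on to C."""
    m = AuthorizationMatrix()
    m.create_table("A", "EMPLOYEE")
    m.grant("A", ["READ", "INSERT"], "EMPLOYEE", ["B"], grant_option=True)
    m.grant("B", ["READ"], "EMPLOYEE", ["C"])   # C's READ exists only via B
    return m
```

When A revokes READ from B, C's READ disappears as well because it was derived solely from B's grant, while B's INSERT, granted directly by the owner, survives.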
6 DISTRIBUTED DATABASE AUTHORIZATION
A distributed database is a collection of data that is distributed over a computer network. Processing a query usually requires multiple accesses to geographically separated databases. There are two types of distributed database authorization control: centralized and decentralized.
6.1 CENTRALIZED AUTHORIZATION CONTROL
In a distributed database system an authorization mechanism can be set up around the concepts of local views and global views. Local views designate the data fragments that can be seen by users at their own node, while global views designate the data fragments that users can access and manipulate which do not reside at the local node. The concept of local views allows sensitive data to be hidden at the level of the local database. The concept of global views, on the other hand, can be implemented in a distributed environment to control the authorization of access privileges over data fragments dispersed over different nodes. Together with the GRANT and REVOKE mechanism, local and global views can be tailored to control the spread of privileges that involve data manipulation operations.
The system dictionary contains all the information and data required by the authorization mechanism. The contents of the dictionary must also be controlled to avoid unauthorized tampering with the authorization matrix and other security-related information. Access to the system dictionary must be limited to the DBA. Any change to the dictionary must be logged by the DBMS like any other transaction, and the log itself must be secured so that its contents are preserved for those who are privileged to see it.
In a distributed database, centralized authorization control has a number of disadvantages. Firstly, if the system dictionary is not stored redundantly at several of the nodes comprising the system, there is a danger that this data might be lost, or would have to be reconstructed from an archived version of the dictionary, if the files comprising the dictionary were corrupted, lost, or otherwise rendered unreliable. Another drawback is that if there is a failure at the central site, the other nodes cannot have their authorization requests fulfilled, which means that their operations are hampered, since they cannot proceed with any transaction processing that is awaiting authorization confirmation.
6.2 DECENTRALIZED AUTHORIZATION CONTROL
In decentralized authorization control, an individual or a group can be designated as the authorization authority for one particular site in the network. Local database administrators may be appointed to oversee the operations at each local site. Each local site database administrator is then directly responsible to the chief DBA at the central organization. This allows the implementation of authorization mechanisms that serve the goals of the local organization while meeting the overall objectives of the parent organization. In other words, each individual site can implement an authorization mechanism tailored to its own needs, as long as it provides the same level and consistency of security as predefined in the organizational security policy.