DATABASE SECURITY - Database Design and Development: An Essential Guide for IT Professionals

Database Reference

In-Depth Information

Department

Employee

PRIVILEGE

Record

Read

Update

Insert

Delete

Y

N

Y

N

Y

N

Authorization Rule

Subject: Samantha Jenkins

Samantha Jenkins

(password JNK271)

Will Rogers

(password WRG346)

PRIVILEGE

Read

Update

Insert

Delete

Y

N

Y

N

Y

N

Authorization Rule

Object: Employee Record

Figure 16-6

Implementation of authorization rules.

rization table for either subjects or users. On the other hand, an authorization table

for objects can also do the job. A DBMS may implement authorization rules through

either of the two tables or both.

Figure 16-6 presents both options for implementing authorization rules. Note

how you can derive the same rule authorizing Samantha Jenkins to access the

EMPLOYEE table with read and insert privileges.

Enforcing Authorization Rules We have authorization rules in an authorization

matrix or in the form of authorization tables for users or objects. How are the rules

enforced by the DBMS? A highly protected privilege module with unconstrained

access to the entire database exists to enforce the authorization rules. This is the

arbiter or security enforcer module, although it might not go by those names in

every DBMS. The primary function of the arbiter is to interrupt and examine every

database operation, check against the authorization matrix, and either allow or deny

the operation.

The arbiter module goes through a sequence of interrogations to determine the

action to be taken about an operation. Figure 16-7 provides a sample interrogation

list.

Suppose after going through the interrogation sequence, the arbiter has to deny

a database operation. What are the possible courses of action? Naturally, the

particular course of action to be adopted depends on a number of factors and the

circumstances. Here are some basic options provided in DBMSs:

• If the sensitivity of the attempted violation is high, terminate the transaction

and lock the workstation.

• For lesser violations, send appropriate message to user.

• Record attempted security breaches in the log file.

Database Design and Development: An Essential Guide for IT Professionals

Search WWH ::

Custom Search

Home