information to implement granular access control. In learning about granular access control, you will also see some fairly advanced options that have emerged from security-conscious environments, such as federal agencies. Finally, you will get an overview of some advanced integration topics that you may encounter in large enterprises, including the integration with LDAP repositories and identity management tools.
6.1 Align user models by communicating application user information
The application user model will always be “broader” than the database user model. Applications can support hundreds of users, and sometimes thousands or even millions of users; the database will not have that many users—at least not natively. However, you can easily “project” the application user into the database. At the most basic level, all you need to do is agree on a database call that will carry this information (i.e., on an agreed-upon communication pattern that both the application and the database can understand). You can do this using any procedure or any query, so long as both the application owner and the database security owner agree to it.
All the application needs to do is communicate the user information within the database session (over the database connection). More specifically, you only need to make an additional SQL call within that database session and communicate the user information as a data value within that SQL. This is usually done by calling a database procedure and passing the application user identifier as an argument to the procedure. If the database engine is responsible for fine-grained access control, then it can associate the username it received through the procedure call or the query with the database login that was used to initiate the connection (and which tags this session). Section 6.2 will show you how database engine-based fine-grained access control is accomplished based on this value that is communicated from the application layer.

Although you will see a database-centric approach in Section 6.2, not all databases support granular access control within the database. Additionally, sometimes it will not be practical to do this at the database level—either because the schema cannot be changed or because the environment cannot afford to go through a change. Luckily, communicating the application user credentials within the session also works well when using an external security system. Furthermore, using an external system is always possible, does not require changing the database environment, and
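The projection pattern described above, worked through as an added example that is not part of the book's text: one shared database login serves several application users, the application makes one extra, agreed-upon call per session to hand over its user identifier as a bound data value, and the database side restricts rows based on that value. SQLite has no stored procedures, so the per-session context that a real engine would keep behind a vendor-provided procedure is emulated here with a per-connection TEMP table; the schema, sample rows and the function names set_app_user, clear_app_user, current_app_user, list_accounts and withdraw are all constructed for this illustration.

```python
import sqlite3

# Constructed sample data: one shared database login serves several
# application users; ownership is recorded per row.
SAMPLE_ACCOUNTS = [(1, "alice", 100), (2, "bob", 250), (3, "alice", 40)]

# Emulation of the agreed-upon communication pattern. SQLite has no stored
# procedures, so a TEMP table (private to this connection, i.e. to this
# database session) stands in for the session context a real engine would
# populate through its own procedure call.
SCHEMA = """
CREATE TABLE accounts (
    id      INTEGER PRIMARY KEY,
    owner   TEXT    NOT NULL,
    balance INTEGER NOT NULL
);
CREATE TEMP TABLE session_context (key TEXT PRIMARY KEY, value TEXT NOT NULL);
-- Database-side filter: the view only exposes rows owned by the projected
-- application user. With no user set, the subquery yields NULL, the
-- comparison is never true, and an uninitialised session sees nothing.
CREATE TEMP VIEW my_accounts AS
    SELECT id, balance FROM accounts
    WHERE owner = (SELECT value FROM session_context WHERE key = 'app_user');
"""


def open_shared_connection():
    """Open one database session under the single shared database login."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO accounts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    conn.commit()
    return conn


def set_app_user(conn, app_user):
    """The extra SQL call the application makes once per session. The user
    identifier travels as a bound parameter, never spliced into the SQL text."""
    conn.execute(
        "INSERT OR REPLACE INTO session_context (key, value) VALUES ('app_user', ?)",
        (app_user,),
    )
    conn.commit()


def clear_app_user(conn):
    """Forget the projected user. Call this before returning a pooled
    connection so the next request does not inherit someone else's identity."""
    conn.execute("DELETE FROM session_context WHERE key = 'app_user'")
    conn.commit()


def current_app_user(conn):
    """Read back what this session currently knows about the application user."""
    row = conn.execute(
        "SELECT value FROM session_context WHERE key = 'app_user'"
    ).fetchone()
    return row[0] if row else None


def list_accounts(conn):
    """Read through the filtering view: the engine, not the caller, applies
    the per-user restriction."""
    return conn.execute("SELECT id, balance FROM my_accounts ORDER BY id").fetchall()


def withdraw(conn, account_id, amount):
    """Update only rows visible through the view; True if exactly one row changed."""
    cur = conn.execute(
        "UPDATE accounts SET balance = balance - ? "
        "WHERE id = ? AND id IN (SELECT id FROM my_accounts)",
        (amount, account_id),
    )
    conn.commit()
    return cur.rowcount == 1


if __name__ == "__main__":
    conn = open_shared_connection()
    set_app_user(conn, "alice")
    print(list_accounts(conn))
    clear_app_user(conn)
```

Two points the paragraph does not spell out are visible in the behaviour: a session in which no application user has been communicated returns nothing rather than everything, and the context is tied to the session, so a second connection under the same database login starts empty. With connection pooling, clearing the projected user when a connection is handed back is what keeps those two properties true.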