system), your database needs to support row-level security, as described in
the next section.
6.2 Use row-level security (fine-grained privileges/access control)
Let's continue with the topic of using the application user to implement
better database access control, this time within the database engine. One
of the advanced security features available in many databases is row-level
security. The vendors use various names for it: Oracle calls it Virtual
Private Database (VPD) or Fine-Grained Access Control (FGAC). DB2 currently
supports it only on z/OS (i.e., the mainframe) and calls it Multi-Level
Security (MLS). SQL Server supports it only starting with SQL Server 2005
and calls it Fine-Grained Privileges. Sybase ASE also calls it Fine-Grained
Access Control, a feature introduced in ASE 12.5. These options are not
fully equivalent in functionality, but in all cases they let you restrict
which rows a given user or session may see or change, rather than granting
or denying access to a table as a whole. Row-level security is generally
the right tool when you need fine-grained access control, so it is a good
technique to know. Furthermore, some of these databases let you use the
feature to implement application user-based access control, so it fits
right in with the topic of this chapter.
Let's start by looking at DB2's MLS and then move on to Oracle's VPD.
After reviewing VPD, you'll complete the example started in the previous
section using Oracle's application context mechanism and see how to use
VPD/FGAC to implement application user-based access control within the
database. Even if your environment is neither DB2 nor Oracle, you should
understand these concepts; they will probably be relevant to your
environment either today or in the near future.
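To make the Oracle side of this concrete before turning to DB2, here is a sketch, in Oracle SQL and PL/SQL, of a VPD policy whose predicate is driven by an application context set on behalf of the application user. This is an added example, not code from the book or from Oracle's documentation; the schema APP, the table ORDERS with its OWNER_ID column, the context APP_CTX, the package APP_CTX_PKG, the policy function ORDERS_POLICY and the policy name ORDERS_OWNER_POLICY are all assumed names chosen for illustration.

```sql
-- Added example (not from the book). Assumed names: schema APP, table
-- APP.ORDERS, context APP_CTX, package APP.APP_CTX_PKG, policy function
-- APP.ORDERS_POLICY, policy ORDERS_OWNER_POLICY.

-- 1. A table whose rows belong to individual application users.
CREATE TABLE app.orders (
  order_id  NUMBER PRIMARY KEY,
  owner_id  VARCHAR2(30) NOT NULL,  -- application user who owns the row
  amount    NUMBER
);

-- 2. An application context that only the trusted package may set.
--    Oracle enforces that DBMS_SESSION.SET_CONTEXT for APP_CTX is called
--    from inside APP.APP_CTX_PKG, so a client cannot set the attribute
--    directly and impersonate another application user.
CREATE OR REPLACE CONTEXT app_ctx USING app.app_ctx_pkg;

CREATE OR REPLACE PACKAGE app.app_ctx_pkg AS
  PROCEDURE set_app_user(p_user IN VARCHAR2);
END app_ctx_pkg;
/

CREATE OR REPLACE PACKAGE BODY app.app_ctx_pkg AS
  PROCEDURE set_app_user(p_user IN VARCHAR2) IS
  BEGIN
    -- In a real deployment the middle tier proves who the application
    -- user is before calling this; here we simply record the name.
    DBMS_SESSION.SET_CONTEXT('app_ctx', 'app_user', p_user);
  END set_app_user;
END app_ctx_pkg;
/

-- 3. The policy function. Oracle calls it with the schema and object name
--    and appends the returned string as a WHERE predicate to each statement
--    the policy covers. If no application user has been set, deny every
--    row (1=0) instead of silently returning the whole table.
CREATE OR REPLACE FUNCTION app.orders_policy(
  p_schema IN VARCHAR2,
  p_object IN VARCHAR2
) RETURN VARCHAR2 AS
BEGIN
  IF SYS_CONTEXT('app_ctx', 'app_user') IS NULL THEN
    RETURN '1=0';
  END IF;
  -- Reference the context inside the predicate rather than concatenating
  -- its value: the predicate text stays constant, and the user-supplied
  -- name is never interpolated into SQL text.
  RETURN 'owner_id = SYS_CONTEXT(''app_ctx'', ''app_user'')';
END orders_policy;
/

-- 4. Attach the policy for reads and writes. update_check => TRUE makes
--    INSERT/UPDATE re-check the predicate against the new row, so a user
--    cannot re-assign a row to someone else or insert rows for others.
BEGIN
  DBMS_RLS.ADD_POLICY(
    object_schema   => 'APP',
    object_name     => 'ORDERS',
    policy_name     => 'ORDERS_OWNER_POLICY',
    function_schema => 'APP',
    policy_function => 'ORDERS_POLICY',
    statement_types => 'SELECT, INSERT, UPDATE, DELETE',
    update_check    => TRUE);
END;
/

-- 5. Usage from the single database account a connection pool shares:
BEGIN app.app_ctx_pkg.set_app_user('alice'); END;
/
SELECT * FROM app.orders;   -- only rows with owner_id = 'alice'
BEGIN app.app_ctx_pkg.set_app_user('bob'); END;
/
SELECT * FROM app.orders;   -- only Bob's rows, same database login
```

Two caveats a practitioner should keep in mind: the policy is enforced for every database user except SYS and users holding the EXEMPT ACCESS POLICY privilege, so that privilege must be granted as sparingly as any DBA right; and the context attribute is per session, so with a connection pool the middle tier has to set it on every checkout (and clear it or reset the session on check-in), otherwise one application user can inherit the previous user's predicate.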
DB2 UDB 8 Multi-Level Security (MLS) is available for z/OS V1R5
systems and is based on the Resource Access Control Facility (RACF),
specifically on RACF's SECLABEL (security label) feature: each row carries
a security label, and RACF compares that label with the label of the user
issuing the statement to decide whether the row may be read or changed.
For non-IBMers, z/OS is the mainframe operating system. For those of us
who are not mainframe people, here is a two-minute review of RACF.
RACF was originally developed by IBM in 1976 and is still used to manage
security within mainframes. It has evolved and been greatly enhanced over
the years, and has even been moved off the mainframe to other environments.
RACF manages user authentication, data access authorization, journaling
(audit logging), DES encryption, and many other security features. IBM
mainframes are arguably the most secure computing environments out there,
and a lot of that is due to RACF.