Chapter 6: Integrity and Chapter 6: Integrity and SecuritySecurity

Domain Constraints Domain Constraints Referential IntegrityReferential Integrity AssertionsAssertions TriggersTriggers SecuritySecurity Authorization Authorization Authorization in SQLAuthorization in SQL

Domain ConstraintsDomain Constraints

Integrity constraints guard against Integrity constraints guard against accidental damage to the database, by accidental damage to the database, by ensuring that authorized changes to the ensuring that authorized changes to the database do not result in a loss of data database do not result in a loss of data consistency. consistency.

Domain constraintsDomain constraints are the most are the most elementary form of integrity constraint.elementary form of integrity constraint.

They test values inserted in the database, They test values inserted in the database, and test queries to ensure that the and test queries to ensure that the comparisons make sense. comparisons make sense.

New domains can be created from existing New domains can be created from existing data typesdata types E.g. E.g. create domaincreate domain DollarsDollars numericnumeric(12, 2)(12, 2)

create domaincreate domain PoundsPounds numericnumeric(12,2)(12,2) We cannot assign or compare a value of We cannot assign or compare a value of

type Dollars to a value of type Pounds. type Dollars to a value of type Pounds. However, we can convert type as belowHowever, we can convert type as below

( (castcast rr..AA asas PoundsPounds) ) (Should also multiply by the dollar-to-pound (Should also multiply by the dollar-to-pound conversion-rate)conversion-rate)

Domain ConstraintsDomain Constraints The The checkcheck clause in SQL-92 permits clause in SQL-92 permits

domains to be restricted:domains to be restricted: Use Use checkcheck clause to ensure that an hourly-wage clause to ensure that an hourly-wage

domain allows only values greater than a domain allows only values greater than a specified value.specified value.

create domaincreate domain hourly-wage hourly-wage numeric(5,2)numeric(5,2)constraintconstraint value-test value-test checkcheck((value value > = 4.00)> = 4.00)

The domain has a constraint that ensures that The domain has a constraint that ensures that the hourly-wage is greater than 4.00the hourly-wage is greater than 4.00

The clause The clause constraintconstraint value-testvalue-test is optional; is optional; useful to indicate which constraint an update useful to indicate which constraint an update violated.violated.

Can have complex conditions in domain Can have complex conditions in domain checkcheck createcreate domaindomain AccountTypeAccountType charchar(10)(10)

constraintconstraint accountaccount--typetype--testtest checkcheck ( (valuevalue inin (‘Checking’, ‘Saving’)) (‘Checking’, ‘Saving’))

checkcheck ( (branchbranch--namename inin ( (selectselect branchbranch--namename fromfrom branchbranch))))

Referential IntegrityReferential Integrity Ensures that a value that appears in one relation for a Ensures that a value that appears in one relation for a

given set of attributes also appears for a certain set of given set of attributes also appears for a certain set of attributes in another relation.attributes in another relation. Example: If “Perryridge” is a branch name appearing in one of the Example: If “Perryridge” is a branch name appearing in one of the

tuples in the tuples in the accountaccount relation, then there exists a tuple in the relation, then there exists a tuple in the branchbranch relation for branch “Perryridge”. relation for branch “Perryridge”.

Formal DefinitionFormal Definition Let Let rr11((RR11) and ) and rr22((RR22) be relations with primary keys ) be relations with primary keys KK11 and and KK22

respectively.respectively. The subset The subset of R of R22 is a is a foreign keyforeign key referencing referencing KK11 in relation in relation rr11, if , if

for every for every tt22 in in rr22 there must be a tuple there must be a tuple tt11 in in rr11 such that such that tt11[[KK11] = ] =

tt22[[].].

Referential integrity constraint also called Referential integrity constraint also called subset dependencysubset dependency since its can be written assince its can be written as ((rr22) ) KK11 ( (rr11))

Referential Integrity in the Referential Integrity in the E-R ModelE-R Model

Consider relationship set Consider relationship set RR between entity sets between entity sets EE11

and and EE22. The relational schema for . The relational schema for RR includes the includes the

primary keys primary keys KK11 of of EE11 and and KK22 of of EE22..

Then Then KK11 and and KK22 form foreign keys on the relational form foreign keys on the relational

schemas for schemas for EE11 and and EE22 respectively. respectively.

Weak entity sets are also a source of referential Weak entity sets are also a source of referential integrity constraints. integrity constraints. For the relation schema for a weak entity set must For the relation schema for a weak entity set must

include the primary key attributes of the entity set on include the primary key attributes of the entity set on which it dependswhich it depends

RE1 E2

Checking Referential Checking Referential Integrity on Database Integrity on Database

ModificationModification The following tests must be made in order to preserve The following tests must be made in order to preserve the following referential integrity constraint:the following referential integrity constraint:

((rr22) ) KK ( (rr11))

Insert.Insert. If a tuple If a tuple tt22 is inserted into is inserted into rr22, the system must , the system must ensure that there is a tuple ensure that there is a tuple tt11 in in rr11 such that such that tt11[[KK] = ] =

tt22[[]. That is ]. That is

tt22 [[] ] KK ( (rr11))

Delete.Delete. If a tuple, If a tuple, tt11 is deleted from is deleted from rr11, the system , the system

must compute the set of tuples in must compute the set of tuples in rr22 that reference that reference tt11::

= = tt11[K][K] ( (rr22))

If this set is not emptyIf this set is not empty either the delete command is rejected as an error, or either the delete command is rejected as an error, or the tuples that reference the tuples that reference tt11 must themselves be deleted must themselves be deleted

(cascading deletions are possible). (cascading deletions are possible).

Database Modification Database Modification (Cont.)(Cont.) Update.Update. There are two cases: There are two cases:

If a tuple If a tuple tt22 is updated in relation is updated in relation rr22 and the update modifies and the update modifies

values for foreign key values for foreign key , then a test similar to the insert case , then a test similar to the insert case is made:is made:

Let Let tt22’ denote the new value of tuple ’ denote the new value of tuple tt22. The system must ensure . The system must ensure

that that

tt22’[’[] ] KK((rr11))

If a tuple If a tuple tt11 is updated in is updated in rr11, and the update modifies values , and the update modifies values

for the primary key (for the primary key (KK), then a test similar to the delete case ), then a test similar to the delete case is made: is made:

1.1. The system must computeThe system must compute

= = tt11[K][K] ( (rr22) )

using the old value of using the old value of tt11 (the value before the update is applied). (the value before the update is applied).

2.2. If this set is not emptyIf this set is not empty1.1. the update may be rejected as an error, or the update may be rejected as an error, or

2.2.the update may be cascaded to the tuples in the set, or the update may be cascaded to the tuples in the set, or

3.3.the tuples in the set may be deleted. the tuples in the set may be deleted.

Referential Integrity in SQLReferential Integrity in SQL Primary and candidate keys and foreign keys can be Primary and candidate keys and foreign keys can be

specified as part of the SQL specified as part of the SQL create tablecreate table statement: statement: The The primary keyprimary key clause lists attributes that comprise the primary clause lists attributes that comprise the primary

key.key. The The unique keyunique key clause lists attributes that comprise a candidate clause lists attributes that comprise a candidate

key.key. The The foreign keyforeign key clause lists the attributes that comprise the foreign clause lists the attributes that comprise the foreign

key and the name of the relation referenced by the foreign key.key and the name of the relation referenced by the foreign key. By default, a foreign key references the primary key By default, a foreign key references the primary key

attributes of the referenced tableattributes of the referenced table foreign key foreign key ((account-numberaccount-number) ) references references accountaccount

Short form for specifying a single column as foreign keyShort form for specifying a single column as foreign keyaccount-number account-number char char (10) (10) references references accountaccount

Reference columns in the referenced table can be explicitly Reference columns in the referenced table can be explicitly specifiedspecified but must be declared as primary/candidate keys but must be declared as primary/candidate keys

foreign key foreign key ((account-numberaccount-number) ) references references accountaccount((account-account-numbernumber))

Referential Integrity in SQL Referential Integrity in SQL – Example– Example

create table create table customercustomer(customer-name(customer-name char(20)char(20),,customer-streetcustomer-street char(30),char(30),customer-citycustomer-city char(30),char(30),primary keyprimary key ( (customer-name))customer-name))

create table create table branchbranch(branch-name(branch-name char(15)char(15),,branch-citybranch-city char(30),char(30),assetsassets integer,integer,primary keyprimary key (branch-name))(branch-name))

Referential Integrity in SQL – Referential Integrity in SQL – Example (Cont.)Example (Cont.)

create tablecreate table account account(account-number(account-number char(10)char(10),,branch-namebranch-name char(15),char(15),balancebalance integer,integer,primary keyprimary key ( (account-number), account-number), foreign keyforeign key ( (branch-name) branch-name) references references branch)branch)

create table create table depositordepositor(customer-name(customer-name char(20)char(20),,account-numberaccount-number char(10)char(10),,primary keyprimary key (customer-name, account-number), (customer-name, account-number),foreign keyforeign key (account-number) (account-number) references references account,account,foreign keyforeign key (customer-name) (customer-name) references references customer)customer)

Cascading Actions in SQLCascading Actions in SQL

create table create table accountaccount

. . .. . .foreign keyforeign key(branch-name) (branch-name) references references branchbranch

on delete cascadeon delete cascadeon update cascadeon update cascade

. . .. . . ) ) Due to the Due to the on delete cascadeon delete cascade clauses, if a delete of a clauses, if a delete of a

tuple in tuple in branchbranch results in referential-integrity results in referential-integrity constraint violation, the delete “cascades” to the constraint violation, the delete “cascades” to the accountaccount relation, deleting the tuple that refers to the relation, deleting the tuple that refers to the branch that was deleted.branch that was deleted.

Cascading updates are similar.Cascading updates are similar.

Cascading Actions in SQL Cascading Actions in SQL (Cont.)(Cont.) If there is a chain of foreign-key dependencies across If there is a chain of foreign-key dependencies across

multiple relations, with multiple relations, with on delete cascadeon delete cascade specified for specified for each dependency, a deletion or update at one end of the each dependency, a deletion or update at one end of the chain can propagate across the entire chain.chain can propagate across the entire chain.

If a cascading update to delete causes a constraint If a cascading update to delete causes a constraint violation that cannot be handled by a further cascading violation that cannot be handled by a further cascading operation, the system aborts the transaction. operation, the system aborts the transaction. As a result, all the changes caused by the transaction and its As a result, all the changes caused by the transaction and its

cascading actions are undone.cascading actions are undone. Referential integrity is only checked at the end of a Referential integrity is only checked at the end of a

transactiontransaction Intermediate steps are allowed to violate referential integrity Intermediate steps are allowed to violate referential integrity

provided later steps remove the violationprovided later steps remove the violation Otherwise it would be impossible to create some database Otherwise it would be impossible to create some database

states, e.g. insert two tuples whose foreign keys point to each states, e.g. insert two tuples whose foreign keys point to each otherother

E.g. E.g. spousespouse attribute of relation attribute of relation marriedperson(name, address, spouse)marriedperson(name, address, spouse)

Referential Integrity in SQL Referential Integrity in SQL (Cont.)(Cont.)

Alternative to cascading:Alternative to cascading: on delete set nullon delete set null on delete set defaulton delete set default

Null values in foreign key attributes Null values in foreign key attributes complicate SQL referential integrity complicate SQL referential integrity semantics, and are best prevented using semantics, and are best prevented using not nullnot null if any attribute of a foreign key is null, the if any attribute of a foreign key is null, the

tuple is defined to satisfy the foreign key tuple is defined to satisfy the foreign key constraint!constraint!

AssertionsAssertions

An An assertion assertion is a predicate expressing a condition that we is a predicate expressing a condition that we wish the database always to satisfy.wish the database always to satisfy.

An assertion in SQL takes the formAn assertion in SQL takes the form

create assertion create assertion <assertion-name> <assertion-name> checkcheck <predicate><predicate>

When an assertion is made, the system tests it for validity, When an assertion is made, the system tests it for validity, and tests it again on every update that may violate the and tests it again on every update that may violate the assertionassertion This testing may introduce a significant amount of overhead; This testing may introduce a significant amount of overhead;

hence hence assertions should be used with great careassertions should be used with great care.. Asserting Asserting

for all X, P(X) for all X, P(X) is achieved in a round-about fashion using is achieved in a round-about fashion using not exists X such that not P(X) not exists X such that not P(X)

Assertion ExampleAssertion Example

The sum of all loan amounts for each branch must be The sum of all loan amounts for each branch must be less than the sum of all account balances at the branch.less than the sum of all account balances at the branch.

create assertioncreate assertion sum-constraint sum-constraint checkcheck (not exists (select * from (not exists (select * from branchbranch

where (select sumwhere (select sum(amount)(amount) from from loanloan

where where loan.branch-name = loan.branch-name = branch.branch-name) branch.branch-name)

>= >= (select sum(select sum(amount)(amount) from from accountaccount

where where loan.branch-name = loan.branch-name = branch.branch-name))) branch.branch-name)))

Assertion ExampleAssertion Example Every loan has at least one borrower who maintains an Every loan has at least one borrower who maintains an

account with a minimum balance or $1000.00account with a minimum balance or $1000.00

create assertion create assertion balance-constraint balance-constraint checkcheck (not exists ( (not exists ( select * from select * from loanloan

where not exists ( where not exists ( select * select *

from from borrower, depositor, accountborrower, depositor, account where where loan.loan-number = borrower.loan-numberloan.loan-number = borrower.loan-number and and borrower.customer-name = borrower.customer-name =

depositor.customer-namedepositor.customer-name andand depositor.account-number = depositor.account-number =

account.account-numberaccount.account-number and and account.balance >= account.balance >= 1000)))1000)))

TriggersTriggers

A A triggertrigger is a statement that is executed is a statement that is executed automatically by the system as a side effect of a automatically by the system as a side effect of a modification to the database.modification to the database.

To design a trigger mechanism, we must:To design a trigger mechanism, we must: Specify the conditions under which the trigger is to be Specify the conditions under which the trigger is to be

executed.executed. Specify the actions to be taken when the trigger Specify the actions to be taken when the trigger

executes.executes. Triggers introduced to SQL standard in Triggers introduced to SQL standard in

SQL:1999, but supported even earlier using non-SQL:1999, but supported even earlier using non-standard syntax by most databases.standard syntax by most databases.

Trigger Example Trigger Example

Suppose that instead of allowing negative Suppose that instead of allowing negative account balances, the bank deals with account balances, the bank deals with overdrafts by overdrafts by setting the account balance to zerosetting the account balance to zero creating a loan in the amount of the overdraftcreating a loan in the amount of the overdraft giving this loan a loan number identical to the giving this loan a loan number identical to the

account number of the overdrawn accountaccount number of the overdrawn account The condition for executing the trigger is The condition for executing the trigger is

an update to the an update to the accountaccount relation that relation that results in a negative results in a negative balance balance value.value.

Trigger Example in Trigger Example in SQL:1999SQL:1999create trigger create trigger overdraft-trigger overdraft-trigger after update on after update on account account

referencing new row as referencing new row as nrow nrow for each rowfor each rowwhen when nrow.balance nrow.balance < 0< 0begin atomicbegin atomic

insert into insert into borrowerborrower (select (select customer-name, account-numbercustomer-name, account-number

from from depositordepositor where where nrow.account-number = nrow.account-number = depositor.account-number depositor.account-number);); insert into insert into loan loan valuesvalues

(n(n.row.account-number, nrow.branch-name, .row.account-number, nrow.branch-name, – nrow.balance – nrow.balance);); update update account account set set balance balance = 0= 0

where where account.account-number = nrow.account-account.account-number = nrow.account-numbernumberendend

Triggering Events and Triggering Events and Actions in SQLActions in SQL Triggering event can be Triggering event can be insertinsert, , deletedelete or or updateupdate

Triggers on update can be restricted to specific Triggers on update can be restricted to specific attributesattributes E.g. create trigger E.g. create trigger overdraft-trigger overdraft-trigger after update of after update of

balance balance onon account account Values of attributes before and after an update can be Values of attributes before and after an update can be

referencedreferenced referencing old row asreferencing old row as : for deletes and updates : for deletes and updates referencing new row as : referencing new row as : for inserts and updatesfor inserts and updates

Triggers can be activated before an event, which can Triggers can be activated before an event, which can serve as extra constraints. E.g. convert blanks to null.serve as extra constraints. E.g. convert blanks to null.create trigger create trigger setnull-trigger setnull-trigger before update on before update on rrreferencing new row as referencing new row as nrownrowfor each rowfor each row when when nrow.phone-number = ‘ ‘nrow.phone-number = ‘ ‘ set set nrow.phone-number nrow.phone-number = = nullnull

Statement Level TriggersStatement Level Triggers

Instead of executing a separate action for Instead of executing a separate action for each affected row, a single action can be each affected row, a single action can be executed for all rows affected by a executed for all rows affected by a transactiontransaction Use Use for each statement for each statement instead of instead of for for

each roweach row Use Use referencing old tablereferencing old table or or referencing referencing

new tablenew table to refer to temporary tables (called to refer to temporary tables (called transition tablestransition tables) containing the affected rows) containing the affected rows

Can be more efficient when dealing with SQL Can be more efficient when dealing with SQL statements that update a large number of rowsstatements that update a large number of rows

External World ActionsExternal World Actions We sometimes require external world actions to be We sometimes require external world actions to be

triggered on a database updatetriggered on a database update E.g. re-ordering an item whose quantity in a warehouse has E.g. re-ordering an item whose quantity in a warehouse has

become small, or turning on an alarm light, become small, or turning on an alarm light, Triggers cannot be used to directly implement external-Triggers cannot be used to directly implement external-

world actions, BUTworld actions, BUT Triggers can be used to record actions-to-be-taken in a separate Triggers can be used to record actions-to-be-taken in a separate

tabletable Have an external process that repeatedly scans the table, carries Have an external process that repeatedly scans the table, carries

out external-world actions and deletes action from tableout external-world actions and deletes action from table E.g. Suppose a warehouse has the following tablesE.g. Suppose a warehouse has the following tables

inventory(item, level): inventory(item, level): How much of each item is in the warehouseHow much of each item is in the warehouse minlevel(item, level) : minlevel(item, level) : What is the minimum desired level of each What is the minimum desired level of each

itemitem reorder(item, amount): reorder(item, amount): What quantity should we re-order at a timeWhat quantity should we re-order at a time orders(item, amount) : orders(item, amount) : Orders to be placed (read by external Orders to be placed (read by external

process)process)

External World Actions External World Actions (Cont.)(Cont.)create trigger create trigger reorder-trigger reorder-trigger after update of after update of amount amount

on on inventoryinventoryreferencing old row as referencing old row as oroworow, , new row as new row as nrownrowfor each rowfor each row when when nrow.level nrow.level < = (< = (select select levellevel

from from minlevelminlevel where where minlevel.item = orow.itemminlevel.item = orow.item))

and and orow.level orow.level > (> (select select levellevel from from minlevelminlevel

where where minlevel.item = minlevel.item = orow.itemorow.item))

beginbegininsert into insert into ordersorders ((select select item, amountitem, amount from from reorderreorder where where reorder.item = orow.itemreorder.item = orow.item))

endend

Triggers in MS-SQLServer Triggers in MS-SQLServer SyntaxSyntax

create trigger create trigger overdraft-trigger overdraft-trigger onon accountaccountfor updatefor updateas as if insertedif inserted.balance .balance < 0< 0beginbegin insert into insert into borrowerborrower ((select select customer-name,account-numbercustomer-name,account-number from from depositordepositor, , insertedinserted where inserted where inserted..account-number = account-number = depositor.account-number depositor.account-number)) insert into insert into loan loan valuesvalues ( (insertedinserted..account-numberaccount-number, , insertedinserted..branch-namebranch-name,, – – insertedinserted..balancebalance)) update update account account set set balance balance = 0= 0 from from accountaccount, , insertedinserted where where account.account-number account.account-number = = insertedinserted..account-account-numbernumberendend

When Not To Use TriggersWhen Not To Use Triggers

Triggers were used earlier for tasks such as Triggers were used earlier for tasks such as maintaining summary data (e.g. total salary of each department)maintaining summary data (e.g. total salary of each department) Replicating databases by recording changes to special relations Replicating databases by recording changes to special relations

(called (called changechange or or deltadelta relations) and having a separate process relations) and having a separate process that applies the changes over to a replica that applies the changes over to a replica

There are better ways of doing these now:There are better ways of doing these now: Databases today provide built in materialized view facilities to Databases today provide built in materialized view facilities to

maintain summary datamaintain summary data Databases provide built-in support for replicationDatabases provide built-in support for replication

Encapsulation facilities can be used instead of triggers in Encapsulation facilities can be used instead of triggers in many casesmany cases Define methods to update fieldsDefine methods to update fields Carry out actions as part of the update methods instead of Carry out actions as part of the update methods instead of

through a trigger through a trigger

SecuritySecurity Security Security - protection from malicious attempts - protection from malicious attempts

to steal or modify data.to steal or modify data. Database system levelDatabase system level

AuthenticationAuthentication and and authorizationauthorization mechanisms to allow mechanisms to allow specific users access only to required dataspecific users access only to required data

We concentrate on authorization in the rest of this chapterWe concentrate on authorization in the rest of this chapter Operating system levelOperating system level

Operating system super-users can do anything they want to Operating system super-users can do anything they want to the database! Good operating system level security is the database! Good operating system level security is required.required.

Network level: must use encryption to preventNetwork level: must use encryption to prevent Eavesdropping (unauthorized reading of messages)Eavesdropping (unauthorized reading of messages) Masquerading (pretending to be an authorized user or Masquerading (pretending to be an authorized user or

sending messages supposedly from authorized users)sending messages supposedly from authorized users)

Security (Cont.)Security (Cont.)

Physical levelPhysical level Physical access to computers allows destruction of Physical access to computers allows destruction of

data by intruders; traditional lock-and-key security is data by intruders; traditional lock-and-key security is neededneeded

Computers must also be protected from floods, fire, Computers must also be protected from floods, fire, etc. etc.

More in Chapter 17 (Recovery)More in Chapter 17 (Recovery)

Human levelHuman level Users must be screened to ensure that an authorized Users must be screened to ensure that an authorized

users do not give access to intruders users do not give access to intruders Users should be trained on password selection and Users should be trained on password selection and

secrecysecrecy

AuthorizationAuthorizationForms of authorization on parts of the database:Forms of authorization on parts of the database:

Read authorization Read authorization - allows reading, but not - allows reading, but not

modification of data.modification of data. Insert authorization Insert authorization - allows insertion of new - allows insertion of new

data, but not modification of existing data.data, but not modification of existing data. Update authorization Update authorization - allows modification, - allows modification,

but not deletion of data.but not deletion of data. Delete authorization Delete authorization - allows deletion of data- allows deletion of data

Authorization (Cont.)Authorization (Cont.)Forms of authorization to modify the database schema:Forms of authorization to modify the database schema: Index authorization Index authorization - allows creation and deletion of - allows creation and deletion of

indices.indices. ResourcesResources authorizationauthorization - allows creation of new - allows creation of new

relations.relations. AlterationAlteration authorizationauthorization - allows addition or - allows addition or

deletion of attributes in a relation.deletion of attributes in a relation. DropDrop authorizationauthorization - allows deletion of relations. - allows deletion of relations.

Authorization and ViewsAuthorization and Views

Users can be given authorization on views, without being Users can be given authorization on views, without being given any authorization on the relations used in the view given any authorization on the relations used in the view definitiondefinition

Ability of views to hide data serves both to simplify Ability of views to hide data serves both to simplify usage of the system and to enhance security by allowing usage of the system and to enhance security by allowing users access only to data they need for their jobusers access only to data they need for their job

A combination or relational-level security and view-level A combination or relational-level security and view-level security can be used to limit a user’s access to precisely security can be used to limit a user’s access to precisely the data that user needs.the data that user needs.

View ExampleView Example

Suppose a bank clerk needs to know the names of Suppose a bank clerk needs to know the names of the customers of each branch, but is not authorized the customers of each branch, but is not authorized to see specific loan information.to see specific loan information. Approach: Deny direct access to theApproach: Deny direct access to the loan loan relation, but relation, but

grant access to the view grant access to the view cust-loancust-loan, which consists only of , which consists only of the names of customers and the branches at which they the names of customers and the branches at which they have a loan.have a loan.

The The cust-loan cust-loan view is defined in SQL as follows:view is defined in SQL as follows:

create view create view cust-loan cust-loan asas select select branchnamebranchname, , customer-namecustomer-name from from borrower, loanborrower, loan where where borrower.loan-number borrower.loan-number == loan.loan- loan.loan-

numbernumber

View Example (Cont.)View Example (Cont.)

The clerk is authorized to see the result of The clerk is authorized to see the result of the query:the query:

selectselect **from from cust-loancust-loan

When the query processor translates the When the query processor translates the result into a query on the actual relations in result into a query on the actual relations in the database, we obtain a query on the database, we obtain a query on borrower borrower and and loanloan..

Authorization must be checked on the Authorization must be checked on the clerk’s query before query processing clerk’s query before query processing replaces a view by the definition of the view.replaces a view by the definition of the view.

Authorization on ViewsAuthorization on Views

Creation of view does not require Creation of view does not require resources resources authorization authorization since no real relation is being createdsince no real relation is being created

The creator of a view gets only those privileges that provide The creator of a view gets only those privileges that provide no additional authorization beyond that he already had.no additional authorization beyond that he already had.

E.g. if creator of view E.g. if creator of view cust-loancust-loan had only had only readread authorization authorization on on borrowerborrower and and loanloan, he gets only , he gets only readread authorization on authorization on custcust--loanloan

Granting of PrivilegesGranting of Privileges

The passage of authorization from one user The passage of authorization from one user to another may be represented by an to another may be represented by an authorization graph.authorization graph.

The nodes of this graph are the users.The nodes of this graph are the users. The root of the graph is the database The root of the graph is the database

administrator.administrator. Consider graph for update authorization on Consider graph for update authorization on

loan.loan. An edge UAn edge Uii UUjj indicates that user U indicates that user Uii has has

granted update authorization on loan to Ugranted update authorization on loan to Uj.j.

U1 U4

U2 U5

U3

DBA

Authorization Grant GraphAuthorization Grant Graph

RequirementRequirement: All edges in an authorization graph must be part : All edges in an authorization graph must be part of some path originating with the database administratorof some path originating with the database administrator

If DBA revokes grant from UIf DBA revokes grant from U11:: Grant must be revoked from UGrant must be revoked from U44 since U since U11 no longer has authorization no longer has authorization

Grant must not be revoked from UGrant must not be revoked from U55 since U since U55 has another authorization has another authorization path from DBA through Upath from DBA through U22

Must prevent cycles of grants with no path from the root:Must prevent cycles of grants with no path from the root: DBA grants authorization to UDBA grants authorization to U77

U7 grants authorization to UU7 grants authorization to U88

U8 grants authorization to UU8 grants authorization to U77

DBA revokes authorization from UDBA revokes authorization from U77

Must revoke grant UMust revoke grant U77 to U to U88 and from U and from U88 to U to U77 since there is no since there is no path from DBA to Upath from DBA to U77 or to U or to U88 anymore. anymore.

Security Specification in Security Specification in SQLSQL

The grant statement is used to confer authorizationThe grant statement is used to confer authorization

grantgrant <privilege list> <privilege list>

on on <relation name or view name> to <user list><relation name or view name> to <user list> <user list> is:<user list> is:

a user-ida user-id publicpublic, which allows all valid users the privilege granted, which allows all valid users the privilege granted A role (more on this later)A role (more on this later)

Granting a privilege on a view does not imply granting Granting a privilege on a view does not imply granting any privileges on the underlying relations.any privileges on the underlying relations.

The grantor of the privilege must already hold the The grantor of the privilege must already hold the privilege on the specified item (or be the database privilege on the specified item (or be the database administrator).administrator).

Privileges in SQLPrivileges in SQL

select:select: allows read access to relation,or the ability to query allows read access to relation,or the ability to query using the viewusing the view Example: grant users UExample: grant users U11, U, U22, and U, and U33 selectselect authorization on the authorization on the branch branch

relation:relation:

grant select on grant select on branch branch to to UU11, U, U22, U, U33

insertinsert: the ability to insert tuples: the ability to insert tuples updateupdate: the ability to update using the SQL update statement: the ability to update using the SQL update statement deletedelete: the ability to delete tuples.: the ability to delete tuples. referencesreferences: ability to declare foreign keys when creating : ability to declare foreign keys when creating

relations.relations. usageusage: In SQL-92; authorizes a user to use a specified domain: In SQL-92; authorizes a user to use a specified domain all privilegesall privileges: used as a short form for all the allowable : used as a short form for all the allowable

privilegesprivileges

Privilege To Grant Privilege To Grant PrivilegesPrivileges

with grant optionwith grant option: allows a user who is : allows a user who is granted a privilege to pass the privilege on granted a privilege to pass the privilege on to other users. to other users. Example:Example:

grant select on grant select on branch branch to to UU11 with grant optionwith grant option

gives Ugives U11 the the select select privileges on branch and allows Uprivileges on branch and allows U11 to grant thisto grant this

privilege to othersprivilege to others

RolesRoles Roles permit common privileges for a class of users Roles permit common privileges for a class of users

can be specified just once by creating a corresponding can be specified just once by creating a corresponding “role”“role”

Privileges can be granted to or revoked from roles, Privileges can be granted to or revoked from roles, just like userjust like user

Roles can be assigned to users, and even to other Roles can be assigned to users, and even to other rolesroles

SQL:1999 supports rolesSQL:1999 supports roles create role create role teller teller

create role create role managermanager

grant select on grant select on branch branch to to teller tellergrant update (grant update (balancebalance) on ) on accountaccount to to tellertellergrant all privileges on grant all privileges on accountaccount to to managermanager

grant grant teller teller to to managermanager

grantgrant teller teller to to alice, bobalice, bobgrant grant managermanager to to aviavi

Revoking Authorization in Revoking Authorization in SQLSQL

The The revoke revoke statement is used to revoke authorization.statement is used to revoke authorization.revokerevoke<privilege list><privilege list>

on on <relation name or view name> <relation name or view name> from from <user list> [<user list> [restrictrestrict||cascadecascade]]

Example:Example:revoke select on revoke select on branch branch from from UU11, U, U22, U, U33 cascadecascade

Revocation of a privilege from a user may cause other Revocation of a privilege from a user may cause other users also to lose that privilege; referred to as cascading users also to lose that privilege; referred to as cascading of the of the revokerevoke..

We can prevent cascading by specifying We can prevent cascading by specifying restrictrestrict::revoke select on revoke select on branch branch from from UU11, U, U22, U, U33 restrictrestrict

With With restrictrestrict, the , the revoke revoke command fails if cascading command fails if cascading revokes are required.revokes are required.

Revoking Authorization in Revoking Authorization in SQL (Cont.)SQL (Cont.)

<privilege-list> may be <privilege-list> may be all toall to revoke all revoke all privileges the revokee may hold.privileges the revokee may hold.

If <revokee-list> includes If <revokee-list> includes public public all users lose all users lose the privilege except those granted it explicitly.the privilege except those granted it explicitly.

If the same privilege was granted twice to the If the same privilege was granted twice to the same user by different grantees, the user may same user by different grantees, the user may retain the privilege after the revocation. retain the privilege after the revocation.

All privileges that depend on the privilege All privileges that depend on the privilege being revoked are also revoked.being revoked are also revoked.

Limitations of SQL Limitations of SQL AuthorizationAuthorization SQL does not support authorization at a tuple levelSQL does not support authorization at a tuple level

E.g. we cannot restrict students to see only (the tuples storing) E.g. we cannot restrict students to see only (the tuples storing) their own gradestheir own grades

With the growth in Web access to databases, database With the growth in Web access to databases, database accesses come primarily from application servers.accesses come primarily from application servers. End users don't have database user ids, they are all mapped to End users don't have database user ids, they are all mapped to

the same database user idthe same database user id All end-users of an application (such as a web All end-users of an application (such as a web

application) may be mapped to a single database userapplication) may be mapped to a single database user The task of authorization in above cases falls on the The task of authorization in above cases falls on the

application program, with no support from SQLapplication program, with no support from SQL Benefit: fine grained authorizations, such as to individual tuples, Benefit: fine grained authorizations, such as to individual tuples,

can be implemented by the application.can be implemented by the application. Drawback: Authorization must be done in application code, and Drawback: Authorization must be done in application code, and

may be dispersed all over an applicationmay be dispersed all over an application Checking for absence of authorization loopholes becomes very Checking for absence of authorization loopholes becomes very

difficult since it requires reading large amounts of application difficult since it requires reading large amounts of application codecode

Audit TrailsAudit Trails An audit trail is a log of all changes An audit trail is a log of all changes

(inserts/deletes/updates) to the database along (inserts/deletes/updates) to the database along with information such as which user performed with information such as which user performed the change, and when the change was the change, and when the change was performed.performed.

Used to track erroneous/fraudulent updates.Used to track erroneous/fraudulent updates. Can be implemented using triggers, but many Can be implemented using triggers, but many

database systems provide direct support.database systems provide direct support.

EncryptionEncryption

Data may be Data may be encryptedencrypted when database when database authorization provisions do not offer authorization provisions do not offer sufficient protection.sufficient protection.

Properties of good encryption technique:Properties of good encryption technique: Relatively simple for authorized users to encrypt Relatively simple for authorized users to encrypt

and decrypt data.and decrypt data. Encryption scheme depends not on the secrecy of Encryption scheme depends not on the secrecy of

the algorithm but on the secrecy of a parameter the algorithm but on the secrecy of a parameter of the algorithm called the encryption key.of the algorithm called the encryption key.

Extremely difficult for an intruder to determine Extremely difficult for an intruder to determine the encryption key.the encryption key.

Encryption (Cont.)Encryption (Cont.) Data Encryption StandardData Encryption Standard (DES) (DES) substitutes characters and substitutes characters and

rearranges their order on the basis of an encryption key rearranges their order on the basis of an encryption key which is provided to authorized users via a secure which is provided to authorized users via a secure mechanism. Scheme is no more secure than the key mechanism. Scheme is no more secure than the key transmission mechanism since the key has to be shared.transmission mechanism since the key has to be shared.

Advanced Encryption Standard (AES)Advanced Encryption Standard (AES) is a new standard is a new standard replacing DES, and is based on the Rijndael algorithm, but is replacing DES, and is based on the Rijndael algorithm, but is also dependent on shared secret keysalso dependent on shared secret keys

Public-key encryptionPublic-key encryption is based on each user having two keys: is based on each user having two keys: public keypublic key – publicly published key used to encrypt data, but cannot be – publicly published key used to encrypt data, but cannot be

used to decrypt dataused to decrypt data private keyprivate key -- key known only to individual user, and used to decrypt -- key known only to individual user, and used to decrypt

data.data.Need not be transmitted to the site doing encryption.Need not be transmitted to the site doing encryption.

Encryption scheme is such that it is impossible or extremely Encryption scheme is such that it is impossible or extremely hard to decrypt data given only the public key.hard to decrypt data given only the public key.

The RSA public-key encryption scheme is based on the The RSA public-key encryption scheme is based on the hardness of factoring a very large number (100's of digits) hardness of factoring a very large number (100's of digits) into its prime components.into its prime components.

AuthenticationAuthentication Password based authentication is widely used, but is Password based authentication is widely used, but is

susceptible to sniffing on a networksusceptible to sniffing on a network Challenge-responseChallenge-response systems avoid transmission of systems avoid transmission of

passwordspasswords DB sends a (randomly generated) challenge string to userDB sends a (randomly generated) challenge string to user User encrypts string and returns result. User encrypts string and returns result. DB verifies identity by decrypting resultDB verifies identity by decrypting result Can use public-key encryption system by DB sending a message Can use public-key encryption system by DB sending a message

encrypted using user’s public key, and user decrypting and encrypted using user’s public key, and user decrypting and sending the message backsending the message back

DigitalDigital signaturessignatures are used to verify authenticity of data are used to verify authenticity of data E.g. use private key (in reverse) to encrypt data, and anyone can E.g. use private key (in reverse) to encrypt data, and anyone can

verify authenticity by using public key (in reverse) to decrypt verify authenticity by using public key (in reverse) to decrypt data. Only holder of private key could have created the data. Only holder of private key could have created the encrypted data.encrypted data.

Digital signatures also help ensure Digital signatures also help ensure nonrepudiation: nonrepudiation: sendersendercannot later claim to have not created the datacannot later claim to have not created the data

Digital CertificatesDigital Certificates Digital certificates Digital certificates are used to verify authenticity of are used to verify authenticity of

public keys. public keys. Problem: when you communicate with a web site, how do Problem: when you communicate with a web site, how do

you know if you are talking with the genuine web site or you know if you are talking with the genuine web site or an imposter?an imposter? Solution: use the public key of the web siteSolution: use the public key of the web site Problem: how to verify if the public key itself is genuine?Problem: how to verify if the public key itself is genuine?

Solution:Solution: Every client (e.g. browser) has public keys of a few root-level Every client (e.g. browser) has public keys of a few root-level

certification authoritiescertification authorities A site can get its name/URL and public key signed by a A site can get its name/URL and public key signed by a

certification authority: signed document is called a certification authority: signed document is called a certificatecertificate Client can use public key of certification authority to verify Client can use public key of certification authority to verify

certificatecertificate Multiple levels of certification authorities can exist. Each Multiple levels of certification authorities can exist. Each

certification authority certification authority presents its own public-key certificate signed by a presents its own public-key certificate signed by a

higher level authority, and higher level authority, and Uses its private key to sign the certificate of other web sites/authoritiesUses its private key to sign the certificate of other web sites/authorities

04/19/23

End of ChapterEnd of Chapter

Statistical DatabasesStatistical Databases

Problem: how to ensure privacy of individuals while Problem: how to ensure privacy of individuals while allowing use of data for statistical purposes (e.g., allowing use of data for statistical purposes (e.g., finding median income, average bank balance etc.)finding median income, average bank balance etc.)

Solutions: Solutions: System rejects any query that involves fewer than some System rejects any query that involves fewer than some

predetermined number of individuals.predetermined number of individuals.

Still possible to use results of multiple overlapping Still possible to use results of multiple overlapping queries to queries to deduce data about an individual deduce data about an individual

Data pollutionData pollution -- random falsification of data provided in -- random falsification of data provided in response to a query.response to a query.

Random modification of the query itself.Random modification of the query itself. There is a tradeoff between accuracy and security.There is a tradeoff between accuracy and security.

An An n-n-ary Relationship Setary Relationship Set

Authorization-Grant GraphAuthorization-Grant Graph

Attempt to Defeat Attempt to Defeat Authorization RevocationAuthorization Revocation

Authorization GraphAuthorization Graph

Physical Level SecurityPhysical Level Security

Protection of equipment from floods, power failure, etc.Protection of equipment from floods, power failure, etc. Protection of disks from theft, erasure, physical damage, Protection of disks from theft, erasure, physical damage,

etc.etc. Protection of network and terminal cables from wiretaps Protection of network and terminal cables from wiretaps

non-invasive electronic eavesdropping, physical damage, non-invasive electronic eavesdropping, physical damage, etc.etc.

Solutions:Solutions:

Replicated hardware:Replicated hardware: mirrored disks, dual busses, etc.mirrored disks, dual busses, etc. multiple access paths between every pair of devisesmultiple access paths between every pair of devises

Physical security: locks,police, etc.Physical security: locks,police, etc. Software techniques to detect physical security breaches.Software techniques to detect physical security breaches.

Human Level SecurityHuman Level Security

Protection from stolen passwords, sabotage, etc.Protection from stolen passwords, sabotage, etc. Primarily a management problem:Primarily a management problem:

Frequent change of passwordsFrequent change of passwords Use of “non-guessable” passwordsUse of “non-guessable” passwords Log all invalid access attemptsLog all invalid access attempts Data auditsData audits Careful hiring practicesCareful hiring practices

Operating System Level Operating System Level SecuritySecurity

Protection from invalid loginsProtection from invalid logins

File-level access protection (often not very helpful for File-level access protection (often not very helpful for

database security)database security)

Protection from improper use of “superuser” authority.Protection from improper use of “superuser” authority.

Protection from improper use of privileged machine Protection from improper use of privileged machine

intructions.intructions.

Network-Level SecurityNetwork-Level Security

Each site must ensure that it communicate with Each site must ensure that it communicate with trusted sites (not intruders).trusted sites (not intruders).

Links must be protected from theft or Links must be protected from theft or modification of messages modification of messages

Mechanisms:Mechanisms: Identification protocol (password-based),Identification protocol (password-based), Cryptography.Cryptography.

Database-Level SecurityDatabase-Level Security

Assume security at network, operating Assume security at network, operating system, human, and physical levels.system, human, and physical levels.

Database specific issues:Database specific issues: each user may have authority to read only part of each user may have authority to read only part of

the data and to write only part of the data.the data and to write only part of the data. User authority may correspond to entire files or User authority may correspond to entire files or

relations, but it may also correspond only to parts relations, but it may also correspond only to parts of files or relations.of files or relations.

Local autonomy suggests site-level Local autonomy suggests site-level authorization control in a distributed database.authorization control in a distributed database.

Global control suggests centralized control.Global control suggests centralized control.