
Database Security and Authorization
Elmasri/Navathe, Fundamentals of Database Systems, Fourth Edition
Copyright © 2004 Ramez Elmasri and Shamkant Navathe
Types of Security
– Legal and ethical issues: some information is private and cannot be accessed by unauthorized persons

– Policy issues: governmental, institutional or corporate level decisions as to what kind of information should not be made publicly available

– System-related issues: whether the security function should be handled at the OS level or at the DBMS level

– Multiple security levels


• There are security classifications or security levels

o Users/principals/subjects have security clearances

o Objects have security classifications

• Example: TOP SECRET, SECRET, CONFIDENTIAL, UNCLASSIFIED

• In this case TOP SECRET > SECRET > CONFIDENTIAL > UNCLASSIFIED

Threats to databases
- Loss of integrity
- Loss of availability
- Loss of confidentiality

To protect databases against these types of threats, four kinds of countermeasures can be implemented:
• access control
• inference control
• flow control
• encryption.

Access Control:
– The security mechanism of a DBMS must include provisions for restricting access to the database as a whole; this function is called access control and is handled by creating user accounts and passwords, with which the DBMS controls the login process.

Inference Control:
– Controlling access to a statistical database, which is used to provide statistical information or summaries of values based on various criteria.

– It is sometimes possible to deduce facts about individuals from queries that return only summaries. This must be controlled.

Flow Control:
– Prevents information from flowing in such a way that it reaches unauthorized users.

– Channels that are pathways for information to flow implicitly in ways that violate the security policy of an organization are called covert channels.

Data Encryption:
– Used to protect sensitive data (such as credit card numbers) that is being transmitted via some type of communication network.

Security Mechanisms

Two types of database security mechanisms:

• Discretionary security mechanisms: used to grant or revoke privileges to users

• Mandatory security mechanisms: used to enforce multilevel security

1.2 Database Security and the DBA

The database administrator (DBA) is the central authority for managing a database system. The DBA's responsibilities include
– granting privileges to users who need to use the system
– classifying users and data in accordance with the policy of the organization.

The DBA has a DBA account in the DBMS, sometimes called a system or superuser account, which provides powerful capabilities:

1. Account creation
2. Privilege granting
3. Privilege revocation
4. Security level assignment

Action 1 is access control, whereas 2 and 3 are discretionary and 4 is used to control mandatory authorization.

Access Protection, User Accounts, and Database Audits
Whenever a person or group of persons need to access a database system, the individual or group must first apply for a user account. The DBA will then create a new account number and password for the user if there is a legitimate need to access the database.

The user must log in to the DBMS by entering the account number and password whenever database access is needed.

The database system must also keep track of all operations on the database that are applied by a certain user throughout each login session.

To keep a record of all updates applied to the database and of the particular user who applied each update, we can modify the system log, which already includes an entry for each operation applied to the database that may be required for recovery from a transaction failure or system crash.

If any tampering with the database is suspected, a database audit is performed, which consists of reviewing the log to examine all accesses and operations applied to the database during a certain time period.

A database log that is used mainly for security purposes is sometimes called an audit trail.
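The audit described above, as an added example that is not part of the slides: a small review of an audit trail over a time window, attributing each update to the account that applied it and listing denied attempts. The log line format, the account names U1/U2/U3 and the objects Emp_Salary and loan are constructed for this example; a real DBMS writes its audit records in its own format.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed audit-trail lines (the format is an assumption of this example).
AUDIT_TRAIL = """\
2024-03-01T09:02:11 account=U1 op=SELECT object=Emp_Salary status=ok
2024-03-01T09:05:40 account=U2 op=UPDATE object=Emp_Salary rows=1 status=ok
2024-03-01T09:06:02 account=U2 op=UPDATE object=Emp_Salary rows=1 status=ok
2024-03-01T09:07:15 account=U3 op=UPDATE object=Emp_Salary rows=0 status=denied
2024-03-01T11:30:00 account=U2 op=UPDATE object=loan rows=3 status=ok
2024-03-02T08:00:00 account=U1 op=SELECT object=loan status=ok
"""

LINE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) op=(?P<op>\S+) object=(?P<obj>\S+)"
    r"(?: rows=(?P<rows>\d+))? status=(?P<status>\S+)$"
)
WRITE_OPS = {"UPDATE", "INSERT", "DELETE"}


def parse(trail):
    """Yield one record per well-formed log line; malformed lines are skipped
    (in a real audit an unparseable line would itself be worth flagging)."""
    for line in trail.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def audit(trail, start, end, obj=None):
    """Review the trail between start and end (ISO timestamps, inclusive).

    Returns ({account: number of successful updates}, [denied write attempts]),
    restricted to one object when obj is given."""
    start, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    updates, denied = Counter(), []
    for r in parse(trail):
        if not (start <= r["ts"] <= end):
            continue
        if obj is not None and r["obj"] != obj:
            continue
        if r["op"] in WRITE_OPS:
            if r["status"] == "ok":
                updates[r["account"]] += 1
            else:
                denied.append((r["ts"].isoformat(), r["account"], r["op"], r["obj"]))
    return dict(updates), denied


if __name__ == "__main__":
    print(audit(AUDIT_TRAIL, "2024-03-01T09:00:00", "2024-03-01T10:00:00", obj="Emp_Salary"))
```

The window and object filters are the two questions an audit usually starts with (who changed this relation, and when); the denied list is kept separately because repeated refused writes are often the first sign of tampering attempts.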

Discretionary Access Control Based on Granting and Revoking Privileges
The typical method of enforcing discretionary access control in a database system is based on the granting and revoking of privileges.

2.1 Types of Discretionary Privileges
• The account level: At this level, the DBA specifies the particular privileges that each account holds independently of the relations in the database.
– Create schema, create table, create view

• The relation (or table) level: At this level, the DBA can control the privilege to access each individual relation or view in the database.

Access Control Matrix
The access control matrix is a matrix with each subject represented by a row, and each object represented by a column. The entry M[s, o] lists the operations that subject s may carry out on object o.

Subject        | OS  | Accounting Program | Accounting Data | Insurance Data | Payroll Data
Bob            | Rx  | Rx                 | R               | -              | -
Alice          | Rx  | Rx                 | R               | Rw             | Rw
Sam            | Rwx | Rwx                | R               | Rw             | Rw
Acct. Program  | Rx  | Rx                 | Rw              | Rw             | r

GRANTING OF PRIVILEGES
• A system privilege is the right to perform a particular action, or to perform an action on any schema objects of a particular type.
• An authorized user may pass on this authorization to other users. This process is called granting of privileges.
Syntax
GRANT <privilege list> ON <relation name or view name> TO <user>
NEHA J MENDJOGE
The following GRANT statement grants users U1, U2 and U3 the SELECT privilege on the Emp_Salary relation:

GRANT SELECT ON Emp_Salary TO U1, U2, U3

The following GRANT statement gives all users (via the PUBLIC keyword) all privileges on the Emp_Salary relation:

GRANT ALL PRIVILEGES ON Emp_Salary TO PUBLIC

UPDATE PRIVILEGE
The update authorization may be given either on all attributes of a relation or on only some. The list of attributes on which update authorization is to be granted appears in parentheses immediately after the UPDATE keyword. If the list of attributes is not given, the update privilege is granted on all attributes.

GRANT UPDATE(amount) ON loan TO U1, U2, U3

Create Table privilege
Assume the DBA creates users A1, A2, A3, A4 and wants only A1 to be able to create tables; then:
GRANT CREATETAB TO A1

THE PRIVILEGE TO GRANT PRIVILEGES
To allow an authorized user to pass on the privileges to other users, we append the WITH GRANT OPTION clause to the appropriate GRANT command.
Eg: GRANT UPDATE ON branch TO U1 WITH GRANT OPTION

The REVOKE Statement
To revoke an authorization, the REVOKE statement is used.
SYNTAX:
REVOKE <privilege list> ON <relation name> FROM <user>

EXAMPLES
REVOKE SELECT ON branch FROM U1, U2, U3

REVOKE GRANT OPTION FOR SELECT ON branch FROM U1
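The grant/revoke mechanism of the last few slides and the access control matrix slide, as one added example (not code from the slides or the textbook): an in-memory model of discretionary privileges in which GRANT ... WITH GRANT OPTION lets a holder pass a privilege on, REVOKE and REVOKE GRANT OPTION FOR take it back, and a revocation cascades to grants that the revoked user had made on the strength of it. The matrix() method renders the resulting access control matrix M[s, o]. The owner account dba, users U1/U2/U3, the relation branch and the cascade-on-revoke behaviour are assumptions of this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Grant:
    grantor: str
    grantee: str
    privilege: str      # 'select', 'update', ...
    obj: str            # relation or view name
    grant_option: bool  # True when granted WITH GRANT OPTION


class DacSystem:
    """Discretionary access control: every grant must chain back to the owner."""

    def __init__(self, owner: str):
        self.owner = owner            # creator/DBA: holds every privilege with grant option
        self.grants: list[Grant] = []

    def has(self, user, privilege, obj, with_option=False) -> bool:
        if user == self.owner:
            return True
        return any(g.grantee == user and g.privilege == privilege and g.obj == obj
                   and (g.grant_option or not with_option)
                   for g in self.grants)

    def grant(self, grantor, grantee, privilege, obj, grant_option=False):
        """GRANT <privilege> ON <obj> TO <grantee> [WITH GRANT OPTION], issued by grantor."""
        # Only a user who holds the privilege WITH GRANT OPTION may pass it on.
        if not self.has(grantor, privilege, obj, with_option=True):
            raise PermissionError(f"{grantor} cannot grant {privilege} on {obj}")
        self.grants.append(Grant(grantor, grantee, privilege, obj, grant_option))

    def revoke(self, revoker, grantee, privilege, obj, option_only=False):
        """REVOKE [GRANT OPTION FOR] <privilege> ON <obj> FROM <grantee>, issued by revoker.

        Only grants that revoker made are affected; anything the grantee granted
        onward on the strength of them is then cascaded away."""
        kept = []
        for g in self.grants:
            if (g.grantor, g.grantee, g.privilege, g.obj) == (revoker, grantee, privilege, obj):
                if option_only:   # keep the privilege, drop the right to pass it on
                    kept.append(Grant(g.grantor, g.grantee, g.privilege, g.obj, False))
            else:
                kept.append(g)
        self.grants = kept
        self._cascade()

    def _cascade(self):
        # A grant whose grantor no longer holds the grant option is revoked too;
        # repeat until stable, since grants can chain several users deep.
        changed = True
        while changed:
            changed = False
            for g in list(self.grants):
                if not self.has(g.grantor, g.privilege, g.obj, with_option=True):
                    self.grants.remove(g)
                    changed = True

    def matrix(self, subjects, objects, privileges):
        """Access control matrix: M[s, o] is the set of privileges s holds on o."""
        return {(s, o): {p for p in privileges if self.has(s, p, o)}
                for s in subjects for o in objects}


def demo():
    dac = DacSystem(owner="dba")
    dac.grant("dba", "U1", "select", "branch", grant_option=True)  # ... TO U1 WITH GRANT OPTION
    dac.grant("U1", "U2", "select", "branch")                      # U1 passes SELECT on to U2
    before = dac.matrix(["U1", "U2"], ["branch"], ["select"])
    dac.revoke("dba", "U1", "select", "branch", option_only=True)  # REVOKE GRANT OPTION FOR ...
    after = dac.matrix(["U1", "U2"], ["branch"], ["select"])
    return before, after


if __name__ == "__main__":
    print(demo())
```

In demo(), U1 keeps SELECT after the option-only revoke, but U2's privilege disappears because the only chain that authorized it ran through U1's grant option; that cascading effect is what makes WITH GRANT OPTION something to hand out sparingly.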

Mandatory Access Control
Typical security classes are top secret (TS), secret (S), confidential (C), and unclassified (U), where TS is the highest level and U the lowest: TS ≥ S ≥ C ≥ U

The commonly used model for multilevel security, known as the Bell-LaPadula model, classifies each subject (user, account, program) and object (relation, tuple, column, view, operation) into one of the security classifications TS, S, C, or U. We refer to the clearance (classification) of a subject S as class(S) and to the classification of an object O as class(O).

• Simple Security Condition:

– Subject S can read object O if and only if class(O) ≤ class(S)

– Eg: So if you have a "Secret" clearance, then you can read "Secret", "Confidential" and "Unclassified" documents, but you can't read "Top Secret" documents

• *-Property (Star Property)

– Subject S can write object O if and only if class(S) ≤ class(O), i.e. you can't write to documents classified lower than your own level (no "write down")

– Eg: So again if you have a "Secret" classification level, you can write to "Secret" and "Top Secret" documents, but you can't write to "Confidential" and "Unclassified" documents

3 Mandatory Access Control and Role-Based Access Control for Multilevel Security
Each attribute A is associated with a classification attribute C in the schema, and each attribute value in a tuple is associated with a corresponding security classification. In addition, in some models, a tuple classification attribute TC is added to the relation attributes to provide a classification for each tuple as a whole. Hence, a multilevel relation schema R with n attributes would be represented as

R(A1, C1, A2, C2, …, An, Cn, TC)

where each Ci represents the classification attribute associated with attribute Ai and TC is the classification of the tuple as a whole.
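The two Bell-LaPadula rules and the multilevel relation R(A1, C1, …, An, Cn, TC), as one added example that is not part of the slides: the simple security condition and *-property are evaluated on the TS > S > C > U ordering, and a multilevel relation is filtered down to the view a subject of a given clearance may read. The EMPLOYEE tuples (Name, Salary, JobPerformance with per-value classifications) are constructed sample data, and the rule that a tuple is hidden entirely when its key attribute is classified above the clearance, with TC recomputed from the values that remain visible, is an assumption of this example.

```python
LEVEL = {"U": 0, "C": 1, "S": 2, "TS": 3}   # TS >= S >= C >= U


def can_read(subject_class: str, object_class: str) -> bool:
    """Simple security condition: S may read O iff class(O) <= class(S)."""
    return LEVEL[object_class] <= LEVEL[subject_class]


def can_write(subject_class: str, object_class: str) -> bool:
    """*-property: S may write O iff class(S) <= class(O), so never write down."""
    return LEVEL[subject_class] <= LEVEL[object_class]


def check_access(subject_class: str, object_class: str, op: str) -> bool:
    """Decision for a single read or write request."""
    if op == "read":
        return can_read(subject_class, object_class)
    if op == "write":
        return can_write(subject_class, object_class)
    raise ValueError(f"unknown operation {op!r}")


# Multilevel relation EMPLOYEE(Name, C1, Salary, C2, JobPerformance, C3, TC):
# each attribute value is stored as (value, classification); TC classifies the tuple.
# Constructed sample data; the first attribute is the key.
ATTRS = ("Name", "Salary", "JobPerformance")
EMPLOYEE = [
    {"Name": ("Smith", "U"), "Salary": (40000, "C"), "JobPerformance": ("Fair", "S"), "TC": "S"},
    {"Name": ("Brown", "C"), "Salary": (80000, "S"), "JobPerformance": ("Good", "C"), "TC": "S"},
]


def filter_relation(relation, clearance: str):
    """The view of the relation that a subject with the given clearance may read.

    Values classified above the clearance are replaced by None (NULL); a tuple whose
    key attribute is above the clearance is omitted entirely (assumed rule), and TC
    becomes the highest classification still visible in the tuple."""
    visible = []
    for t in relation:
        _, key_class = t[ATTRS[0]]
        if not can_read(clearance, key_class):
            continue
        row, shown = {}, []
        for a in ATTRS:
            value, cls = t[a]
            if can_read(clearance, cls):
                row[a] = value
                shown.append(cls)
            else:
                row[a] = None
        row["TC"] = max(shown, key=LEVEL.__getitem__)
        visible.append(row)
    return visible


if __name__ == "__main__":
    for clearance in ("U", "C", "S", "TS"):
        print(clearance, filter_relation(EMPLOYEE, clearance))
```

Note that a C-cleared subject sees both tuples with some NULLs, while a U-cleared subject never learns that Brown exists at all; the *-property check is what stops that C-cleared subject from copying Smith's Salary into a U-classified object.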

Role-Based Access Control

• Permissions are associated with roles, and users are assigned to appropriate roles.
• Roles can be created using the CREATE ROLE and DESTROY ROLE commands.
• The GRANT and REVOKE commands discussed under DAC can then be used to assign and revoke privileges from roles.

Introduction to Statistical Database Security
• Statistical databases are used mainly to produce statistics about various populations.
• The database may contain confidential data about individuals, which should be protected from user access.
• However, users are permitted to retrieve statistical information about the populations, such as averages, sums, counts, maximums, minimums, and standard deviations.
• Techniques have been developed to protect the privacy of individual information.
• Consider the example of a PERSON relation with the attributes Name, Ssn, Income, Address, City, State, Zip, Sex, and Last_degree.
A population is a set of tuples of a relation (table) that satisfy some selection condition.
• Hence, each selection condition on the PERSON relation will specify a particular population of PERSON tuples. For example, the condition Sex = ‘M’ specifies the male population; the condition ((Sex = ‘F’) AND (Last_degree = ‘M.S.’ OR Last_degree = ‘Ph.D.’)) specifies the female population that has an M.S. or Ph.D. degree as their highest degree; and the condition City = ‘Houston’ specifies the population that lives in Houston.
• Statistical queries involve applying statistical functions to a population of tuples.
• For example, we may want to retrieve the number of individuals in a population or the average income in the population.
• However, statistical users are not allowed to retrieve individual data, such as the income of a specific person.
• Statistical database security techniques must prohibit the retrieval of individual data. This can be achieved by prohibiting queries that retrieve attribute values and by allowing only queries that involve statistical aggregate functions such as COUNT, SUM, MIN, MAX, AVERAGE, and STANDARD DEVIATION. Such queries are sometimes called statistical queries.
It is the responsibility of a database management system to ensure the confidentiality of information about individuals, while still providing useful statistical summaries of data about those individuals to users. Provision of privacy protection of users in a statistical database is paramount; its violation is illustrated in the following example.

In some cases it is possible to infer the values of individual tuples from a sequence of statistical queries. This is particularly true when the conditions result in a population consisting of a small number of tuples. As an illustration, consider the following statistical queries:

Q1: SELECT COUNT (*) FROM PERSON WHERE <condition>;

Q2: SELECT AVG (Income) FROM PERSON WHERE <condition>;
Now suppose that we are interested in finding the Salary of Jane Smith, and we know that she has a Ph.D. degree and that she lives in the city of Bellaire, Texas. We issue the statistical query Q1 with the following condition:

(Last_degree=‘Ph.D.’ AND Sex=‘F’ AND City=‘Bellaire’ AND State=‘Texas’)

If we get a result of 1 for this query, we can issue Q2 with the same condition and find the Salary of Jane Smith. Even if the result of Q1 on the preceding condition is not 1 but is a small number, say 2 or 3, we can issue statistical queries using the functions MAX, MIN, and AVERAGE to identify the possible range of values for the Salary of Jane Smith.
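The inference problem just described, together with the statistical-query restriction from the earlier slide, as an added example that is not part of the slides: a small PERSON table in SQLite, a query interface that accepts only aggregate functions over whitelisted attributes, and a query-set-size control that refuses to answer when the selected population (or its complement) is too small to hide an individual. The six PERSON rows are constructed, fictional data following the slide's schema; the threshold MIN_QUERY_SET = 2 and the choice of query-set-size control as the countermeasure are assumptions of this example.

```python
import sqlite3

# Constructed, fictional PERSON rows following the slides' PERSON schema.
ROWS = [
    ("Jane Smith", "000-00-0001", 96000, "1 Elm St", "Bellaire", "Texas", "77401", "F", "Ph.D."),
    ("Ann Lee",    "000-00-0002", 60000, "2 Oak St", "Houston",  "Texas", "77002", "F", "M.S."),
    ("Bob Ray",    "000-00-0003", 52000, "3 Ash St", "Bellaire", "Texas", "77401", "M", "B.S."),
    ("Carl Diaz",  "000-00-0004", 72000, "4 Fir St", "Houston",  "Texas", "77002", "M", "Ph.D."),
    ("Dana Wu",    "000-00-0005", 90000, "5 Ivy St", "Houston",  "Texas", "77002", "F", "Ph.D."),
    ("Eve Park",   "000-00-0006", 48000, "6 Bay St", "Houston",  "Texas", "77002", "M", "B.S."),
]
COLUMNS = ("Name", "Ssn", "Income", "Address", "City", "State", "Zip", "Sex", "Last_degree")
AGGREGATES = {"COUNT", "SUM", "AVG", "MIN", "MAX"}
# Assumed policy value: a population must have at least MIN_QUERY_SET tuples and
# at most N - MIN_QUERY_SET, so that neither it nor its complement isolates someone.
MIN_QUERY_SET = 2


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE PERSON (%s)" % ", ".join(COLUMNS))
    conn.executemany("INSERT INTO PERSON VALUES (%s)" % ", ".join("?" * len(COLUMNS)), ROWS)
    return conn


def where_clause(condition):
    """condition is {attribute: value}. Attribute names are whitelisted against the
    schema and values are bound as parameters, so the clause cannot be injected."""
    unknown = set(condition) - set(COLUMNS)
    if unknown:
        raise ValueError(f"unknown attribute(s): {sorted(unknown)}")
    sql = " AND ".join(f"{col} = ?" for col in condition) or "1 = 1"
    return sql, tuple(condition.values())


def statistical_query(conn, func, attr, condition):
    """Answer func(attr) over the population selected by condition.

    Returns None when the query-set-size control rejects the query; raises
    ValueError for anything that is not an aggregate over a schema attribute."""
    func = func.upper()
    if func not in AGGREGATES or (attr == "*" and func != "COUNT") or (attr != "*" and attr not in COLUMNS):
        raise ValueError("only aggregate functions over schema attributes are permitted")
    where, params = where_clause(condition)
    (n,) = conn.execute(f"SELECT COUNT(*) FROM PERSON WHERE {where}", params).fetchone()
    (total,) = conn.execute("SELECT COUNT(*) FROM PERSON").fetchone()
    if n < MIN_QUERY_SET or n > total - MIN_QUERY_SET:
        return None   # population (or its complement) too small: answering would expose individuals
    (value,) = conn.execute(f"SELECT {func}({attr}) FROM PERSON WHERE {where}", params).fetchone()
    return value


def demo():
    conn = build_db()
    # The Q1/Q2 condition from the slide: it selects exactly one tuple, so both are refused.
    target = {"Last_degree": "Ph.D.", "Sex": "F", "City": "Bellaire", "State": "Texas"}
    return {
        "q1_target": statistical_query(conn, "COUNT", "*", target),
        "q2_target": statistical_query(conn, "AVG", "Income", target),
        "avg_houston": statistical_query(conn, "AVG", "Income", {"City": "Houston"}),
        "count_female": statistical_query(conn, "COUNT", "*", {"Sex": "F"}),
        "avg_texas": statistical_query(conn, "AVG", "Income", {"State": "Texas"}),  # whole table
    }


if __name__ == "__main__":
    print(demo())
```

The Houston and Sex = 'F' populations are large enough to answer, while the whole-table query is refused as well: with AVG over all of Texas and AVG over everyone but Jane Smith, her Income would follow by subtraction. A size threshold alone does not stop every sequence of overlapping queries, which is why the slides also mention MAX/MIN/AVERAGE combinations; it is the first control a statistical interface should have, not the last.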
