
Lab 12

The document discusses authorization in SQL and data control language. It describes how to create users and manage access privileges using commands like GRANT and REVOKE. The lab task involves creating users, assigning privileges on tables to users, and revoking some privileges.

Department of Mathematics

CS220: Database Systems

Class: BS Mathematics Semester 4


Lab 12: Authorization in SQL/DCL

Date: June 2nd, 2021


Time: 02:00-05:00
Instructor: Ms. Naheeda Parveen

Lab Engineer: Sundas Dawood


Lab 12: Authorization in SQL/DCL
Introduction
Authorization falls under the DCL part of SQL. DCL is the Data Control Language, which controls
user access to database objects.

Objectives
After performing this lab, students will be able to define users and manage their access to
database objects.

Tools/Software Requirement
• MySQL Community Server 5.6
• MySQL Workbench 6.1

Description
Read the following description and execute the example commands to understand the concept.
Create the users that are referred to in the example and in the lab task using the following SQL
statement:

CREATE USER x;   -- where x is the user name

If you want to create a user and assign a password to the user, the following syntax is used:

CREATE USER x IDENTIFIED BY 'password';

Privileges

Privileges control access to the data and restrict the actions users can perform. Through proper
privileges, users can create, drop, or modify objects in their own schema or in another user’s
schema. Privileges also determine what data a user should have access to.

Privileges can be assigned directly to the user using the GRANT privilege command.

GRANT {privilegeList | ALL [PRIVILEGES]}
ON ObjectName
TO {AuthorizationIdList | PUBLIC}
[WITH GRANT OPTION]

The privileges list is as follows:

SELECT [(columnName [,...])]

DELETE

INSERT [(columnName [,...])]

UPDATE [(columnName [,...])]

REFERENCES [(columnName [,...])]

USAGE

The ALL PRIVILEGES keyword grants all privileges to the user except the ability to grant
privileges to other users. The PUBLIC keyword grants access to all users (present and future) of
the database. The WITH GRANT OPTION allows users to grant privileges to other users. A user
can only grant privileges that they themselves hold.

There are two types of privileges:

Object privileges

Object privileges are granted on a specific object. The owner of the object has all the privileges
on the object. The privileges can be on data (to read, modify, delete, add, or reference), on a
program (to execute), or to modify an object (to change the structure).

System privileges

System privileges are the privileges that enable the user to perform an action on any schema in
the database. They do not specify an object, but are granted at the database level. Like object
privileges, system privileges also can be granted to a user. They are usually granted by DBA.
Both system privileges and object privileges can be granted to a role.

PUBLIC is a user group defined in the database; it is not a database user or a role. Every user in
the database belongs to this group. So if privileges are granted to PUBLIC, they are available to
all users of the database.

Granting Object Privileges

Suppose user AHMED owns tables CUSTOMER (Customer_ID, Name, Address) and ORDER
(Order_ID, Date, Customer_ID). AHMED wants to grant read and update privileges on the
CUSTOMER table to user YASIR. When multiple privileges are specified, they are separated by
commas:

GRANT SELECT, UPDATE ON CUSTOMER TO YASIR;


The INSERT and UPDATE privileges can also be granted on specific columns:

GRANT INSERT(Customer_id, Name), DELETE ON CUSTOMER
TO YASIR WITH GRANT OPTION;

The WITH GRANT OPTION clause allows YASIR to grant the privileges to others.

Note: Create necessary tables in the database to execute above statements.

Allow all users to query the Dept relation:

GRANT SELECT ON dept TO PUBLIC;

Only allow users Manager and Director to access and change Salary in Emp:

GRANT SELECT, UPDATE(salary) ON Emp TO Manager,Director;

Allow the Director full access to Proj and the ability to grant privileges to other users:

GRANT ALL PRIVILEGES ON Proj TO Director WITH GRANT OPTION;

Revoking privileges

Object privileges and system privileges can be revoked from a user by using the REVOKE
statement. To revoke the UPDATE privilege that AHMED granted to YASIR on AHMED's
CUSTOMER table:

REVOKE UPDATE ON CUSTOMER FROM YASIR;

If the same privilege was granted twice to the same user by different grantors, the user may
retain the privilege after the revocation. All privileges that depend on the privilege being revoked
are also revoked.

In MySQL Workbench, you first need root (admin) access to hold ALL privileges on the
database. If you are using your own laptop, on which you installed Workbench yourself with
admin rights and your own username and password, you will have no problem executing the
GRANT and REVOKE commands.

However, in the lab you do not have root access to the database. In this case, you connect to
Workbench as a user of the system with a username and password. The connection you make
is based on the user credentials. Check your connection first and then start the lab.
Carefully observe the connections given below. They include the root user and other users
created on the system.

If you have root access, you can create users with the syntax below.

create user u1 identified by 'abc';

To check all the users present in the system you can execute the following command.

select user from mysql.user;

Now create a view on the table employees and grant privileges to users.

create view myView
as select employee_id
from employees;

Grant select on myView to user2;

GRANT SELECT, UPDATE(first_name) ON employees TO user2;

You can check the permissions for a user using the following command.

show grants for u3;

-- Create a new user u3. Check his already assigned rights. Assign him delete rights on a table.

create user u3 identified by 'abc';

grant select on employees to u3;

GRANT ALL PRIVILEGES ON *.* TO u3;

The object is written as database.table; the *.* notation applies the grant to all databases and all tables.
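
The following added example is not part of the original lab handout. It reworks the Emp salary grant above for MySQL with the privileges scoped to one table instead of *.*, then shows how to verify and revoke them; the lab12 schema, emp table, account names and passwords are constructed placeholders.

```sql
-- Added example; schema, table, accounts and passwords are constructed placeholders.
-- MySQL has no PUBLIC grantee, so each account is named explicitly as 'user'@'host'.
CREATE DATABASE IF NOT EXISTS lab12;
USE lab12;
CREATE TABLE IF NOT EXISTS emp (
    emp_id INT PRIMARY KEY,
    name   VARCHAR(50),
    salary DECIMAL(10,2)
);

CREATE USER 'manager'@'localhost'  IDENTIFIED BY 'placeholder-pw-1';
CREATE USER 'director'@'localhost' IDENTIFIED BY 'placeholder-pw-2';

-- Scoped grants: both can read emp but change only the salary column.
-- Only director may pass these privileges on.
GRANT SELECT, UPDATE (salary) ON lab12.emp TO 'manager'@'localhost';
GRANT SELECT, UPDATE (salary) ON lab12.emp TO 'director'@'localhost'
    WITH GRANT OPTION;

-- Verify what was actually granted.
SHOW GRANTS FOR 'manager'@'localhost';

SELECT grantee, table_name, privilege_type, is_grantable
FROM information_schema.table_privileges
WHERE table_schema = 'lab12';

SELECT grantee, table_name, column_name, privilege_type
FROM information_schema.column_privileges
WHERE table_schema = 'lab12';

-- Audit: list accounts that hold global (*.*) privileges
-- (what GRANT ... ON *.* produces). USAGE means "no privileges".
SELECT grantee, privilege_type, is_grantable
FROM information_schema.user_privileges
WHERE privilege_type <> 'USAGE'
ORDER BY grantee;

-- Revoke and re-check: manager keeps SELECT, loses UPDATE(salary);
-- director keeps the privileges but can no longer grant them.
REVOKE UPDATE (salary) ON lab12.emp FROM 'manager'@'localhost';
REVOKE GRANT OPTION ON lab12.emp FROM 'director'@'localhost';
SHOW GRANTS FOR 'manager'@'localhost';
SHOW GRANTS FOR 'director'@'localhost';

-- Clean up the constructed accounts and schema.
DROP USER 'manager'@'localhost', 'director'@'localhost';
DROP DATABASE lab12;
```

Run it from a connection that holds CREATE USER and the GRANT OPTION, such as root.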

Privileges give users the right to perform operations on database objects. The privileges are:

• SELECT: the user can retrieve data from the table
• INSERT: the user can insert data into the table
• UPDATE: the user can modify data in the table
• DELETE: the user can delete data (rows) from the table
• REFERENCES: the ability to reference columns of a named table in integrity constraints
• USAGE: the ability to use domains, character sets, and translations (i.e. other database objects
besides tables)

Notes:

INSERT and UPDATE can be restricted to certain columns.

When a user creates a table, they become the owner and have full privileges on the table.
Lab Task
1. Read the concept and syntax details of DCL including GRANT, REVOKE options and
practice them. (http://dev.mysql.com/doc/refman/5.7/en/grant.html,
http://dev.mysql.com/doc/refman/5.7/en/revoke.html)
2. Write and execute the SQL statements to grant select, update (only on address) and delete
privileges on CUSTOMER table (create schema first) to ASAD and SOFIA. Also grant
select, insert and update privileges on ORDER to ASAD. SOFIA should also be able to
grant her privileges to others.
3. Create users John and Smith. Use the syntax (*.*, database.*) to assign global level and
database level privileges to users that have been created. Assign select privilege to both
users for all tables of a database. After assigning the privileges, use the revoke command
to revoke a few of the assigned privileges. Test whether the privileges have been actually
assigned and revoked from the user.
4. Create two users, user1 and user2, first and check their separate connections like the ones
given below.
Now create some tables for both users using each connection. Grant and revoke rights
to these users and check the permissions accordingly.

Deliverable
Submit the PDF/Word file containing the queries as well as the execution screenshots on Teams.
