|
|
|
|
|
|
Access Security
Through the advanced security facilities of Mimer SQL, the database can be protected from any unauthorized access. Database privileges authorize users to perform certain SQL operations, such as insert, update, or delete, on selected database objects. The extremely flexible security system provided by Mimer SQL enables data to be protected down to a single element (row/column); allowing you to precisely enforce database security policies, ensuring users have only the privileges they need.
A unique feature of Mimer SQL is the "role concept", where the access rights for a user can be increased under password protection. The role concept allows Mimer SQL's security system to distinguish between users who are accessing the database from the controlled environment of an application, and users who are using ad-hoc tools. Mimer SQL provides the role concept through the PROGRAM ident.
By utilizing Mimer SQL's advanced facilities for access control and security much coding in applications is avoided and all applications utilize a consistent set of controls.
Within Mimer SQL an Ident is an authorized user of the system. It can also be a collective identity of a group of users sharing common privileges. Four types of idents are supported:
- USER idents - authorized to log on to Mimer SQL. User idents are generally associated with specific individuals authorized to use the system.
- OS_USER idents - a type of User ident with the same user name as in the Operating System. If a user who has logged onto the Operating System is also defined to Mimer SQL as an OS_USER, then that user may log into Mimer SQL without providing an additional user name and password. This is sometimes referred to as integrated login.
- PROGRAM idents - may not log directly onto Mimer SQL, but instead an ident who has already logged on may adopt the role of a Program ident by using the ENTER statement. Typically, a user is given EXECUTE privilege on a Program Ident and the ENTER statement is performed by the application code. Once a Program ident is entered, the privileges held by the Program ident apply. Program idents are generally associated with specific functions like running an application, rather than with physical individuals. This allows end users to carry out updates to the data in the controlled environment of an application, without being able to do the same using an interactive tool. The use of Program Idents can significantly reduce the burden of security management.
- GROUP idents - are collective identities for groups of idents. Any privileges granted to or revoked from a Group ident automatically apply to all members of the Group. Group idents provide a facility for organizing the privilege structure in the database system.
When an Ident connects to Mimer SQL in a client/server environment, the password for the ident is encrypted on the client side. This means that only encrypted passwords are sent over the network, to assure that no unauthorized users can get a hold on a password by tapping the network.
Each ident is given privileges within the system defining the operations that ident is allowed to perform. An ident receiving a privilege 'WITH GRANT OPTION' may pass the privilege on to another ident.
System privileges give the right to create global objects within the database:
- BACKUP - gives the right to perform databank backup and restore operations
- DATABANK - gives the right to create databanks
- IDENT - gives the right to create idents
- SCHEMA - give the right to create schema
- SHADOW - gives the right to create and manage databank shadows
- STATISTICS - gives the right to execute the UPDATE STATISTICS statement
Object privileges give rights over certain specified objects in the system. Mimer SQL supports the following object privileges:
- TABLE - gives the right to create tables in a given databank
- EXECUTE - gives the right to execute a specified stored routine, or to enter a given program ident
- MEMBER - grants membership in a specified group ident
- USAGE - gives the right to use a given domain or a specified sequence
Object privileges are initially granted only to the creator of the object. Their grantor may revoke privileges.
Access privileges give rights of access to the contents of a specified table or view. There are five access privileges:
- SELECT - gives the right to read the table or view contents
- INSERT - gives the right to add new rows to the table or view
- DELETE - gives the right to remove rows from the table or view
- UPDATE - gives the right to update existing rows in the table or view
- REFERENCES - gives the right to use the primary or unique key of the table as a foreign key from another table
Access privileges are initially granted only to the creator of the table or view. The privilege may be passed on to other idents with or without grant option
 Upright Database Technology AB Voice: +46 18 780 92 00 Fax: +46 18 780 92 40 dbtechnology@upright.se |
|
|
|
|
|
|