1 access control. 2 grant statement 3 access control grant statement grant statement may be used by...

1

Access controlAccess control

2

Access controlAccess control

• GRANT statement• GRANT statement

3

Access controlAccess control

• GRANT statement

GRANT statement may be used by

a user to authorise various kinds

of access to his/her tables by another

user or class of users

• GRANT statement

GRANT statement may be used by

a user to authorise various kinds

of access to his/her tables by another

user or class of users

4

Access controlAccess control

• Syntax

GRANT

• Syntax

GRANT ALL<list of privileges>

5

Access controlAccess control

• Syntax

GRANT ON

• Syntax

GRANT ONALL<list of privileges>

<table name><view name>

6

Access controlAccess control

• Syntax

GRANT ON

TO

• Syntax

GRANT ON

TO

ALL<list of privileges>

<table name><view name>

PUBLIC<list of users>

7

Access controlAccess control

• Syntax

GRANT ON

TO [WITH GRANT OPTION];

• Syntax

GRANT ON

TO [WITH GRANT OPTION];

ALL<list of privileges>

<table name><view name>

PUBLIC<list of users>

8

Access controlAccess control

• Privileges• Privileges

9

Access controlAccess control

• Privileges

SELECTGrantee is allowed to select data from a table determined by a grantor

• Privileges

SELECTGrantee is allowed to select data from a table determined by a grantor

10

Access controlAccess control

• Privileges

SELECTGrantee is allowed to selected data from a table determined by a grantor

DELETEGrantee is allowed to delete data from a table determined by a grantor

• Privileges

SELECTGrantee is allowed to selected data from a table determined by a grantor

DELETEGrantee is allowed to delete data from a table determined by a grantor

11

Access controlAccess control

• Privileges

SELECTGrantee is allowed to selected data from a table determined by a grantor

DELETEGrantee is allowed to delete data from a table determined by a grantor

INSERTGrantee is allowed to insert data into a table determined by a grantor

• Privileges

SELECTGrantee is allowed to selected data from a table determined by a grantor

DELETEGrantee is allowed to delete data from a table determined by a grantor

INSERTGrantee is allowed to insert data into a table determined by a grantor

12

Access controlAccess control

• Privileges

SELECTGrantee is allowed to selected data from a table determined by a grantor

DELETEGrantee is allowed to delete data from a table determined by a grantor

INSERTGrantee is allowed to insert data into a table determined by a grantor

• Privileges

SELECTGrantee is allowed to selected data from a table determined by a grantor

DELETEGrantee is allowed to delete data from a table determined by a grantor

INSERTGrantee is allowed to insert data into a table determined by a grantor

13

Access controlAccess control

• Privileges

UPDATE [<list of columns>]Grantee is allowed to update the columns from a table determined by a grantor

• Privileges

UPDATE [<list of columns>]Grantee is allowed to update the columns from a table determined by a grantor

14

Access controlAccess control

• Privileges

UPDATE [<list of columns>]Grantee is allowed to update the columns from a table determined by a grantor

REFERENCES [<list of columns]Grantee is allowed to reference the columns from a table specified by a grantor

• Privileges

UPDATE [<list of columns>]Grantee is allowed to update the columns from a table determined by a grantor

REFERENCES [<list of columns]Grantee is allowed to reference the columns from a table specified by a grantor

15

Access controlAccess control

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

16

Access controlAccess control

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

privilege

17

Access controlAccess control

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

privilege

table (view) name

18

Access controlAccess control

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

privilege

table (view) name

user

19

Access controlAccess control

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

Then user Janusz can say: SELECT * FROM Scott.Supplier;

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

Then user Janusz can say: SELECT * FROM Scott.Supplier;

20

Access controlAccess control

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

Then user Janusz can say: SELECT * FROM Scott.Supplier;

• Granting privileges

User Scott says:GRANT SELECT ON Supplier TO Janusz;

Then user Janusz can say: SELECT * FROM Scott.Supplier;

user.table

21

Access controlAccess control

• Granting privileges

User Janusz says:CREATE SYNONYM Ssupplier

FOR Scott.Supplier;

• Granting privileges

User Janusz says:CREATE SYNONYM Ssupplier

FOR Scott.Supplier;

22

Access controlAccess control

• Granting privileges

User Janusz says:CREATE SYNONYM Ssupplier

FOR Scott.Supplier;

Then user Janusz can say:SELECT * FROM Ssupplier;

• Granting privileges

User Janusz says:CREATE SYNONYM Ssupplier

FOR Scott.Supplier;

Then user Janusz can say:SELECT * FROM Ssupplier;

23

Access controlAccess control

• Granting privileges

User Scott says:GRANT UPDATE pname, price ON Part

TO Janusz;

• Granting privileges

User Scott says:GRANT UPDATE pname, price ON Part

TO Janusz;

24

Access controlAccess control

• Granting privileges

User Scott says:GRANT UPDATE pname, price ON Part

TO Janusz;

Then user Janusz can say:UPDATE Scott.Part SET price = price + 10

WHERE pname =‘bolt’;

• Granting privileges

User Scott says:GRANT UPDATE pname, price ON Part

TO Janusz;

Then user Janusz can say:UPDATE Scott.Part SET price = price + 10

WHERE pname =‘bolt’;

25

Access controlAccess control

• Granting privileges

User Scott says:GRANT ALL ON Supplier TO PUBLIC;

• Granting privileges

User Scott says:GRANT ALL ON Supplier TO PUBLIC;

26

Access controlAccess control

• Granting privileges

User Scott says:GRANT ALL ON Supplier TO PUBLIC;

Then anyone can say:SELECT * FROM Scott.Supplier;

UPDATE Scott.Part SET price = price + 10

WHERE pname =‘bolt’;

INSERT INTO Scott.Supplier VALUES( ... );

DELETE FROM Scott.Supplier;

• Granting privileges

User Scott says:GRANT ALL ON Supplier TO PUBLIC;

Then anyone can say:SELECT * FROM Scott.Supplier;

UPDATE Scott.Part SET price = price + 10

WHERE pname =‘bolt’;

INSERT INTO Scott.Supplier VALUES( ... );

DELETE FROM Scott.Supplier;

27

Access controlAccess control

• Granting privileges

User Scott says:GRANT REFERENCE s# ON Supplier

TO Janusz;

• Granting privileges

User Scott says:GRANT REFERENCE s# ON Supplier

TO Janusz;

28

Access controlAccess control

• Granting privileges

User Scott says:GRANT REFERENCE s# ON Supplier

TO Janusz;

Then user Janusz can say:CREATE TABLE MySP( s# …

CONSTRAINT MySP_fkey FOREIGN KEY(s#) REFERENCES Scott.SP(s#);

• Granting privileges

User Scott says:GRANT REFERENCE s# ON Supplier

TO Janusz;

Then user Janusz can say:CREATE TABLE MySP( s# …

CONSTRAINT MySP_fkey FOREIGN KEY(s#) REFERENCES Scott.SP(s#);

29

Access controlAccess control

• Granting privileges

User Scott says:GRANT REFERENCE s# ON Supplier

TO Janusz;

Then user Janusz can say:CREATE TABLE MySP( s# …

CONSTRAINT MySP_fkey FOREIGN KEY(s#) REFERENCES Scott.SP(s#);

• Granting privileges

User Scott says:GRANT REFERENCE s# ON Supplier

TO Janusz;

Then user Janusz can say:CREATE TABLE MySP( s# …

CONSTRAINT MySP_fkey FOREIGN KEY(s#) REFERENCES Scott.SP(s#);

30

Access controlAccess control

• Granting privileges

User Scott says:CREATE VIEW SuppliersFrom London AS

SELECT *

FROM Supplier

WHERE city = ‘London;

• Granting privileges

User Scott says:CREATE VIEW SuppliersFrom London AS

SELECT *

FROM Supplier

WHERE city = ‘London;

31

Access controlAccess control

• Granting privileges

User Scott says:CREATE VIEW SuppliersFromLondon AS

SELECT *

FROM Supplier

WHERE city = ‘London;

GRANT DELETE ON SuppliersFromLondon TO Janusz;

• Granting privileges

User Scott says:CREATE VIEW SuppliersFromLondon AS

SELECT *

FROM Supplier

WHERE city = ‘London;

GRANT DELETE ON SuppliersFromLondon TO Janusz;

32

Access controlAccess control

• Granting privileges

Then user Janusz can say:DELETE FROM Scott.SuppliersFromLondon

WHERE dob < ‘1-JAN-38’;

• Granting privileges

Then user Janusz can say:DELETE FROM Scott.SuppliersFromLondon

WHERE dob < ‘1-JAN-38’;

33

Access controlAccess control

• Granting privileges

User Scott says:CREATE VIEW PartShort AS

SELECT p#, pname

FROM Part;

• Granting privileges

User Scott says:CREATE VIEW PartShort AS

SELECT p#, pname

FROM Part;

34

Access controlAccess control

• Granting privileges

User Scott says:CREATE VIEW PartShort AS

SELECT p#, pname

FROM Part;

GRANT SELECT ON PartShort TO Janusz;

• Granting privileges

User Scott says:CREATE VIEW PartShort AS

SELECT p#, pname

FROM Part;

GRANT SELECT ON PartShort TO Janusz;

35

Access controlAccess control

• Granting privileges

Then user Janusz can say:SELECT p#

FROM Scott.PartShort

WHERE pname = ‘bolt’;

• Granting privileges

Then user Janusz can say:SELECT p#

FROM Scott.PartShort

WHERE pname = ‘bolt’;

36

Access controlAccess control

• Grant propagation• Grant propagation

37

Access controlAccess control

• Grant propagation

User Scott says:GRANT SELECT ON SP TO JK02

• Grant propagation

User Scott says:GRANT SELECT ON SP TO JK02

38

Access controlAccess control

• Grant propagation

User Scott says:GRANT SELECT ON SP TO JK02

WITH GRANT OPTION;

• Grant propagation

User Scott says:GRANT SELECT ON SP TO JK02

WITH GRANT OPTION;

39

Access controlAccess control

• Grant propagation

User Scott says:GRANT SELECT ON SP TO JK02

WITH GRANT OPTION;

Then user JK02 says:CREATE VIEW SPShort AS

SELECT s#, p#

FROM SP;

• Grant propagation

User Scott says:GRANT SELECT ON SP TO JK02

WITH GRANT OPTION;

Then user JK02 says:CREATE VIEW SPShort AS

SELECT s#, p#

FROM SP;

40

Access controlAccess control

• Grant propagation

User Scott says:GRANT SELECT ON SP TO JK02

WITH GRANT OPTION;

Then user JK02 says:CREATE VIEW SPShort AS

SELECT s#, p#

FROM SP;

GRANT SELECT ON SPShort TO Janusz;

• Grant propagation

User Scott says:GRANT SELECT ON SP TO JK02

WITH GRANT OPTION;

Then user JK02 says:CREATE VIEW SPShort AS

SELECT s#, p#

FROM SP;

GRANT SELECT ON SPShort TO Janusz;

41

Access controlAccess control

• Grant propagation

Then user Janusz can say:SELECT *

FROM JK02.SPShort;

• Grant propagation

Then user Janusz can say:SELECT *

FROM JK02.SPShort;

42

Access controlAccess control

• Grant propagation

Then user Janusz can say:SELECT *

FROM JK02.SPShort;

User Janusz can’t say:GRANT SELECT ON SPShort TO Greg;

• Grant propagation

Then user Janusz can say:SELECT *

FROM JK02.SPShort;

User Janusz can’t say:GRANT SELECT ON SPShort TO Greg;

43

Access controlAccess control

• REVOKE statement• REVOKE statement

44

Access controlAccess control

• REVOKE statement

REVOKE statement may be used to revoke

a subset privileges granted to a user

• REVOKE statement

REVOKE statement may be used to revoke

a subset privileges granted to a user

45

Access controlAccess control

• Syntax

REVOKE ON

FROM ;

• Syntax

REVOKE ON

FROM ;

ALL<list of privileges>

<table name><view name>

PUBLIC<list of users>

46

Access controlAccess control

• Revoking privileges

User Scott says:REVOKE SELECT ON SP FROM JK02 ;

• Revoking privileges

User Scott says:REVOKE SELECT ON SP FROM JK02 ;

47

Access controlAccess control

• Revoking privileges

User Scott says:REVOKE SELECT ON SP FROM JK02 ;

Then user JK02 can’t say:SELECT * FROM Scott.SP;

• Revoking privileges

User Scott says:REVOKE SELECT ON SP FROM JK02 ;

Then user JK02 can’t say:SELECT * FROM Scott.SP;

48

Access controlAccess control

• Revoking privileges

User Scott says:REVOKE SELECT ON SP FROM JK02 ;

Then user JK02 can’t say:SELECT * FROM Scott.SP;

and user Janusz can’t say:SELECT * FROM JK02.SPShort;

• Revoking privileges

User Scott says:REVOKE SELECT ON SP FROM JK02 ;

Then user JK02 can’t say:SELECT * FROM Scott.SP;

and user Janusz can’t say:SELECT * FROM JK02.SPShort;

49

Access controlAccess control

• Bibliography

P. O’Neil, Database - Principles, Programming, Performance, chapter 6.3

R. Elmasri, S.B. Navathe, Fundamentals of Database Systems, chapter 20.1, 20.2

R. K. Stephens, et al. Teach Yourself SQL in 21 Days

• Bibliography

P. O’Neil, Database - Principles, Programming, Performance, chapter 6.3

R. Elmasri, S.B. Navathe, Fundamentals of Database Systems, chapter 20.1, 20.2

R. K. Stephens, et al. Teach Yourself SQL in 21 Days