Submodule 2: Access Control for DBMS

Assignment 1
Discretionary Access Control

Created: February 6, 2004
Last Updated: February 10, 2004

Assignment version number: Version 0.1
Author of the Assignment: Author: Dr. Morris Liaw


Level of Difficulty: Moderate

Completion Time: 2weeks

Progaramming involved: No


Objectives

In this project, students will investigate the Discretionary Access Control for a company and use SQL to enforce it.

Note:

1. Discretionary Access Control is based on the concept of access rights, or privileges, and mechanism for giving users such privileges.
2. A privilege allows a user to access some data object in a certain manner (e.g., to read or to modify).
3. A user who creates a database object such as a table or a view automatically gets all applicable privileges on that object.
4. The DBMS subsequently keeps track of how these privileges are granted to other users, and possibly revoked, and ensures that at all times only users with the necessary privileges can access an object.
5. SQL supports Discretionary Access Control through the GRANT and REVOKE commands.

Description

You are the DBA for the VeryFine Toy Company, and you create a relation called Employees with fields ename, dept, and salary. For authorization reasons, you also define views EmployeeNames (with ename as the only attribute) and DeptInfo with fields dept and avgsalary. The latter lists the average salary for each depart. You are allowed to use SQL to do the project if needed.

The Project

1. Show the view definition statements for EmployeeNames and DeptInfo.
2. What privileges should be granted to a user who needs to know only average department salaries for the Toy and CS departments?
3. You want to authorize your assistant to five people (you will probably tell him who to fire, but you want to be able to delegate this task), to check on who is an employee, and to check on average department salaries. What privileges should you grant?
4. Continuing with the preceding scenario, you want your assistant to be able to look at the salaries of individuals. Does your answer to the previous question ensure this? Be specific: Can your assistant possibly find out salaries of some individuals (depending on the actual set of tuples), or can your assistant always find out the salary of any individual that he wants to?
5. You want to give your assistant the authority to allow other people to read the EmployeeNames view. Show the appropriate commands.
6. Your assistant defines two new views using the EmployeeNames view. The first is called AtoRNames and simply selects names that begin with a letter in the range A to R. The second view is called HowManyNames and counts the number of names. You are so pleased with this achievement that you decide to give your assistant the right to insert tuples into the EmployeeName view. Show the appropriate command, and describe what privileges your assistant has after this command is executed.
7. Your assistant allows Todd to read the EmployeeNames relation and later quits. You then revoke the assistant's privileges. What happens to Todd's privileges?
8. Give an example of a view update on the above schema that cannot be implemented through updates to Employees.
9. You decide to go on an extended vacation, and to make sure that emergencies can be handled, you want to authorize your boss Joe to read and modify the Employees relation and the EmployeeName relation (and Joe must be able to delegate authority, of course, since he is too far up the management hierarchy to actually do any work). Show the appropriate SQL statements. Can Joe read DeptInfo view?
10. After returning from your (wonderful) vacation, you see a note from Joe, indicating that he authorized his assistant Mike to read the Employees relation. You want to revoke Mike's SELECT privilege on Employees, but you don't want to revoke the rights that you gave to Joe, even temporarily. Can you do this in SQL?
11. Later you realize that Joe has been quite busy. He has defined a view called AllNames using the view EmployNames, defined another relation called StaffNames that he has access to (but that you cannot access), and given his assistant Mike the right to read from the AllNames view. Mike has passed this right on to his friend Susan. You decide that even at the cost of annoying Joe by revoking some of his privileges, you simply have to take away Mike and Susan's rights to see your data. What REVOKE statement would you execute? What rights does Joe have on Employees after this statement is executed? What views are dropped as a consequence?

Resources

Books
Articles
Links

Glossary

Privilege
-- Abandoned
-- Descriptor
User
Subject
Object
Grant
Revoke
Authorization
-- Graph
-- Role-based