Permission Management - Part 1
CT069-3-3-DBS (VE1.0)
Topic 4
Learning Outcomes
Developers
People
• Individuals who have been granted privileges and permissions to
access applications, networks, servers, databases, data files and
data.
How to Secure
• Establishment of security policies/procedures
• Physical limits on access to HW and documents
• Training on the importance of security and how to protect
information assets
• Authentication & Authorization of Users
Authentication
• Determines whether users are who they claim to be. If the account exists, the user is allowed to connect.
• Implemented using several types/techniques – single factor (password), 2FA, SSO, MFA. Challenges the user to validate credentials (for example, through passwords, answers to security questions, or facial recognition).
Authorization
• Determines which objects users can and cannot access and manipulate. 4 levels of access – View, Add, Update and Delete.
• Implemented through policies and rules, by configuring the id, the objects that the id can access and the actions that the id can perform on the object.
Besides the common way of creating a SQL login and then a SQL user,
we can also shorten the steps by creating only the SQL user without
creating the SQL login. This is usually done for testing purposes.
• Server
• Database
• Schema
• Table, View
• Column
Managers, Clerks | Deny | Column: <table name> (<column names>) | Select, Insert, Update
Auditors | Grant | Database: <db name> | Select – Able to see all values but <col1> and <col2> must be masked
Ref: https://learn.microsoft.com/en-us/sql/t-sql/statements/grant-database-permissions-transact-sql?view=sql-server-ver16
Roles-Users Mapping Table
Sample table
Roles Users
DBSLab_Admins A0001
Managers M0001
Customers U100, U200
Clerks CL001, CL002
1. Subject: Can be individual users or roles who perform some activity on the
database.
2. Objects: Database units that require authorization in order to be manipulated, e.g. DB,
Table, Columns, View
3. Privileges: Any action that the subject is allowed to perform on an object,
e.g. Select, Update, Insert, Delete, Create, Drop, Alter, Execute
• Grant or Deny the permission to the roles starting with the high-level objects first
• The solution is to
• Req #1.1
– Let’s say we need to grant permission to a clerk named Sam to view all the contents in the
Customer table
– Code below shows how we can achieve the specific requirements
• Req #1.2
– Let’s say Sam and all the clerks should not be allowed to see the contents of the
passport and password columns
– Code below shows how we can achieve the specific requirements
• Req #2.1
– Let’s say we need to grant permission to a database user named John to view all
the contents in the Customer table including the ability to decrypt the password
column (assume it is encrypted with the ASYMMETRIC KEY MyAsymKey)
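The three requirements above (Req #1.1, #1.2 and #2.1) worked through as one T-SQL script. This is an added example, not code from the original slides; the scratch database PermDemo, the CustID and Name columns, the sample row, the key passphrase and the use of users without logins are assumptions.

```sql
-- Added example, not from the original slides. Assumed (constructed) values:
-- database PermDemo, columns CustID/Name, the sample row, the key passphrase.
CREATE DATABASE PermDemo;
GO
USE PermDemo;
GO
CREATE ASYMMETRIC KEY MyAsymKey WITH ALGORITHM = RSA_2048
    ENCRYPTION BY PASSWORD = N'Constructed-Passphrase-1!';
CREATE TABLE dbo.Customer (
    CustID     varchar(10) PRIMARY KEY,
    Name       nvarchar(100),
    [passport] varchar(20),
    [password] varbinary(256)   -- holds ciphertext, never plaintext
);
INSERT INTO dbo.Customer VALUES ('U100', N'Constructed Customer', 'P0000000',
    ENCRYPTBYASYMKEY(ASYMKEY_ID('MyAsymKey'), N'constructed-secret'));
-- Users without logins (the testing shortcut); Sam is a member of Clerks.
CREATE USER Sam  WITHOUT LOGIN;
CREATE USER John WITHOUT LOGIN;
CREATE ROLE Clerks;
ALTER ROLE Clerks ADD MEMBER Sam;
GO
-- Req #1.1: Sam may view the Customer table.
GRANT SELECT ON dbo.Customer TO Sam;
-- Req #1.2: column-level DENY on the role. A DENY inherited through role
-- membership overrides Sam's own table-level GRANT for these two columns.
DENY SELECT ON dbo.Customer ([passport], [password]) TO Clerks;
-- Req #2.1: John may view the table; decrypting with the key additionally
-- requires CONTROL permission on the asymmetric key.
GRANT SELECT  ON dbo.Customer TO John;
GRANT CONTROL ON ASYMMETRIC KEY::MyAsymKey TO John;
GO
-- Verify by impersonating each user.
EXECUTE AS USER = 'Sam';
SELECT CustID, Name FROM dbo.Customer;   -- columns outside the DENY
SELECT [passport]   FROM dbo.Customer;   -- column covered by the DENY
GO
REVERT;
GO
EXECUTE AS USER = 'John';
SELECT CustID, [passport],
       CONVERT(nvarchar(100), DECRYPTBYASYMKEY(ASYMKEY_ID('MyAsymKey'),
               [password], N'Constructed-Passphrase-1!')) AS password_plain
FROM dbo.Customer;
GO
REVERT;
```

The GRANT to Sam is issued before the DENY to Clerks and targets a different principal, so the two permissions coexist and the DENY decides the outcome for the protected columns.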
SQL Login
• Alter login <login name> disable
• Drop login <login name>
SQL User
• Deny connect to <db user name>
• Revoke connect to <db user name>
• Drop user <db user name>