
CSC 327 (DBMS II)

Tuesday 2nd of August, 2022
Tuesday 16th of August, 2022

Page 52 new material

1. Views and security (page 52)
2. Integrity constraints (page 54)
3. Data security (pages 4-5)
4. Security (page 77)
5. Introduction to data warehousing and data mining page
6. Distributed database (not in the material)

Views and security

What are views?

What are tables?

A table is a collection of related data held in a table format within a database. A table consists of
rows and columns.

In a database, you may not want all the information to be available to everyone, so you create
a view which imposes restrictions on what users can see.

Whenever a user views the database, they see only the selected items; that selection is the view.

The view does not create a new table; rather, it displays a virtual table.
A view is a logical or virtual table.

Definition

A view is a database object which is created over an SQL query. A view does not store any
data; rather, it is a virtual table.

How to create a view?


Note: name_db = the name given to the view (it is referred to like a table name).

    CREATE VIEW name_db AS
        query;

Table name: employee_number

ID | Name | Dob | Address | SSN | Acct_no

    -- The view needs its own name: it cannot reuse the base table's name
    -- (employee_number). employee_public is a placeholder name.
    CREATE VIEW employee_public AS
        SELECT ID, Name, Address FROM employee_number
        WHERE Name IS NOT NULL;

Advantages of views

- Security - provides security for sensitive information in a database
- Simplicity - provides a cleaner table with only the required information
- Consistency -

INTEGRITY CONSTRAINTS
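As an added example (not part of the notes), the employee view above built in SQLite through Python's sqlite3 module, using constructed rows and the placeholder view name employee_public: the view exposes only ID, Name and Address, drops rows with no name, and, because it stores no data of its own, reflects a new base-table row immediately.

```python
import sqlite3

# Constructed sample rows for the employee table from the notes:
# (ID, Name, Dob, Address, SSN, Acct_no). Row 3 has no name on purpose.
EMPLOYEES = [
    (1, "Ada", "1990-03-01", "12 Lovelace Rd", "111-22-3333", "ACC-001"),
    (2, "Bob", "1985-07-15", "9 Turing St", "444-55-6666", "ACC-002"),
    (3, None, "1992-11-30", "1 Hopper Ave", "777-88-9999", "ACC-003"),
]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (ID INTEGER PRIMARY KEY, Name TEXT, "
                 "Dob TEXT, Address TEXT, SSN TEXT, Acct_no TEXT)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?, ?, ?, ?)", EMPLOYEES)
    # The view hides SSN and Acct_no and filters out rows with a NULL name.
    conn.execute("CREATE VIEW employee_public AS "
                 "SELECT ID, Name, Address FROM employee WHERE Name IS NOT NULL")
    conn.commit()
    return conn


def view_columns(conn, name):
    """Column names a user of the view can see (name is a fixed identifier,
    never user input, so it is safe to splice into the PRAGMA)."""
    return [row[1] for row in conn.execute(f"PRAGMA table_info({name})")]


def select_all(conn, name):
    """All rows visible through the named table or view."""
    return conn.execute(f"SELECT * FROM {name}").fetchall()


if __name__ == "__main__":
    db = build_db()
    print(view_columns(db, "employee_public"))  # no SSN, no Acct_no
    print(select_all(db, "employee_public"))    # row 3 is filtered out
    # The view stores nothing: a row added to the base table shows up at once.
    db.execute("INSERT INTO employee VALUES (4, 'Cy', '1999-01-01', "
               "'5 Knuth Way', '000-00-0000', 'ACC-004')")
    print(select_all(db, "employee_public"))
```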

Constraints are rules or restrictions that are put in place.

Integrity constraints provide a means of ensuring that changes or modifications made to the database
by an authorized user do not result in a loss of data consistency.

Thus integrity constraints guard against accidental or malicious attacks on the database.

Security constraints, on the other hand, guard against accidental or malicious loss of data.
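An added example (not from the notes) of integrity constraints doing their job: a Product table and an Order table in SQLite via Python's sqlite3, with CHECK, NOT NULL and FOREIGN KEY rules, so that an authorized user's write that would leave the data inconsistent is refused by the DBMS itself. Table and column names follow the notes; the data is constructed.

```python
import sqlite3


def build_db():
    conn = sqlite3.connect(":memory:")
    # SQLite only enforces foreign keys when asked; this must be set
    # outside a transaction, which is why it runs first.
    conn.execute("PRAGMA foreign_keys = ON")
    conn.executescript("""
        CREATE TABLE Product (
            product_id    INTEGER PRIMARY KEY,
            product_price REAL NOT NULL CHECK (product_price >= 0)
        );
        -- "Order" is quoted because ORDER is an SQL keyword.
        CREATE TABLE "Order" (
            order_id   INTEGER PRIMARY KEY,
            product_id INTEGER NOT NULL REFERENCES Product(product_id),
            quantity   INTEGER NOT NULL CHECK (quantity > 0)
        );
        INSERT INTO Product VALUES (1, 320.0);
    """)
    return conn


def try_write(conn, sql, params=()):
    """Attempt one modification. Returns True if the DBMS accepted it and
    False if an integrity constraint rejected it (the change is rolled back)."""
    try:
        with conn:  # commits on success, rolls back on error
            conn.execute(sql, params)
        return True
    except sqlite3.IntegrityError:
        return False


if __name__ == "__main__":
    db = build_db()
    print(try_write(db, 'INSERT INTO "Order" VALUES (1, 1, 2)'))       # True
    print(try_write(db, 'INSERT INTO "Order" VALUES (2, 99, 1)'))      # False: no product 99
    print(try_write(db, "UPDATE Product SET product_price = -5"))       # False: CHECK fails
    print(try_write(db, "DELETE FROM Product WHERE product_id = 1"))    # False: still referenced
```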

Question: What is the difference between integrity and security constraints?

Database security

Database security refers to the collective measures used to protect and secure a database from
illegitimate use and from malicious threats and attacks. Database security protects the
confidentiality, integrity and availability (CIA) of an organization's database.

CIA: what are they?

Confidentiality

Confidentiality is keeping data secret, such that only authorized users have access to the
database.
Integrity

Integrity refers to maintaining the consistency, accuracy and trustworthiness of data over its
entire lifecycle.

Availability

Availability refers to ensuring that authorized users are able to access information when
needed.

SECURITY THREATS TO DATABASE

- SQL injection
- Buffer overflow
- D.O.S (denial of service)
- Weak authentication

SQL injection
An unauthorized user writes an SQL query of their own into the database through the application.
Attackers insert malicious queries into the database to exploit vulnerabilities in the application.
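An added example (not from the notes) of the defence against SQL injection, in Python with sqlite3 and a constructed account table: the same lookup written once by pasting the user's text into the query and once with a parameterized query, so the difference in what each returns for untrusted input can be checked directly.

```python
import sqlite3

# Constructed sample accounts for the demonstration (hashes are placeholders).
ACCOUNTS = [("alice", "hash-placeholder-1"), ("bob", "hash-placeholder-2")]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE account (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany("INSERT INTO account VALUES (?, ?)", ACCOUNTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    """Vulnerable form: the user's text becomes part of the SQL, so quote
    characters in it can change the meaning of the WHERE clause."""
    sql = "SELECT username FROM account WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, username):
    """Hardened form: the value travels separately from the SQL text and is
    only ever compared as data, whatever characters it contains."""
    sql = "SELECT username FROM account WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


if __name__ == "__main__":
    db = build_db()
    untrusted = "x' OR 'a'='a"   # constructed input containing a quote
    print(lookup_vulnerable(db, "alice"), lookup_safe(db, "alice"))
    print(lookup_vulnerable(db, untrusted))  # the WHERE clause was rewritten
    print(lookup_safe(db, untrusted))        # [] : no account has that name
```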

Buffer overflow
A buffer overflow exists when a program attempts to put more data into a buffer than it can
hold.

D.O.S (denial of service)

This is another cyber attack in which the attackers make the machine, or part of the resources of
the database, unavailable to its intended users, by flooding the machine or the database system
with many requests in an attempt to overload them.

Weak authentication

Attackers can steal the identity of a legitimate user and so gain access to confidential data in the
database.

Some of the measures discussed in the materials operate at different levels.

Security measures to be put in place in a database include:

- Access control - we need to ensure that only authorized users have access to our
  database.
- Auditing - to check for loopholes and integrity.
- Encryption - encryption is one of the most sophisticated access controls one can have.
- Backup - backups are needed in case of system failure.

CSC 327

23rd of August, 2022

Authentication

Authentication consists of the controls incorporated in the DBMS to restrict access to data and/or
the actions performed by certain users.

Forms of Authentication

- Read - what you allow a certain user to see or read from your database.
- Insert - allows insertion of new data into the DBMS, but not modification of existing
  data.
- Update - allows modification but not deletion.
- Delete - allows deletion.

Page 77 pdf

The SQL standard includes the privileges SELECT, INSERT, UPDATE and DELETE. The SELECT privilege
authorizes a user to read data. In addition to these forms of privileges for access to data, SQL
supports several other privileges, such as the privilege to create, delete or modify relations, and the
privilege to execute procedures. The privilege ALL PRIVILEGES can be used as a short form for all
the allowable privileges. A user who creates a new relation is automatically given all privileges on
that relation.

Two forms

- GRANT (SELECT, UPDATE, DELETE) - gives a user an authorization
- REVOKE - removes the authorization given to the user

Privilege   Customer   Order
SELECT      Yes        Yes
INSERT      Yes        Yes
UPDATE      Yes        No
DELETE      No         No

The ideal thing is to GRANT privileges on procedures and views, with no direct access to the
base tables. Rather than allowing a user to access the database directly, you create a VIEW.

How to do this?

We need to have ROW LEVEL access control.

What is ROW LEVEL access control?

Row level access control restricts access to the data contained in an individual record. By
using views we can provide this kind of access with an SQL query.

SQL query:

    GRANT SELECT, INSERT, UPDATE ON view_name TO user;

So the user can only perform these operations through the view.

    CREATE VIEW expensive_view AS
        SELECT product_id, product_description, product_price
        FROM Product
        WHERE product_price > 300;

The grant (GRANT SELECT, INSERT, UPDATE ON view_name TO user) can then be placed on this view.
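An added example (not from the notes) of the "grant on the view, not on the table" rule, built with the expensive_view from the notes over constructed Product rows. SQLite has no GRANT statement, so the policy is emulated with sqlite3's connection authorizer: reads of the Product table are allowed only when they originate from the view, and a direct query of the base table is refused by the DBMS.

```python
import sqlite3

# Constructed sample products: (product_id, product_description, product_price).
PRODUCTS = [(1, "Laptop", 950.00), (2, "Mouse", 25.00), (3, "Monitor", 320.00)]


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Product (product_id INTEGER PRIMARY KEY, "
                 "product_description TEXT, product_price REAL)")
    conn.executemany("INSERT INTO Product VALUES (?, ?, ?)", PRODUCTS)
    # Row-level view from the notes: only products priced above 300 are exposed.
    conn.execute("CREATE VIEW expensive_view AS SELECT product_id, "
                 "product_description, product_price FROM Product "
                 "WHERE product_price > 300")
    conn.commit()
    return conn


def grant_view_only(conn, view_name, base_table):
    """Emulate 'GRANT SELECT ON view_name TO user' with no privilege on the
    base table. SQLite calls the authorizer while compiling each statement;
    for SQLITE_READ, arg1 is the table and 'source' is the innermost view or
    trigger doing the read, or None when the user's own SQL reads it."""
    def authorizer(action, arg1, arg2, dbname, source):
        if action == sqlite3.SQLITE_READ and arg1 == base_table:
            return sqlite3.SQLITE_OK if source == view_name else sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK
    conn.set_authorizer(authorizer)


def rows_visible(conn, sql):
    """Rows the user's query yields, or None when the DBMS refuses to run it."""
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.DatabaseError:  # 'not authorized' surfaces as DatabaseError
        return None


if __name__ == "__main__":
    db = build_db()
    grant_view_only(db, "expensive_view", "Product")
    print(rows_visible(db, "SELECT product_id, product_price FROM expensive_view"))
    print(rows_visible(db, "SELECT product_id, product_price FROM Product"))  # None
```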

The second thing to do is to set up authentication for application access.
