
High security of openGauss - access control

Access control

⚫ Manages users' access control rights to the database, including database system rights and object rights.

⚫ Supports a role-based access control mechanism: roles are associated with permissions, and user access is managed by assigning permissions to the corresponding roles and then granting those roles to users. Login access control is realized through user identification and authentication; object access control is based on the user's rights on the object and is enforced by checking those object rights. Database users are granted the minimum privileges required to complete their tasks, which minimizes the risk from database usage.

⚫ Supports an access control model with separation of three rights: database roles can be divided into system administrator, security administrator and audit administrator. The security administrator is responsible for creating and managing users, the system administrator is responsible for granting and revoking user rights, and the audit administrator is responsible for auditing the behavior of all users.

⚫ By default, the role-based access control model is used. Customers can choose whether to enable the three-rights separation model by setting parameters.



role-based access control

⚫ What is role-based user management?

 Role-based user management (Role-Based Access Control, RBAC) assigns permissions to roles; users obtain the permissions of those roles by being made members of the appropriate roles.

 Using RBAC can greatly simplify the management of permissions.

⚫ What is the RBAC model?

 Give each role the appropriate permissions.

 Assign each user to the corresponding roles.



⚫ RBAC authorization is a relationship between a Who, What, How triple.

 Who: the owner or subject of the permission (such as a user);

 What: the object (such as a table or function) to which the permission applies;

 How: the specific permission (positive authorization or negative authorization).

⚫ The relationship between users, roles, and permissions in the RBAC model.

 A user can correspond to multiple roles;

 A role can correspond to multiple users;

 A role can have multiple permissions;

 A privilege can be assigned to many roles.

⚫ Other access control models

 Access control lists (ACL)

 Attribute-Based Access Control (ABAC)

 Policy-Based Access Control (PBAC)

⚫ Features and advantages of RBAC

 Indirect relationship between users and permissions

 Separation of duties

 Easy authorization management

 Can support the principle of least privilege, separation of responsibilities, and data abstraction



Row-level access control

⚫ The row-level access control feature makes database access control precise to the row level of a data table, so that the database can restrict which rows each user can access.

⚫ Different users execute the same SQL query and read different results.

⚫ Users can create a row access control (Row Level Security) policy on a data table. The policy is an expression that takes effect for specific database users and specific SQL operations:

 When a database user accesses the data table, if the SQL matches a Row Level Security policy of that table, the matching expressions are combined with AND or OR in the query optimization stage according to the policy's attribute type (PERMISSIVE | RESTRICTIVE) and applied to the execution plan.

⚫ The purpose of row-level access control is to control the visibility of row-level data in the table. By pre-defining a filter on the data table, the expression that meets the conditions is applied to the execution plan in the query optimization stage, which affects the final execution result.

⚫ Currently the affected SQL statements are SELECT, UPDATE and DELETE.

⚫ Turn on the row access control policy switch:

ALTER TABLE tablename ENABLE ROW LEVEL SECURITY;

⚫ Create a row access control policy so that the current user can only view the user's own data:

CREATE ROW LEVEL SECURITY POLICY tablename_rls ON tablename USING(role = CURRENT_USER);

 Note: tablename is the name of the created table, tablename_rls is the name of the created row-level access control policy, and role is the column of tablename that holds the owning user's name.
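The following is an added end-to-end example (not part of the original post) that ties the RBAC and row-level sections together: privileges are granted to a role, users receive them through role membership, and a policy then filters rows per user. The table, role, user names and rows are constructed for illustration, the passwords are placeholders, and the column is named owner instead of role.

```sql
-- Added example: role-based grants plus a row-level security policy on openGauss.
-- Names (orders, sales_reader, alice, bob) and data are constructed; passwords are placeholders.

-- 1. RBAC: privileges live on the role, users only receive membership.
CREATE ROLE sales_reader PASSWORD 'Replace_me_1';
CREATE USER alice PASSWORD 'Replace_me_2';
CREATE USER bob   PASSWORD 'Replace_me_3';

CREATE TABLE orders (
    id     INT PRIMARY KEY,
    owner  NAME NOT NULL,        -- database user that owns this row
    amount NUMERIC(10,2)
);
INSERT INTO orders VALUES (1, 'alice', 100.00), (2, 'bob', 250.00), (3, 'alice', 40.00);

-- Least privilege: only SELECT, granted to the role rather than to individual users.
GRANT SELECT ON orders TO sales_reader;
GRANT sales_reader TO alice, bob;

-- 2. Row-level security: until enabled, anyone holding SELECT sees every row.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;

-- PERMISSIVE policies are combined with OR, RESTRICTIVE ones with AND, in the planner.
-- FOR ALL covers SELECT, UPDATE and DELETE; INSERT is not filtered by RLS.
CREATE ROW LEVEL SECURITY POLICY orders_owner_rls ON orders
    AS PERMISSIVE FOR ALL
    USING (owner = CURRENT_USER);

-- 3. Same statement, different results once connected as each user:
--    connected as alice:  SELECT id, amount FROM orders;   -- returns rows 1 and 3
--    connected as bob:    SELECT id, amount FROM orders;   -- returns row 2 only

-- Check the policy is present and enabled on the table.
SELECT polname, polcmd, polpermissive FROM pg_rlspolicy WHERE polrelid = 'orders'::regclass;
```

The table owner and system administrators bypass the policy by default, so when auditing an RLS setup also confirm who owns the table and which accounts hold administrator rights; the pg_rlspolicy catalog name is the one used by openGauss and is listed here as an assumption.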
Sep 27 '22 #1