High security of openGauss - access control

Access control

⚫ Manage users' access control rights to the database, including database system rights and object rights.

⚫ Supports a role-based access control mechanism: roles are associated with permissions, and user access is managed by assigning permissions to the corresponding roles and then granting those roles to users. Login access control is realized through user identification and authentication; object access control is based on the user's rights on the object and is enforced by checking those object rights. Each database user is granted only the minimum privileges required to complete its tasks, which minimizes the risk arising from database usage.

⚫ Supports a three-rights separation (separation of duties) access control model, in which database roles are divided into system administrator, security administrator and audit administrator. The security administrator is responsible for creating and managing users, the system administrator for granting and revoking user rights, and the audit administrator for auditing the behavior of all users.

⚫ By default, the role-based access control model is used. Customers can choose whether to enable the three-rights separation model by setting parameters.



Role-based access control

⚫ What is role-based user management?

 Role-based user management (Role-Based Access Control, RBAC) assigns permissions to roles; users obtain those permissions by being made members of the appropriate roles.

 Using RBAC can greatly simplify the management of permissions.

⚫ What is the RBAC model?

 Grant each role the appropriate permissions.

 Assign each user to the corresponding roles.



⚫ RBAC authorization is essentially a relationship among a Who, What, How triple.

 Who: the owner or subject of the permission (such as a user);

 What: the object (such as table, function) for which the permission is directed;

 How: the specific permission (positive authorization or negative authorization).

⚫ The relationship between users, roles, and permissions in the RBAC model.

 A user can correspond to multiple roles;

 A role can correspond to multiple users;

 A role can have multiple permissions;

 A privilege can be assigned to many roles.

⚫ Other access control models:

 Access control lists (ACL)

 Attribute-based access control (ABAC)

 Policy-based access control (PBAC)

⚫ Features and advantages of RBAC

 Indirect relationship

 Separation of duties

 Easy authorization management

 Can support the principle of least privilege, separation of responsibilities, and data abstraction



Row-level access control

⚫ The row-level access control feature makes database access control precise to the row level of a data table, so that the database can restrict which rows of a table each user can access.

⚫ Different users executing the same SQL query obtain different results.

⚫ Users can create a row access control (Row Level Security) policy on a data table. A policy is an expression that takes effect for specific database users and specific SQL operations:

 When a database user accesses the data table and the SQL satisfies a Row Level Security policy of that table, the matching expressions are combined with AND or OR according to the policy type (PERMISSIVE | RESTRICTIVE) in the query optimization stage and applied to the execution plan.

⚫ The purpose of row-level access control is to control the visibility of row-level data in the table. A filter is pre-defined on the data table; in the query optimization stage, the expression that meets the conditions is applied to the execution plan, which affects the final execution result.

⚫ Currently affected SQL statements include SELECT, UPDATE, DELETE.

⚫ Turn on the row access control switch for the table:

ALTER TABLE tablename ENABLE ROW LEVEL SECURITY;

⚫ Create a row access control policy so that the current user can only view its own rows:

CREATE ROW LEVEL SECURITY POLICY tablename_rls ON tablename USING(role = CURRENT_USER);

 Note: tablename is the name of the table and tablename_rls is the name of the row-level access control policy being created.
Sep 27 '22 #1
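An added example (not part of the original post or of openGauss's own documentation) tying the RBAC section to the row-level access control statements above: object privileges go to roles, users receive roles, and two policies on one table show how PERMISSIVE (OR) and RESTRICTIVE (AND) expressions combine so that the same query returns different rows per user. The table, role and user names and the placeholder passwords are constructed; the post's one-line policy assumes the table has a column named role, which this example replaces with an explicit owner_name column.

```sql
-- Constructed names and placeholder passwords; openGauss enforces password
-- complexity, so substitute real values before running.
CREATE ROLE sales_reader PASSWORD 'Placeholder#1';
CREATE ROLE sales_writer PASSWORD 'Placeholder#2';
CREATE USER alice PASSWORD 'Placeholder#3';
CREATE USER bob   PASSWORD 'Placeholder#4';

CREATE TABLE orders (
    id         integer PRIMARY KEY,
    owner_name name    NOT NULL,   -- database user the row belongs to
    region     text    NOT NULL,
    amount     numeric NOT NULL
);
INSERT INTO orders VALUES
    (1, 'alice', 'eu', 120), (2, 'bob', 'eu', 80), (3, 'alice', 'us', 300);

-- What/How: object privileges are granted to roles, never directly to users.
GRANT SELECT ON orders TO sales_reader;
GRANT SELECT, UPDATE, DELETE ON orders TO sales_writer;
-- Who: users become members of roles. alice needs both roles for her task,
-- bob gets only the least-privileged one.
GRANT sales_reader, sales_writer TO alice;
GRANT sales_reader TO bob;

-- Row-level security: no policy is evaluated until the switch is turned on.
ALTER TABLE orders ENABLE ROW LEVEL SECURITY;

-- PERMISSIVE policies are combined with OR: a row passes if any of them holds.
CREATE ROW LEVEL SECURITY POLICY orders_own_rows ON orders
    AS PERMISSIVE FOR ALL TO PUBLIC
    USING (owner_name = CURRENT_USER);

-- RESTRICTIVE policies are combined with AND on top of the permissive set:
-- a row that passed above is still filtered out unless every restrictive
-- policy for that operation holds as well.
CREATE ROW LEVEL SECURITY POLICY orders_eu_only ON orders
    AS RESTRICTIVE FOR SELECT TO sales_reader
    USING (region = 'eu');

-- The same statement now returns different rows depending on the session user:
--   connected as alice:  SELECT id FROM orders;   -- row 1 only; row 3 is
--                                                 -- hers but not in 'eu'
--   connected as bob:    SELECT id FROM orders;   -- row 2 only
--   connected as alice:  DELETE FROM orders WHERE id = 2;  -- deletes nothing,
--                                                 -- row 2 is invisible to her
-- The table owner is not subject to these policies unless
--   ALTER TABLE orders FORCE ROW LEVEL SECURITY;
-- is also applied, and administrator accounts may bypass them, so verify the
-- behaviour from an ordinary user's session rather than the owner's.
```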