In this chapter, we describe the features that SQL offers for protecting data in the tables against deliberate or accidental unauthorized use. For the security of data, SQL users, passwords, and privileges are required.
SQL users must be known to SQL before they can access the database data. In Chapter 3, “Installing the Software,” we showed you how one user is created automatically during SQL installation. In Chapter 4, “SQL in a Nutshell,” we showed how a new SQL user called BOOKSQL was introduced. Logging on to SQL without an existing user name is just not possible.
To each SQL user, a password can be assigned. When a password is required, accessing the database data becomes even more difficult because the name of an SQL user is no longer sufficient. After following the procedure to install the sample database as described in this book, the user BOOKSQL has the password BOOKSQLPW. You have probably entered this password many times, and you already have discovered what happens if you make a typing error: no access!
New SQL users are not allowed to access tables belonging to other SQL users, even with the SELECT statement. Nor can they create their own tables. New SQL users must explicitly be granted privileges. We can indicate, for example, that an SQL user is allowed to query a certain table or change specific columns of a table. Another SQL user might be allowed to create tables, and the third to create and remove complete databases.
The privileges that can be granted are divided into four groups:
Column privileges relate to one specific column of a table—for example, the privilege to update the values in the
AMOUNTcolumn of thePENALTIEStable withUPDATEstatements.Table privileges relate to all data of one specific table—for example, the privilege to query all the data of the
PLAYERStable withSELECTstatements.Database privileges relate to all tables of one specific database—for example, the privilege to create new tables in the existing
TENNISdatabase.User privileges relate to all databases that are known to SQL—for example, the privilege to remove existing databases or to create new ones.
In this chapter, we explain how new SQL users can be entered and how privileges can be assigned with the GRANT statement. All privileges are stored in the catalog, of course. We also describe how privileges can be recalled with the REVOKE statement and how SQL users can be removed from the catalog.
Note
In the following sections of this chapter, we use the term user instead of the somewhat longer SQL user, for convenience; see Section 4.3, in Chapter 4, to find out the difference between the two.
Besides BOOKSQL, we can add other users. In Section 4.13, in Chapter 4, we used an example to show how a new user can be added. In this section, we explain it in more detail.
To add new users in the catalog, SQL uses the simple CREATE USER statement.
<create user statement> ::= CREATE USER <user name> IDENTIFIED BY <password> <user name> ; <password> ::= <name> |
In a CREATE USER statement, a username and a password are entered. In most SQL products, the username is just a name consisting of letters and numbers. The password is a simple name as well.
Example 23.1. Introduce two new users: CHRIS with the password CHRISSEC, and PAUL with the password LUAP.
CREATE USER CHRIS IDENTIFIED BY CHRISSEC CREATE USER PAUL IDENTIFIED BY LUAP
Products such as DB2 and Oracle can process both statements without any problem. On the other hand, they do not work with MySQL because the definitions of the concepts username and password differ; see the following definition:
<user name> ::= <name> | '<name>' | '<name>'@'<host name>' <password> ::= <alphanumeric literal> |
The first difference is that, in MySQL, the password must be placed between quotation marks. The second difference is that if the username is specified as a name, for example as CHRIS, this name is changed to the specification 'CHRIS'@'%'. The first statement in the previous code could have been written in full as follows:
CREATE USER 'CHRIS'@'%' IDENTIFIED BY 'CHRISSEC'
The specification behind the @ sign represents the name of the host. Users log on from a certain machine. The machine on which the database server runs is called localhost. We used this specification in Chapter 4 for the user BOOKSQL. After the following CREATE USER statement, for example, user SAM can log on only from the machine called TEST. From the previous statement, CHRIS is allowed to log on from any machine.
CREATE USER 'SAM'@'TEST' IDENTIFIED BY 'CHRISSEC'
Users who have just been introduced do not have many privileges yet. They can log on to SQL and perform all operations for which no privileges are required. For example, they can use the HELP function or execute a COMMIT statement. However, whether they can access tables remains to be seen.
Each user has the right to use the ALTER USER statement to change his or her password.
<alter user statement> ::= ALTER USER <user name> IDENTIFIED BY <password> |
Portability
If the removed user has created tables and indexes, what happens next depends on the product. SQL removes only users who are not the owner of any database object. Therefore, these objects have to be removed first. Many other SQL products work like this. Other products drop the user but keep all tables and indexes of this user. Finally, some products remove the user together with all his or her database objects.
SQL supports the following table privileges.
SELECT—. This privilege gives a user the right to access the specified table with theSELECTstatement. He or she can also include the table in a view formula. However, a user must have theSELECTprivilege for every table (or view) specified in a view formula.INSERT—. This privilege gives a user the right to add rows to the specified table with theINSERTstatement.DELETE—. This privilege gives a user the right to remove rows from the specified table with theDELETEstatement.UPDATE—. This privilege gives a user the right to change values in the specified table with theUPDATEstatement.REFERENCES—. This privilege gives a user the right to create foreign keys that refer to the specified table.ALTER—. This privilege gives a user the right to change the table with theALTER TABLEstatement.INDEX—. This privilege gives a user the right to define indexes on the table.ALLorALL PRIVILEGES—. This privilege is a shortened form for all the privileges just named.
A table privilege may be granted only by users who have enough privileges themselves.
<grant statement> ::=
<grant table privilege statement>
<grant table privilege statement> ::=
GRANT <table privileges>
ON <table specification>
TO <grantees>
[ WITH GRANT OPTION ]
<table privileges> ::=
ALL [ PRIVILEGES ] |
<table privilege> [ { , <table privilege> }... ]
<table privilege> ::=
SELECT |
INSERT |
DELETE |
UPDATE [ <column list> ] |
REFERENCES [ <column list> ] |
ALTER |
INDEX
<column list> ::=
( <column name> [ { , <column name> }... ] )
<grantees> ::=
PUBLIC |
<user name> [ { , <user name> }... ]
|
Here are a few examples of how table privileges must be granted. We assume, unless otherwise mentioned, that the user called BOOKSQL enters the statements.
Explanation. After this GRANT statement has been processed, JAMIE may use any SELECT statement to query the PLAYERS table, regardless of who has created the table.
Multiple table privileges can be granted to multiple users simultaneously.
Example 23.5. Give JAMIE and PETE the INSERT and UPDATE privilege for all columns of the TEAMS table.
GRANT INSERT, UPDATE ON TEAMS TO JAMIE, PIET
A certain table privilege does not automatically lead to another. If we grant an INSERT privilege to a user, he or she does not automatically receive the SELECT privilege; it has to be granted separately.
A privilege can be granted to one user, to a number of users, or to PUBLIC (MySQL does not support this feature). If a privilege is granted to PUBLIC, each user who has been introduced gets that privilege. This also applies to all users introduced after the granting of the privilege, so after a user is entered into the system, he or she automatically receives all the privileges granted to PUBLIC.
Example 23.6. Give all users the SELECT and INSERT privileges on the PENALTIES table.
GRANT SELECT, INSERT ON PENALTIES TO PUBLIC
With several privileges, including UPDATE and REFERENCES, you can indicate the columns to which the privilege applies. In that case, we call it column privileges. When you do not specify a column, as in the previous examples, it means that the privilege applies to all columns of the table.
Example 23.7. Give PETE the UPDATE privilege for the columns PLAYERNO and DIVISION of the TEAMS table.
GRANT UPDATE (PLAYERNO, DIVISION) ON TEAMS TO PETE
Table privileges are effective for a certain table. SQL also supports privileges for an entire database, such as the privilege to create tables or views in a certain database.
SQL supports the following database privileges:
SELECT—. This privilege gives the user the right to access all tables of the specified database with theSELECTstatement.INSERT—. This privilege gives the user the right to add rows to all tables of the specified database with theINSERTstatement.DELETE—. This privilege gives the user the right to remove rows from all tables of the specified database with theDELETEstatement.UPDATE—. This privilege gives the user the right to update values in all tables of the specified database with theUPDATEstatement.REFERENCES—. This privilege gives the user the right to create foreign keys that point to tables of the specified database.CREATE—. This privilege gives the user the right to create new tables in the specified database with theCREATE TABLEstatement.ALTER—. This privilege gives the user the right to alter all tables of the specified database with theALTER TABLEstatement.DROP—. This privilege gives the user the right to remove all tables of the specified database.INDEX—. This privilege gives the user the right to define and remove indexes on all tables of the specified database.CREATE TEMPORARY TABLES—. This privilege gives the user the right to create temporary tables in the specified database.CREATE VIEW—. This privilege gives the user the right to create new views in the specified database with theCREATE VIEWstatement.CREATE ROUTINE—. This privilege gives the user the right to create new stored procedures and functions for the specified database; see Chapters 30, “Stored Procedures” and 31, “Stored Functions.”ALTER ROUTINE—. This privilege gives the user the right to update and remove existing stored procedures and functions of the specified database.EXECUTE ROUTINE—. This privilege gives the user the right to invoke existing stored procedures and functions of the specified database.LOCK TABLES—. This privilege gives the user the right to block existing tables of the specified database; see Section 27.10, in Chapter 27, “Transactions and Multiuser Usage.”ALLorALL PRIVILEGES—. This privilege is a shortened form for all the privileges just named.
The definition of this GRANT statement resembles the one for granting table privileges. However, there are two important differences. First, the list with privileges is longer and the ON clause looks different.
<grant statement> ::=
<grant database privilege statement>
<grant database privilege statement> ::=
GRANT <database privileges>
ON [ <database name> . ] *
TO <grantees>
[ WITH GRANT OPTION ]
<database privileges> ::=
ALL [ PRIVILEGES ] |
<database privilege> [ { , <database privilege>
|
}... ]
<database privilege> ::=
SELECT |
INSERT |
DELETE |
UPDATE |
REFERENCES |
CREATE |
ALTER |
DROP |
INDEX |
CREATE TEMPORARY TABLES |
CREATE VIEW |
CREATE ROUTINE |
ALTER ROUTINE |
EXECUTE ROUTINE |
LOCK TABLES
Example 23.8. Give PETE the SELECT privilege for all tables in the TENNIS database.
GRANT SELECT ON TENNIS.* TO PETE
Explanation: So, this privilege is effective for all existing tables and also the tables that will be added to the TENNIS database later.
Example 23.9. Give JIM the privilege to create, update, and remove new tables and views in the TENNIS database.
GRANT CREATE, ALTER, DROP, CREATE VIEW ON TENNIS.* TO JIM
Note that one database privilege does not imply the other here as well. JIM is allowed to create new tables and views now, but he may not access them yet. For that, he needs to be granted a separate SELECT privilege or more privileges.
Example 23.10. Give PETE the SELECT privilege to query all catalog tables in the INFORMATION_SCHEMA database.
GRANT SELECT ON INFORMATION_SCHEMA.* TO PETE
Example 23.11. Give ALYSSA the SELECT and INSERT privileges for all tables in the current database.
GRANT SELECT, INSERT ON * TO ALYSSA
Explanation: The asterisk represents the current database here.
The most effective privileges are the user privileges. For all statements for which database privileges need to be granted, user privileges can be defined as well. For example, by granting someone the privilege CREATE on the user level, this user can create tables in all databases (instead of in one specific database). In addition, SQL supports the following additional user privileges:
CREATE USER—. This privilege gives a user the right to create and remove new users.
<grant statement> ::=
<grant user privilege statement>
<grant user privilege statement> ::=
GRANT <user privileges>
ON *.*
TO <grantees>
[ WITH GRANT OPTION ]
<user privileges> ::=
ALL [ PRIVILEGES ] |
<user privilege> [ { , <user privilege> }... ]
<user privilege> ::=
SELECT |
INSERT |
DELETE |
UPDATE |
REFERENCES |
CREATE |
ALTER |
DROP |
INDEX |
CREATE TEMPORARY TABLES |
CREATE VIEW |
CREATE ROUTINE |
ALTER ROUTINE |
EXECUTE ROUTINE |
LOCK TABLES |
CREATE USER
|
Example 23.12. Give MAX the CREATE, ALTER, and DROP privileges for all tables of all databases.
GRANT CREATE, ALTER, DROP ON *.* TO MAX
Explanation: So, these privileges apply to all existing databases and also to all future databases.
Example 23.13. Give ALYSSA the privilege to create new users.
GRANT CREATE USER ON *.* TO ALYSSA
The user called root gets the following privilege during the installation of MySQL:
GRANT ALL PRIVILEGES ON *.* TO ROOT
By way of conclusion, Table 23.1 lists the levels at which privileges for certain SQL statements can be granted.
Table 23.1. Overview of Privileges
Statement | User Privilege | Database Privilege | Table Privilege | Column Privilege |
|---|---|---|---|---|
| Yes | Yes | Yes | No |
| Yes | Yes | Yes | No |
| Yes | Yes | Yes | Yes |
| Yes | Yes | Yes | Yes |
| Yes | Yes | Yes | Yes |
| Yes | Yes | Yes | No |
| Yes | Yes | Yes | No |
| Yes | Yes | Yes | No |
| Yes | Yes | Yes | Yes |
| Yes | Yes | No | No |
| Yes | Yes | No | No |
| Yes | Yes | No | No |
| Yes | Yes | No | No |
| Yes | Yes | No | No |
| Yes | Yes | No | No |
| Yes | No | No | No |
A GRANT statement can be concluded with the WITH GRANT OPTION. This means that all users specified in the TO clause can themselves pass on the privilege (or part of the privilege) to other users. In other words, if a user is given a table privilege via the WITH GRANT OPTION, he or she can grant that privilege on the table without being the owner of it.
Example 23.14. Give JIM the REFERENCES privilege on the TEAMS table and allow him to pass it on to other users:
GRANT REFERENCES ON TEAMS TO JOHN WITH GRANT OPTION
Because of the WITH GRANT OPTION clause, JIM can pass on this privilege to PETE, for example:
GRANT REFERENCES ON TEAMS TO PETE
JIM can himself extend the statement with WITH GRANT OPTION so that PETE, in turn, can pass on the privilege.
Granting privileges to individual users is acceptable if there are not that many. But imagine that the database consists of 300 tables and has 500 users. If everyone is to be given privileges, at least 500 GRANT statements are required. However, it is likely that many more statements are necessary, and this is very difficult to manage. That is why the concept of role has been added to SQL.
A role is a defined set of privileges (the same privileges we have already described) that is granted to users. If the privileges of one role are altered (a table privilege is added, for example), the privileges of all users belonging to that role are changed automatically. It is easier to manage the privileges this way. A user may have several roles.
With the CREATE ROLE statement, new roles can be created.
<create role statement> ::= CREATE ROLE <role name> |
To assign privileges to roles, the definition of the concept grantees has been extended so that all kinds of privileges can be assigned to roles.
<grantees> ::=
PUBLIC |
<user name> [ { , <user name> }... ] |
<role name> [ { , <role name> }... ]
|
A special version of the GRANT statement has also been created to assign roles to users.
<grant statement> ::=
<grant role statement>
<grant role statement> ::=
GRANT <role name> [ { , <role name> }... ]
TO <grantees>
|
Example 23.15. Create the role SALES and give this role the SELECT and INSERT privileges on the PENALTIES table. Next, grant the SALES role to users ILENE, KELLY, JIM, and MARC.
CREATE ROLE SALES GRANT SELECT, INSERT ON PENALTIES TO SALES GRANT SALES TO ILENE, KELLY, JIM, MARC
Explanation: The first statement creates the new role. With the GRANT statement, table privileges are granted. The structure of this statement is the same as the one used for granting privileges to users. Next, with a special version of the GRANT statement, we give the role to the four users. It is now possible to extend the privileges of the SALES role with one statement instead of using an entire set of GRANT statements.
Roles can be removed with the DROP ROLE statement. And, of course, all privileges belonging to that role also are removed; in turn, the users lose their privileges.
Several catalog tables are used to record users, roles, and privileges:
Users are recorded in the
USERStable.Roles are stored in the
ROLEStable.The
USER_ROLEStable is used to record which user has which role.The
COLUMN_AUTHStable contains information about the privileges granted on specific columns.The
TABLE_AUTHStable contains information about privileges on specific tables.
Contrary to many other SQL products, SQL does not remember who granted a privilege. When SQL has approved and processed a granted privilege, it does not record who granted the privilege. In the various catalog views, the column GRANTOR (the grantor of the privilege) has been included but has the value UNKNOWN everywhere. The GRANTEE (the person who receives the privilege), however, has been filled everywhere.
The USERS table contains only one column, the name of the user. This column also forms the primary key of this table.
Table 23.2. Columns of the USERS Catalog Table
Column Name | Data Type | Description |
|---|---|---|
|
| Name of the user. |
The ROLES table also consists of only one column, the name of the role.
Table 23.3. Columns of the ROLES Catalog Table
Column Name | Data Type | Description |
|---|---|---|
|
| Name of the role. |
The USER_ROLES table has the following structure. (The columns USER_NAME and ROLE_NAME form the primary key of this table.)
Table 23.4. Columns of the USER_ROLES Catalog Table
Column Name | Data Type | Description |
|---|---|---|
|
| Name of the user. |
|
| Name of the role. |
The column privileges are recorded in a separate catalog table, the COLUMN_AUTHS table. The primary key of this table is formed by the columns GRANTOR, TABLE_NAME, GRANTEE, and COLUMN_NAME. The table has the following structure:
Table 23.5. Columns of the COLUMN_AUTHS Catalog Table
Data Type | Description | |
|---|---|---|
|
| User who granted the privilege. |
|
| User who received the privilege. |
|
| Name of the owner of the table on which the privilege is granted. (In MySQL, this is the name of the database to which the table belongs.) |
|
| Table or view on which the privilege is granted. |
|
| Column name on which the |
|
| Indication of what kind of privilege it is. |
|
| If this column is filled with the value |
The TABLE_AUTHS table has the following structure. The primary key of this table is formed by the columns GRANTOR, GRANTEE, TABLE_CREATOR, TABLE_NAME, and PRIVILEGE. You can see that the column privileges are not recorded in this table.
Table 23.6. Columns of the TABLE_AUTHS Catalog Table
Column Name | Data Type | Description |
|---|---|---|
|
| User who granted the privilege. |
|
| User who received the privilege. |
|
| Name of the owner of the table on which the privilege is granted. (In MySQL, this is the name of the database to which the table belongs.) |
|
| Table or view on which the privilege is granted. |
|
| Indication of what kind of privilege it is. |
|
| If this column is filled with the value |
The DATABASE_AUTHS table has the following structure. The primary key of this table is formed by the columns GRANTOR, GRANTEE, DATABASE_NAME, and PRIVILEGE.
Table 23.7. Columns of the DATABASE_AUTHS Catalog Table
Data Type | Description | |
|---|---|---|
|
| User who granted the privilege. |
|
| User who received the privilege. |
|
| Database on which the privilege is granted. |
|
| Indication of what kind of privilege it is. |
|
| If this column is filled with the value |
The USER_AUTHS table has the following structure. The primary key of this table is formed by the columns GRANTOR, GRANTEE, and PRIVILEGE.
Table 23.8. Columns of the USER_AUTHS Catalog Table
Column Name | Data Type | Description |
|---|---|---|
|
| User who granted the privilege. |
|
| User who received the privilege. |
|
| Indication of what kind of privilege it is; if this column is filled with the value |
|
| If this column is filled with the value |
Example 23.17. Which users are allowed to query the PLAYERS table in the TENNIS database?
SELECT GRANTEE FROM USER_AUTHS WHERE PRIVILEGE = 'SELECT' UNION SELECT GRANTEE FROM DATABASE_AUTHS WHERE DATABASENAME = 'TENNIS' AND PRIVILEGE = 'SELECT' UNION SELECT GRANTEE FROM TABLE_AUTHS WHERE TABLE_CREATOR = 'TENNIS' AND PRIVILEGE = 'SELECT'
Explanation. This example requires a search in three tables because SELECT privileges can be defined on three levels.
The REVOKE statement withdraws privileges from a user without deleting that user from the USERS table. This statement has the opposite effect of the GRANT statement.
<revoke statement> ::=
<revoke table privilege statement> |
<revoke database privilege statement> |
<revoke user privilege statement> |
<revoke role statement>
<revoke table privilege statement> ::=
REVOKE <table privileges>
ON <table specification>
FROM <grantees>
<table privileges> ::=
ALL [ PRIVILEGES ] |
<table privilege> [ { , <table privilege> }... ]
<table privilege> ::=
SELECT |
INSERT |
DELETE |
UPDATE [ <column list> ] |
REFERENCES [ <column list> ] |
ALTER |
INDEX
<revoke database privilege statement> ::=
REVOKE <database privileges>
ON [ <database name> . ] *
FROM <user name> [ { , <user name> }... ]
<database privileges> ::=
ALL [ PRIVILEGES ] |
<database privilege> [ { , <database privilege>
|
Example 23.18. The SELECT privilege of JIM on the PLAYERS table is to be withdrawn. (We assume that the situation is as it was at the end of Section 23.8.)
REVOKE SELECT ON PLAYERS FROM JIM
The relevant privilege is now deleted from the catalog.
Example 23.19. Withdraw the REFERENCES privilege on the TEAMS table from JIM.
REVOKE REFERENCES ON TEAMS FROM JIM
This privilege is withdrawn, together with all the privileges that are directly or indirectly dependent on it. In the example, PETE also loses his REFERENCES privilege on the TEAMS table.
With the REVOKE statement, a role of a user can also be deleted and privileges of roles can be withdrawn. Examples of both features follow.
Example 23.21. Withdraw the SELECT privilege on the PENALTIES table of the role called SALES.
REVOKE SELECT ON PENALTIES FROM SALES
It could be that a user has been granted overlapping privileges. He received, for example, the table privilege UPDATE on the PLAYERS table and also the user privilege UPDATE for all tables in all databases. If one of the two is withdrawn, the other privilege remains.
A GRANT statement can refer not only to tables, but also to views. (See the definition of the GRANT statement in Section 23.3.) Let’s look at this more closely.
Because privileges can also be granted for views, you can provide users with access to only a part of a table or only to information derived or summarized from tables. The following are examples of both features.
Example 23.22. Give DIANE the privilege to read only the names and addresses of noncompetitive players.
First, DIANE must be entered with a CREATE USER statement.
CREATE USER DIANE IDENTIFIED BY 'SECRET'
Second, a view is created specifying which data she may see:
CREATE VIEW NAME_ADDRESS AS
SELECT NAME, INITIALS, STREET, HOUSENO,
TOWN
FROM PLAYERS
WHERE LEAGUENO IS NULL
The last step is to grant DIANE the SELECT privilege on the NAME_ADDRESS view:
GRANT SELECT ON NAME_ADDRESS TO DIANE
With this statement, DIANE has access to only that part of the PLAYERS table defined in the view formula of NAME_ADDRESS.
Example 23.23. Make sure that user GERARD can look at only the number of players in each town.
First, we introduce GERARD.
CREATE USER GERARD IDENTIFIED BY 'XYZ1234'
The view that we use looks like this:
CREATE VIEW RESIDENTS (TOWN, NUMBER_OF) AS SELECT TOWN, COUNT(*) FROM PLAYERS GROUP BY TOWN
Now we give GERARD the privilege for the previous view:
GRANT SELECT ON RESIDENTS TO GERARD
All types of table privilege can be granted on views.
GRANT SELECT, INSERT ON PLAYERS TO RONALDO | |
GRANT ALL ON COMMITTEE_MEMBERS TO PUBLIC | |
GRANT UPDATE(STREET, HOUSENO, POSTCODE, TOWN) ON PLAYERS TO RONALDO |
CREATE USER JOE IDENTIFIED BY 'JAZZ' CREATE USER JACO IDENTIFIED BY 'JAZZ' CREATE USER CHRIS IDENTIFIED BY 'JAZZ' CREATE ROLE ADMIN GRANT ALL ON COMMITTEE_MEMBERS TO ADMIN |