Ensuring Access Security

In every database, it is important to maintain security and access control. Ingres has a built-in hierarchical security system that any privileged user (such as the system administrator, database administrator, or security administrator) can use to fully control access to the database. A privileged user is any user with the necessary privileges to perform security-related operations.

This chapter discusses the following security features available in Ingres:

Subject privileges
Object permissions
Security alarms
Security auditing
Database procedures

Note: Databases are protected from user access by the permissions on the directories containing the database files and the permissions on the database files themselves. Users cannot look at the files in a database except through Ingres. Even in Ingres, files are protected from access except from the privileged accounts (the installation owner account and the system administrator account). The binary files are in a special format, making decoding of any information difficult.

Subject Privileges

Subject privileges define the general capabilities of a user session, and are assigned when a user object is created for an individual user login or when an existing user object is modified.

For information on the procedures for creating and modifying users (and profiles on which user definitions can be based), see the chapter "Authorizing User Access."

The subject privileges are as follows:

Auditor
Enables the user to query the security audit log.
Create Database (also called createdb)
Enables the user to create and destroy databases.
Maintain Audit (also called maintain_audit)
Enables the user to control what information is written to the security audit log.
Maintain Locations (also called maintain_locations)
Enables the user to manage database and file locations.
Maintain Users (also called maintain_users)
Enables the user to perform various user-related functions, such as creating users and roles.
Operator
Enables the user to perform database backups and other maintenance operations.
Security
Enables the user to perform security-related operations, including impersonating other users, and to avoid certain security checks, such as database privilege checks.
Trace
Enables the user access to tracing and debugging features.

Important! Subject privileges allow many trusted operations to be performed. Therefore, assign privileges with care, especially the security privilege.

To set or change subject privileges for a user, you must have the maintain_users privilege.

Subject privileges can also be assigned to roles, as discussed in Groups and Roles.

Note: Object permissions define capabilities related to a specific object, such as a database or a table, and are assigned to selected groups, roles, or users, as discussed in Object Permissions.

Auditor Privilege

The auditor privilege allows a user to obtain information from the audit log. A user with this privilege can:

Register the audit log file to a virtual table using the register table statement, or perform the equivalent operation in VDBA.
Remove the registration for an audit log file using the remove table statement, or perform the equivalent operation in VDBA.
Query the audit log once it has been registered as a virtual table.
Obtain the audit log file name by calling dbmsinfo('security_audit_log').

The privilege required to control what information is written to the audit log is described in Maintain_Audit Privilege. Working with audit logs is described in Security Auditing.

Createdb Privilege

The createdb privilege is required to create a database. For example, this privilege is required to use the createdb system command or to use the equivalent operation in VDBA. This subject privilege is granted by default to the system administrator, who in turn can grant it to other users, such as database administrators.

Maintain_Audit Privilege

The maintain_audit privilege allows a user to manage auditing features, including determining the security audit activity level for profiles, users, and roles, and the ability to turn security auditing on and off. A user with this privilege can:

Issue the enable and disable security_audit statements, or perform the equivalent operations in VDBA.
Change the current audit state using the alter security_audit statement, or perform the equivalent operation in VDBA.
Specify the security_audit clause for alter/create profile, alter/create user, and alter/create role statements, or similarly determine the security audit activity level when working with profile, user, and role objects in VDBA.

The privilege required to obtain information from the audit log is described in Auditor Privilege. Working with audit logs is described in Security Auditing.

Maintain_Locations Privilege

The maintain_locations privilege allows a user to control the allocation of disk space, create new locations or allow new locations to be created, and allow existing locations to be modified or removed. This privilege is needed to issue the create, alter, and drop location statements, or to perform the equivalent operations on location objects in VDBA.

Maintain_Users Privilege

The maintain_users privilege allows a user to perform various user-related functions. A user with this privilege can:

Issue create/alter/drop profile statements to maintain profiles, or perform the equivalent operations on profile objects in VDBA.
Issue create/alter/drop user statements to maintain users, or perform the equivalent operations on user objects in VDBA.
Issue create/alter/drop group statements to maintain groups, or perform the equivalent operations on group objects in VDBA.
Issue create/alter/drop role statements to maintain roles, or perform the equivalent operations on role objects in VDBA.

Note: To assign and change security audit attributes for a profile, user, or role, the user must have the maintain_audit privilege.

Operator Privilege

A user who is responsible for running Ingres requires the operator privilege. Users with this privilege can run the following system commands:

ckpdb
rollforwarddb
auditdb
sysmod
verifydb
relocatedb
fastload
alterdb
infodb

These commands can alternatively be run through the Remote Command (rmcmd) Server, by a (client) user who has the rmcmd privileges rather than the Operator privilege (assuming that the user who launched rmcmd on the server side has the Operator privileges). The sysmod command, however, requires the client user to have the security privilege or be the user who launched rmcmd on the server side. For details, see Grant Access to Remote Users and How Remote Commands Are Executed in the System Administration Guide.

Security Privilege

The security privilege allows a user to monitor the security of the system and the activities of its users. A user with this privilege can:

Use the u flag on commands to impersonate other users, or perform the equivalent using the Users branch of the Virtual Nodes toolbar in VDBA.
Connect to any database with unlimited database privileges (in effect, database privileges are not enforced for users with the security privilege).
Issue create/drop security_alarm statements to configure database and installation security alarms, or perform the equivalent operations in VDBA.

Important! Remember that the security privilege is very powerful because it allows the holder to impersonate any other user. At least one security holder is required (this and all other privileges are automatically bestowed on the installation owner), but the privilege can be restricted as tightly as possible so that your system security is not compromised.

Trace Privilege

The trace privilege allows a user to perform tracing, troubleshooting, and debugging operations. This privilege enables the user to set the debugging trace flags using the following statements:

set [no]printqry
set [no]rules
set [no]printrules
set [no]io_trace
set [no]lock_trace
set [no]log_trace
set trace point

For details on tracing, see the chapter "Using Monitoring and Tracing Tools" in the System Administrator Guide.

Default Privilege

In addition to defining the subject privileges that a user is allowed to have, Ingres provides the ability to define a default set of subject privileges available at session startup. In addition, any privilege that the user has been allowed can be added or dropped during the life of the session, which enables the effective application of the principle of least privilege. This principle asserts that a subject must have the minimum privileges required to perform an operation, and that these privileges must be active for the minimum amount of time necessary to perform that operation.

Thus, a session has three sets of privileges associated with it:

The default privilege set contains those privileges that become active when an Ingres connection is initiated.
The working privilege set contains those privileges that are active at any particular time (at session startup, the working privilege set is equivalent to the default privilege set).
The maximum privilege set contains all privileges that a particular user is allowed to have.

Using VDBA, the maximum privilege set consists of all the privileges enabled in the Users column of the Create User or Alter User dialog. The default privilege set, which is a subset of the maximum privilege set, consists of all the privileges enabled in the Default column of the Create User or Alter User dialog.

The working privilege set is determined during the life of the session, when privileges can be made active as necessary to allow a privileged operation to be performed and made inactive on completion of the task. This is accomplished using the set session statement, as described in the entry for the set statement in the SQL Reference Guide. Using set session, you can:

Add allowed privileges to the working privilege set
Drop privileges from the working privilege set
Replace the working privilege set with specified allowed privileges
Set the working privilege set to all allowed privileges
Reset the working privilege set to the default privilege set
Remove all privileges from the working privilege set