Controlling the access to data based on user credentials is a fundamental part of database management systems. In most cases, the level at which information is controlled extends only to a certain level of granularity. In some scenarios, however, there is a requirement to control access at a more granular way allowing the users to see only the data they are supposed to see in a database table. Fine-grained access control (FGAC) provides row-level security capabilities to secure information stored in modern relational database management systems. In case of creating the virtual networking infrastructure of virtual organizations, the security of the data stored in database management systems is a very important issue. Several models have been proposed by research community and database vendors for specifying and enforcing row-level access control at the database layer. This article reviews the most important facts of some significant FGAC models and current implementations of such in two commercial database management systems. We describe a novel concept of implementing FGAC in SQL Server 2005, which resembles Oracle 10g database management system’s FGAC solution virtual private databases (VPD).
Key Terms in this Chapter
Granularity (of access control): The size of individual data items that can be authorized to users.
Structured Query Language (SQL): It is a language for creating, modifying, and retrieving data from relational database management systems.
Oracle Grid: Oracle database running on group of low-cost servers connected by Oracle software.
Application Context: Oracle virtual private database (VPD)-specific set of variables that hold database user information in order to create a predicate.
Cell-Level Security (CLS): Allows restricted access to a particular cell based on a security policy implemented in PL/SQL.
Programming Language/SQL (PL/SQL): SQL language that has programming capabilities.
Predicate: Additional SQL statement(s) pasted after WHERE clause based on security policy.
Row Level Security (RLS): Allows restricted access to records based on a security policy implemented in PL/SQL.
Database Administrator (DBA): A person who is responsible for the environmental aspects such as recoverability, integrity, security, availability, performance, development, and testing support.
Virtual Private Database (VPD): Also known as fine-grained access control (FGAC). It allows defining which rows users may access.