[SGVLUG] Database security for "sql" databases

[Mark Echeverri]

Since I don't know which database you're using, I'll assume it doesn't
support any sort of "review" SQL clause...though odds are there is some
way of getting at that data.

One approach would be to do something like a "REVOKE ALL for ..."
followed by a set of explicit GRANT statements.  This is a good
security, because it helps eliminate holes, and useful because it
documents exactly which privileges each role, user group, etc. is given.

	



On Fri, 2005-07-15 at 12:08 -0700, Emerson, Tom wrote:
> I'm trying to determine and/or validate that the proper permissions have been "granted" to the proper people for a particular SQL database, and, well, I'm running into "difficulties".
> 
> I don't know if this is true of "sql databases" in general, or just the one I'm using.  From the interactive SQL / query utility supplied by the vendor, I see I can issue "GRANT..." commands to allow other users and entities access (or REVOKE to remove those access rights)  What I cannot find is any command to REVIEW the current access rights.
> 
> I guess I'm kind of spoiled by the DB I've been using, but "security" for that database MUST be supplied as part of the "schema" and is defined in the most basic way: can you READ or can you WRITE to the table (or if you want to get fancy and shoot yourself in the foot, this can be extended down to the item level...)  This is just "simpler" than pondering the nuances of "update" vs "delete" [because if you can update but not delete something, you can conceivably change the values to nulls, zeroes, or otherwise "blank" data, which is almost indistinguishable from a record that doesn't exist...]
> 
> Any thoughts?