Security Example v12
In the following example, a new database will be created along with two users – hr_mgr
who will own a copy of the entire sample application in schema, hr_mgr
; and sales_mgr
who will own a schema named, sales_mgr
, that will have a copy of only the emp
table containing only the employees who work in sales.
The procedure list_emp
, function hire_clerk
, and package emp_admin
will be used in this example. All of the default privileges that are granted upon installation of the sample application will be removed and then be explicitly re-granted so as to present a more secure environment in this example.
Programs list_emp
and hire_clerk
will be changed from the default of definer’s rights to invoker’s rights. It will be then illustrated that when sales_mgr
runs these programs, they act upon the emp
table in sales_mgr
’s schema since sales_mgr
’s search path and privileges will be used for name resolution and authorization checking.
Programs get_dept_name
and hire_emp
in the emp_admin
package will then be executed by sales_mgr
. In this case, the dept
table and emp
table in hr_mgr
’s schema will be accessed as hr_mgr
is the owner of the emp_admin
package which is using definer’s rights. Since the default search path is in effect with the $user
placeholder, the schema matching the user (in this case, hr_mgr
) is used to find the tables.
Step 1 – Create Database and Users
As user enterprisedb
, create the hr
database:
Switch to the hr database and create the users:
Step 2 – Create the Sample Application
Create the entire sample application, owned by hr_mgr
, in hr_mgr
’s schema.
Step 3 – Create the emp Table in Schema sales_mgr
Create a subset of the emp
table owned by sales_mgr
in sales_mgr
’s schema.
In the above example, the GRANT USAGE ON SCHEMA
command is given to allow sales_mgr
access into hr_mgr
’s schema to make a copy of hr_mgr
’s emp
table. This step is required in Advanced Server and is not compatible with Oracle databases since Oracle does not have the concept of a schema that is distinct from its user.
Step 4 – Remove Default Privileges
Remove all privileges to later illustrate the minimum required privileges needed.
Step 5 – Change list_emp to Invoker’s Rights
While connected as user, hr_mgr
, add the AUTHID CURRENT_USER
clause to the list_emp
program and resave it in Advanced Server. When performing this step, be sure you are logged on as hr_mgr
, otherwise the modified program may wind up in the public
schema instead of in hr_mgr
’s schema.
Step 6 – Change hire_clerk to Invoker’s Rights and Qualify Call to new_empno
While connected as user, hr_mgr
, add the AUTHID CURRENT_USER
clause to the hire_clerk
program.
Also, after the BEGIN
statement, fully qualify the reference, new_empno
, to hr_mgr.new_empno
in order to ensure the hire_clerk
function call to the new_empno
function resolves to the hr_mgr
schema.
When resaving the program, be sure you are logged on as hr_mgr
, otherwise the modified program may wind up in the public
schema instead of in hr_mgr
’s schema.
Step 7 – Grant Required Privileges
While connected as user, hr_mgr
, grant the privileges needed so sales_mgr
can execute the list_emp
procedure, hire_clerk
function, and emp_admin
package. Note that the only data object sales_mgr
has access to is the emp
table in the sales_mgr
schema. sales_mgr
has no privileges on any table in the hr_mgr
schema.
Step 8 – Run Programs list_emp and hire_clerk
Connect as user, sales_mgr
, and run the following anonymous block:
The table and sequence accessed by the programs of the anonymous block are illustrated in the following diagram. The gray ovals represent the schemas of sales_mgr
and hr_mgr
. The current user during each program execution is shown within parenthesis in bold red font.
Selecting from sales_mgr
’s emp
table shows that the update was made in this table.
The following diagram shows that the SELECT
command references the emp
table in the sales_mgr
schema, but the dept
table referenced by the get_dept_name
function in the emp_admin
package is from the hr_mgr
schema since the emp_admin
package has definer’s rights and is owned by hr_mgr
. The default search path setting with the $user
placeholder resolves the access by user hr_mgr
to the dept
table in the hr_mgr
schema.
Step 9 – Run Program hire_emp in the emp_admin Package
While connected as user, sales_mgr
, run the hire_emp
procedure in the emp_admin
package.
This diagram illustrates that the hire_emp
procedure in the emp_admin
definer’s rights package updates the emp
table belonging to hr_mgr
since the object privileges of hr_mgr
are used, and the default search path setting with the $user
placeholder resolves to the schema of hr_mgr
.
Now connect as user, hr_mgr
. The following SELECT
command verifies that the new employee was added to hr_mgr
’s emp
table since the emp_admin
package has definer’s rights and hr_mgr
is emp_admin
’s owner.