Security example v16
In this example, a new database is created along with two users:
– hr_mgr
, who owns a copy of the entire sample application in schemahr_mgr
sales_mgr
, who owns a schema namedsales_mgr
that has a copy of only theemp
table containing only the employees who work in sales
The procedure list_emp
, function hire_clerk
, and package emp_admin
are used in this example. All of the default privileges that are granted upon installation of the sample application are removed and then explicitly regranted so as to present a more secure environment.
Programs list_emp
and hire_clerk
are changed from the default of definer’s rights to invoker’s rights. Then, when sales_mgr
runs these programs, they act on the emp
table in the sales_mgr
schema since the sales_mgr
search path and privileges are used for name resolution and authorization checking.
Programs get_dept_name
and hire_emp
in the emp_admin
package are then executed by sales_mgr
. In this case, the dept
table and emp
table in the hr_mgr
schema are accessed as hr_mgr
is the owner of the emp_admin
package which is using definer’s rights. Since the default search path is in effect with the $user
placeholder, the schema matching the user (in this case, hr_mgr
) is used to find the tables.
Step 1: Create database and users
As user enterprisedb
, create the hr
database:
Switch to the hr database and create the users:
Step 2: Create the sample application
Create the entire sample application, owned by hr_mgr
, in the hr_mgr
schema.
Step 3: Create the emp table in schema sales_mgr
Create a subset of the emp
table owned by sales_mgr
in the sales_mgr
schema.
The GRANT USAGE ON SCHEMA
command allows sales_mgr
access into the hr_mgr
’s schema to make a copy of the hr_mgr
emp
table. This step is required in EDB Postgres Advanced Server and isn't compatible with Oracle databases. Oracle doesn't have the concept of a schema that's distinct from its user.
Step 4: Remove default privileges
Remove all privileges to later illustrate the minimum required privileges needed.
Step 5: Change list_emp to invoker’s rights
While connected as user hr_mgr
, add the AUTHID CURRENT_USER
clause to the list_emp
program and resave it in EDB Postgres Advanced Server. When performing this step, be sure you're logged in as hr_mgr
. Otherwise the modified program might end up in the public
schema instead of in the hr_mgr
schema.
Step 6: Change hire_clerk to invoker’s rights and qualify call to new_empno
While connected as user hr_mgr
, add the AUTHID CURRENT_USER
clause to the hire_clerk
program.
Also, after the BEGIN
statement, fully qualify the reference new_empno
to hr_mgr.new_empno
to ensure the hire_clerk
function call to the new_empno
function resolves to the hr_mgr
schema.
When resaving the program, be sure you're logged in as hr_mgr
. Otherwise the modified program might end up in the public
schema instead of in the hr_mgr
schema.
Step 7: Grant required privileges
While connected as user hr_mgr
, grant the privileges needed so sales_mgr
can execute the list_emp
procedure, hire_clerk
function, and emp_admin
package. The only data object sales_mgr
has access to is the emp
table in the sales_mgr
schema. sales_mgr
has no privileges on any table in the hr_mgr
schema.
Step 8: Run programs list_emp and hire_clerk
Connect as user sales_mgr
, and run the following anonymous block:
The table and sequence accessed by the programs of the anonymous block are shown in the following diagram. The gray ovals represent the schemas of sales_mgr
and hr_mgr
. The current user during each program execution is shown in parenthesis in bold red font.
Selecting from the sales_mgr
emp
table shows that the update was made in this table.
The following diagram shows that the SELECT
command references the emp
table in the sales_mgr
schema. However, the dept
table referenced by the get_dept_name
function in the emp_admin
package is from the hr_mgr
schema since the emp_admin
package has definer’s rights and is owned by hr_mgr
. The default search path setting with the $user
placeholder resolves the access by user hr_mgr
to the dept
table in the hr_mgr
schema.
Step 9: Run program hire_emp in the emp_admin package
While connected as user sales_mgr
, run the hire_emp
procedure in the emp_admin
package.
This diagram shows that the hire_emp
procedure in the emp_admin
definer’s rights package updates the emp
table belonging to hr_mgr
. The object privileges of hr_mgr
are used and the default search path setting with the $user
placeholder resolves to the schema of hr_mgr
.
Now connect as user hr_mgr
. The following SELECT
command verifies that the new employee was added to the hr_mgr
emp
table since the emp_admin
package has definer’s rights and hr_mgr
is the emp_admin
owner.
- On this page
- Step 1: Create database and users
- Step 2: Create the sample application
- Step 3: Create the emp table in schema sales_mgr
- Step 4: Remove default privileges
- Step 5: Change list_emp to invoker’s rights
- Step 6: Change hire_clerk to invoker’s rights and qualify call to new_empno
- Step 7: Grant required privileges
- Step 8: Run programs list_emp and hire_clerk
- Step 9: Run program hire_emp in the emp_admin package