privileges grant and revoke grant diagrams a file system
play

Privileges Grant and Revoke Grant Diagrams A file system: - PowerPoint PPT Presentation

Sep 07, 2022 •418 likes •722 views

Privileges Grant and Revoke Grant Diagrams A file system: Identifies certain privileges on the objects (files) it manages. Typically read, write, execute. Identifies certain participants to whom

  1.  Privileges �  Grant and Revoke �  Grant Diagrams �

  2.  A file system: �  Identifies certain privileges on the objects (files) it manages. �  Typically read, write, execute. �  Identifies certain participants to whom privileges may be granted. �  Typically the owner, a group, all users. �

  3.  SQL identifies a more detailed set of privileges on objects (relations) than the typical file system. �  Nine privileges in all are defined, some of which can be restricted to specific attributes of a relation. �

  4. Some important privileges on a relation (see the text for the  complete list): � SELECT = right to query the relation. � 1. INSERT = right to insert tuples. � 2. DELETE = right to delete tuples. � 3. UPDATE = right to update tuples. � 4. SELECT, INSERT, and UPDATE may apply to only a specified  subset of the attributes. � A relation may be either a base table or view � 

  5.  Consider the statement below: � beers that do not appear in � INSERT INTO Beers(name) � Beers but are in Sells. We add � � SELECT beer FROM Sells � them to Beers with a NULL � manufacturer. � � WHERE NOT EXISTS � � � (SELECT * FROM Beers � � � WHERE name = beer); �  We require privileges SELECT on Sells and Beers, and INSERT on Beers or Beers.name. �

  6.  The objects on which privileges exist include stored tables and views. �  Other privileges give the right to create objects of a type, e.g., triggers. �  Views are another important tool for access control. �

  7.  We might not want to give the SELECT privilege for salary on � � � Emps(name, addr, salary). �  It is safer to give SELECT on: � � � CREATE VIEW SafeEmps AS � � � � SELECT name, addr FROM Emps; �  Queries on SafeEmps do not require SELECT on Emps, just on SafeEmps. �

  8.  Triggers can be tricky wrt privileges �  A user with a TRIGGER privilege for a relation can attempt to create any trigger for that relation �  However the condition and action part of a trigger may refer to other relations �  The user needs the appropriate privileges for those relations also �  But when someone does something that awakens a trigger, they don ʼ t need the privileges for the condition and action parts of the trigger �  E.g.: Recall the INSTEAD OF example for inserting into a view. �

  9.  A user is referred to by authorization ID , typically their login name. �  There is an authorization ID called PUBLIC . �  Granting a privilege to PUBLIC makes it available to any authorization ID. �

  10.  A user has all possible privileges on the objects (such as relations) that they create. �  The object owner may grant privileges to other users (authorization ID ʼ s), including PUBLIC. �  The object owner may also grant privileges WITH GRANT OPTION, which lets the grantee also grant this privilege. �

  11.  To grant privileges: � � � GRANT � <list of privileges> � � � ON � <relation or other object> � � � TO � <list of authorization ID ʼ s>; �  If you want the recipient(s) to be able to pass the privilege(s) to others add: � � � WITH GRANT OPTION �

  12.  Suppose you are the owner of Sells. You may say: � � � GRANT SELECT, UPDATE(price) � � � ON Sells � � � TO sally; �  Now Sally has the right to issue any query on Sells �  She can update the price component only. �

  13.  Suppose we also grant: � � � GRANT UPDATE ON Sells TO sally � � � WITH GRANT OPTION; �  Now, Sally not only can update any attribute of Sells, but she can grant to others the privilege � � � � UPDATE ON Sells. �  Also, she can grant more specific privileges like � � � � UPDATE(price) ON Sells. �

  14.  Form: � � � REVOKE <list of privileges> � � � ON � <relation or other object> � � � FROM � <list of authorization ID ʼ s>; �  Your granting of these privileges can no longer be used by these users to justify their use of the privilege. �  But they may still have the privilege because they obtained it from elsewhere. �

  15. We must append to the REVOKE statement either: �  CASCADE. Now, any grants made by a revokee are also not in 1. force, no matter how far the privilege was passed. � RESTRICT. If the privilege has been passed to others, the 2. REVOKE fails as a warning that something else must be done to “chase the privilege down.” �

  16.  It is useful to represent grants and privileges by means of a graph called a grant diagram. �  Nodes = user / privilege / grant option (y/n) / is owner (y/n) �  Note that: � � � UPDATE ON R, � � � UPDATE(a) ON R, and � � � UPDATE(b) ON R � � are represented by different nodes. �  Also: � � � SELECT ON R and � � � SELECT ON R WITH GRANT OPTION � � similarly are represented by different nodes. �  Edge X -> Y means that node X was used to grant Y . �

  17.  Use AP for the node representing authorization ID A with privilege P . �  P * = privilege P with grant option. �  P ** = the owner/source of the privilege P . �  I.e., A is the owner of the object on which P is a privilege. �  Note ** implies grant option. �

  18.  When A grants P to B , we draw an edge from AP * or AP ** to BP . �  Or to BP * if the grant is with grant option. �  If A grants a subprivilege Q of P to B (say, UPDATE(a) on R when P is UPDATE ON R) then the edge goes to BQ or BQ *, instead. �

  19.  Fundamental rule: � User C has privilege Q as long as � 1. there is a path from XP ** to CQ , CQ *, or CQ **, and � 2. P is a superprivilege of Q . �  P is a superprivilege of Q if having P implies a user has Q �  Remember that P could be Q , and X could be C . �

  20.  If A revokes P from B with the CASCADE option, delete the edge from AP to BP . �  But if A uses RESTRICT instead, and there is an edge from BP to anywhere, then reject the revocation and make no change to the graph. �

  21.  Having revised the edges, we must check that each node has a path from some ** node, representing ownership. �  This strategy also handles cycles in granting. �  Any node with no such path represents a revoked privilege and is deleted from the diagram. �

  22. AP** A owns the � object on � which P is � a privilege �

  23. AP** BP* A owns the � A: � object on � GRANT P � which P is � TO B WITH � a privilege � GRANT OPTION �

  24. B: � GRANT P � TO C WITH � GRANT OPTION � AP** BP* CP* A owns the � A: � object on � GRANT P � which P is � TO B WITH � a privilege � GRANT OPTION �

  25. B: � GRANT P � TO C WITH � GRANT OPTION � AP** BP* CP* A owns the � A: � CP object on � GRANT P � which P is � TO B WITH � a privilege � GRANT OPTION � A: � GRANT P � TO C �

  26. A executes � REVOKE P FROM B CASCADE; � AP** BP* CP* CP Not only does B lose � P*, but C loses P*. � Delete BP* and CP*. � However, C still � has P without grant � option because of � the direct grant. �

  27. A executes � Even had � REVOKE P FROM B CASCADE; � C passed P � to B, both � AP** BP* CP* nodes are � still cut off. � CP Not only does B lose � P*, but C loses P*. � Delete BP* and CP*. � However, C still � has P without grant � option because of � the direct grant. �

  28.  Consider the sequence: � U: GRANT INSERT ON R TO V � U: GRANT INSERT(A) ON R TO V � U: REVOKE INSERT ON R FROM V RESTRICT �  V retains INSERT(A) privilege from U �

  29.  Consider the sequence: � U: GRANT p TO V WITH GRANT OPTION � V: GRANT p TO W � U: REVOKE GRANT OPTION FOR p FROM V CASCADE �  V retains p privilege, but W does not. �  When U revokes the grant option, a new node is created for V having the p privilege but without the grant option. �  Then the arc from U/p** to V/p* is deleted, disconnecting the W/p node �

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

GRANT AWARDS UPDATE A Report on Current and Potential Grant Awards RECENT GRANT AWARDS 2

GRANT AWARDS UPDATE A Report on Current and Potential Grant Awards RECENT GRANT AWARDS 2

GRANT AWARDS UPDATE A Report on Current and Potential Grant Awards RECENT GRANT AWARDS 2 ECONOMIC DEVELOPMENT GRANT AWARDS Cross Rhodes Spec Building: Two Recent Grant Awards First grant was a LocateSC Fund Grant Award Second grant was a

243 views • 22 slides
RESOURCES FOR STUDENTS AND FAMILIES COLLEGE ACCESS CHALLENGE GRANT Grant Implementation led

RESOURCES FOR STUDENTS AND FAMILIES COLLEGE ACCESS CHALLENGE GRANT Grant Implementation led

RESOURCES FOR STUDENTS AND FAMILIES COLLEGE ACCESS CHALLENGE GRANT Grant Implementation led by The University System of Georgia on behalf of the Governors Office. Grant Partners Include: 1. Technical College System of Georgia 2.

615 views • 45 slides
RESOURCES FOR STUDENTS AND FAMILIES COLLEGE ACCESS CHALLENGE GRANT Grant Implementation led by

RESOURCES FOR STUDENTS AND FAMILIES COLLEGE ACCESS CHALLENGE GRANT Grant Implementation led by

RESOURCES FOR STUDENTS AND FAMILIES COLLEGE ACCESS CHALLENGE GRANT Grant Implementation led by The University System of Georgia on behalf of the Governors Office. Grant Partners Include: 1. Technical College System of Georgia 2. Georgia

320 views • 28 slides
Grant Closeout 1 What is grant closeout? The closeout of a grant is a process in which HUD

Grant Closeout 1 What is grant closeout? The closeout of a grant is a process in which HUD

Grant Closeout 1 What is grant closeout? The closeout of a grant is a process in which HUD determines that all applicable administrative and program requirements of the applicable Grant Agreement between HUD and the grantee have been

299 views • 15 slides
Best Practices in Best Practices in Grant Writing Grant Writing The Bayer Fund What is a Grant

Best Practices in Best Practices in Grant Writing Grant Writing The Bayer Fund What is a Grant

Best Practices in Best Practices in Grant Writing Grant Writing The Bayer Fund What is a Grant Proposal? A grant proposal is a clear statement of need, the plan to serve that need, and a specific request for funds to support the successful

662 views • 23 slides
How TSA created a successful grant program Why grant income? There is $80b in funding for

How TSA created a successful grant program Why grant income? There is $80b in funding for

How TSA created a successful grant program Why grant income? There is $80b in funding for NFPs in Australia each year. 1,000% increase in grant revenue in a year. o From $8,000p.a to $100,000 TSAs recent grant funded projects

598 views • 14 slides
Grants for Women/Minorities Intercity Bus Security Grant (IBSGP) 5311(f) Grant Grant Writing

Grants for Women/Minorities Intercity Bus Security Grant (IBSGP) 5311(f) Grant Grant Writing

Grants for Women/Minorities Intercity Bus Security Grant (IBSGP) 5311(f) Grant Grant Writing Process Tips - Response to RFPs What is a grant? a sum of money given by a government or other organization for a particular purpose All

540 views • 36 slides
A Control Point for Reducing Root Abuse of File-System Privileges Glenn Wurster , Paul C. van

A Control Point for Reducing Root Abuse of File-System Privileges Glenn Wurster , Paul C. van

Introduction Solution for the Desktop A Control Point for Reducing Root Abuse of File-System Privileges Glenn Wurster , Paul C. van Oorschot School of Computer Science Carleton University, Canada 6 Oct 2010 Glenn Wurster, Paul C. van Oorschot

527 views • 25 slides
Grant Workshop Lutheran Congregations Welcome to The Lutheran Foundations online grant

Grant Workshop Lutheran Congregations Welcome to The Lutheran Foundations online grant

Grant Workshop Lutheran Congregations Welcome to The Lutheran Foundations online grant workshop instructions. 1 Grant Cycle: Summer 2020 Workshop The attendance requirement for the June 1 grant application deadline has been

727 views • 31 slides
NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics (for file system) ACLs is a

NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics (for file system) ACLs is a

NFSv4.1, ACL and Co. Tigran Mkrtchyan For dCache Team ACL basics (for file system) ACLs is a list of Access Control Entries attached to a file or a directory ACEs grant or deny a principal an action on a file or a directory ACL basics

379 views • 34 slides
Grant Writing Grant Writing Our Stories Our Stories Intro on Grant Writing Experiences in

Grant Writing Grant Writing Our Stories Our Stories Intro on Grant Writing Experiences in

Grant Writing Grant Writing Our Stories Our Stories Intro on Grant Writing Experiences in Kalamazoo and Boulder Who Gives Money Who Gives Money Examples from each phase: 2009 Data: From Amt in Billions Percentage Individuals 227.41 75%

568 views • 15 slides
After the Grant is Over: Grant Close Out and Retention Kelly Shipp Simone Deputy General

After the Grant is Over: Grant Close Out and Retention Kelly Shipp Simone Deputy General

After the Grant is Over: Grant Close Out and Retention Kelly Shipp Simone Deputy General Counsel, Council on Foundations Sue Fulton Grants/Financial Manager, Endowment for Health Grant Close Out Process Grant Close Out and Retention

213 views • 18 slides
USDA Grant Funding Webinar Reconnect Rural Broadband Grant and RUS-DLT Grant Dana Satterwhite,

USDA Grant Funding Webinar Reconnect Rural Broadband Grant and RUS-DLT Grant Dana Satterwhite,

USDA Grant Funding Webinar Reconnect Rural Broadband Grant and RUS-DLT Grant Dana Satterwhite, Grant Consultant Learn Design Apply, Inc. Learn Design Apply, Inc. (LDA) is a grants consulting and management company with 50+ years combined

625 views • 36 slides
Coleman Action Grant HCC Entrepreneurial Eco-System In Action Five Fabulous Programs! Sandra

Coleman Action Grant HCC Entrepreneurial Eco-System In Action Five Fabulous Programs! Sandra

Coleman Action Grant HCC Entrepreneurial Eco-System In Action Five Fabulous Programs! Sandra Louvier Director, Center for Entrepreneurship Evelyn V. Velasquez Interim Dean, Workforce &amp; Economic Development Coleman Action Grant Creating

280 views • 14 slides
Minutes To/Attention Notes to File Date October 10, 2019 From Rebecca Grant Project No

Minutes To/Attention Notes to File Date October 10, 2019 From Rebecca Grant Project No

IBI GROUP 907 SW Harvey Milk Street Portland OR 97205 USA tel 503 222 2045 fax 503 273 9192 ibigroup-edpnw.com Minutes To/Attention Notes to File Date October 10, 2019 From Rebecca Grant Project No 122287 Subject Conceptual Master

1.02k views • 74 slides
Grantober Workshop One In Introductio ion to Grant Writ itin ing A welcome to the

Grantober Workshop One In Introductio ion to Grant Writ itin ing A welcome to the

In Introduction to Grant Writ itin ing (Grant Writ iting 101) Grantober Workshop One In Introductio ion to Grant Writ itin ing A welcome to the wonderful world of grant writing Professor Christina Lee Associate Dean

259 views • 22 slides
Advanced Breakpointing Software Breakpoints INT 3 Memory

Advanced Breakpointing Software Breakpoints INT 3 Memory

Advanced Breakpointing Software Breakpoints INT 3 Memory Breakpoints Page guarding Hardware Breakpoints CPU hardware 2 Software Breakpoints

482 views • 35 slides
Heavy Hadron Hadron Spectroscopy Spectroscopy and and Heavy Production at Tevatron Tevatron

Heavy Hadron Hadron Spectroscopy Spectroscopy and and Heavy Production at Tevatron Tevatron

Heavy Hadron Hadron Spectroscopy Spectroscopy and and Heavy Production at Tevatron Tevatron Production at Igor V. Gorelov University of New Mexico, USA On behalf of CDF and D Collaborations XIV International Conference on Hadron

325 views • 29 slides
Easy, Scalable, Fault-tolerant Stream Processing with St Structured ed St Strea eamin ing

Easy, Scalable, Fault-tolerant Stream Processing with St Structured ed St Strea eamin ing

Easy, Scalable, Fault-tolerant Stream Processing with St Structured ed St Strea eamin ing Burak Yavuz DataEngConf NYC October 31 st 2017 Who am I Software Engineer Databricks - We make your

804 views • 66 slides
Point of Departure : Pnueli &amp; Shalevs 1991 paper Whats in a Step: On the semantics of

Point of Departure : Pnueli &amp; Shalevs 1991 paper Whats in a Step: On the semantics of

Point of Departure : Pnueli &amp; Shalevs 1991 paper Whats in a Step: On the semantics of Statecharts Pnueli and Shalev show how, while observing global consistency and causality, the synchronous language Statecharts can be given

494 views • 13 slides
S i l i c o n d e t e c t o r s : s t a t e o f t h e a r t &amp; p

S i l i c o n d e t e c t o r s : s t a t e o f t h e a r t &amp; p

S i l i c o n d e t e c t o r s : s t a t e o f t h e a r t &amp; p o s s i b l e o p t i o n s f o r MU o n E S t e f a n o Me r s i , C E R N T h e E v a l u a t i o

1.05k views • 66 slides
Theory of Computer Games: Concluding Remarks Tsan-sheng Hsu tshsu@iis.sinica.edu.tw

Theory of Computer Games: Concluding Remarks Tsan-sheng Hsu tshsu@iis.sinica.edu.tw

Theory of Computer Games: Concluding Remarks Tsan-sheng Hsu tshsu@iis.sinica.edu.tw http://www.iis.sinica.edu.tw/~tshsu 1 Abstract Introducing practical issues. The open book. The graph history interaction (GHI) problem. Smart

884 views • 28 slides
Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc

Hardware Operators for Pairing-Based Cryptography Part I: Because size matters Jean-Luc Beuchat Laboratory of Cryptography and Informantion Security University of Tsukuba, Japan jeanluc.beuchat@gmail.com Joint work with: enaire, LIP,

1.73k views • 139 slides
Multivariate Extreme Value models Michel Bierlaire michel.bierlaire@epfl.ch Transport and

Multivariate Extreme Value models Michel Bierlaire michel.bierlaire@epfl.ch Transport and

Multivariate Extreme Value models Michel Bierlaire michel.bierlaire@epfl.ch Transport and Mobility LAboratory Multivariate Extreme Value models p. 1/62 Logit Random utility: U in = V in + in in is i.i.d. EV (Extreme Value)

990 views • 62 slides

More recommend