Summary

SQL by itself provides only limited security mechanisms. It essentially uses GRANT and REVOKE statements to control access to the database objects through system privileges. Relational Database Systems needed more robust security, which have been implemented in a variety of nonstandard ways by the RDBMS vendors.

There are several different macro-layers of security: authentication, authorization, and audit. There are also different techniques used to protect data on the most basic levels.

All RDBMS consider the notion of a user as some entity that connects to a database and performs actions. Further, all three vendors discussed in this book implement, in one way or another, roles, which is a method to manage sets of privileges. Roles can be system-defined (fixed) or user-defined.

The user gets authenticated either through RDBMS itself, or through the operating system on which the RDBMS is installed. Once authenticated, the user can perform authorized actions on the database objects. The authorization is handled through a system of privileges.

Using GRANT or REVOKE, authorization (privileges) can be assigned or denied to users or roles, and there are rules that govern the process.

Additional security can be implemented through various mechanisms supplied by the database itself: constraints, views, stored procedures, and triggers. The lowest level of defense is vested in the data itself, via encryption, which renders data unreadable by humans.

There are national and international security standards, which are recommended (but not required); some database vendors choose to get certified, while some do not.