Developing a Security Plan


Like the security assessment, a security plan needs to be developed after the structure of the database system is known. For existing systems, the structure is already known, but for new systems, the security plan needs to wait until the system structure plan is complete. As soon as all the table and field structures have been determined, you can go through that structure and determine the levels of access that need to be used with each table and field.

System roles often match up well to job titles in an organization, but it often happens that two people with the same title need to have different roles within the system. Job titles are a good starting point for developing user categories, but don't overlook role differences just because two people have the same title.

You'll need to evaluate user categories in the context of each table. For example, members of a Sales category might need a high level of access in a Contacts table so that they can add, modify, and delete contacts, but they may have view-only access to an Accounts Receivable table. A great way to represent these table-by-table details of a security plan is to construct an access grid for each table. An example is shown in Table 12.1.

Table 12.1. Access Grid

| User Category | Administrator | Manager | Sales | Accounting |
|---|---|---|---|---|
| Menu Access (Full, Editing Only, None) | Full | Full | Edit Only | Edit Only |
| Script Access (Yes, No, Limited) | | | | |
| Execute | Yes | Yes | Yes | Yes |
| Modify | Yes | No | No | No |
| Value List Access (Modifiable, View, None) | Modifiable | Modifiable | View | |
| Record Access | | | | |
| View | Yes | Yes | Yes | Yes |
| Create | Yes | Yes | Yes | No |
| Edit | Yes | Yes | Limited | No |
| Delete | Yes | Yes | Limited | No |
| Field Access | | | | |
| Contact ID | Yes | Yes | No | No |
| First Name | Yes | Yes | Yes | Yes |
| Last Name | Yes | Yes | Yes | Yes |
| Address 1 | Yes | Yes | Yes | Yes |
| Address 2 | Yes | Yes | Yes | Yes |
| City | Yes | Yes | Yes | Yes |
| State | Yes | Yes | Yes | Yes |
| ZIP Code | Yes | Yes | Yes | Yes |

After you've developed access grids for each table in the database system, you're ready to implement the security plan.

Start by setting up the privilege sets you're going to need, then the accounts and the extended privileges. After those pieces are in place, you can create or modify scripts and calculations that test for the various security configurations.
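Before building privilege sets, it helps to check the grid itself. The following is an added example, not code from the book: it transcribes Table 12.1 as data, lists the cells that cannot be implemented as written, and groups user categories that could share one privilege set. The function names, row labels and review rules (blank cell means grant nothing, "Limited" needs a written condition, record changes presuppose View) are assumptions made for illustration.

```python
# Table 12.1 as data. Added example; names and rules are illustrative assumptions.
CATEGORIES = ["Administrator", "Manager", "Sales", "Accounting"]

GRID = {
    "Menu Access":       ["Full", "Full", "Edit Only", "Edit Only"],
    "Script: Execute":   ["Yes", "Yes", "Yes", "Yes"],
    "Script: Modify":    ["Yes", "No", "No", "No"],
    "Value List Access": ["Modifiable", "Modifiable", "View", ""],  # blank in the grid
    "Record: View":      ["Yes", "Yes", "Yes", "Yes"],
    "Record: Create":    ["Yes", "Yes", "Yes", "No"],
    "Record: Edit":      ["Yes", "Yes", "Limited", "No"],
    "Record: Delete":    ["Yes", "Yes", "Limited", "No"],
    "Field: Contact ID": ["Yes", "Yes", "No", "No"],
}
# The remaining field rows are "Yes" for every category.
for name in ["First Name", "Last Name", "Address 1", "Address 2", "City", "State", "ZIP Code"]:
    GRID[f"Field: {name}"] = ["Yes"] * 4


def review(grid, categories=CATEGORIES):
    """Return (row, category, problem) for cells that cannot be implemented as written."""
    findings = []
    for row, cells in grid.items():
        for cat, cell in zip(categories, cells):
            if not cell.strip():
                findings.append((row, cat, "undecided: grant nothing until filled in"))
            elif cell == "Limited":
                findings.append((row, cat, "needs a written condition"))
    # Assumed review rule: creating, editing or deleting records presupposes viewing them.
    for i, cat in enumerate(categories):
        if grid["Record: View"][i] == "No":
            for row in ("Record: Create", "Record: Edit", "Record: Delete"):
                if grid[row][i] != "No":
                    findings.append((row, cat, "granted without Record: View"))
    return findings


def privilege_sets(grid, categories=CATEGORIES):
    """Group categories whose columns are identical; each group needs one privilege set."""
    groups = {}
    for i, cat in enumerate(categories):
        column = tuple(cells[i] for cells in grid.values())
        groups.setdefault(column, []).append(cat)
    return list(groups.values())


if __name__ == "__main__":
    for finding in review(GRID):
        print(*finding, sep=" | ")
    print(privilege_sets(GRID))
```

For this grid the review reports the blank Accounting cell under Value List Access and the two "Limited" cells for Sales, and every category ends up needing its own privilege set because Administrator and Manager differ on script modification.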



QUE CORPORATION - Using Filemaker pro X
Year: 2003
Pages: 494
