
Closed vs. open security policies and permissions in an RBAC role hierarchy

In database security, can you please explain to me why closed security policies provide better protection than open security policies? And can you please evaluate the assumption that an unconstrained upward inheritance of positive permissions in an RBAC role hierarchy is too strong?

To explain why closed security policies are better protection than open ones, let me give you an example. Let's suppose that my company has determined that the Oracle listener will listen on port 1599 (a non-default port) and that all database passwords will contain 8 letters followed by 2 numbers. If I publish this information on the Web, I now let any hacker know exactly which port to point to and exactly how my database passwords are composed. Do you want to give this information to a potential hacker? It's better to safeguard this information within your company.

I'm no expert on Role-Based Access Control outside of the Oracle arena. So I'll give you the information that I know and leave it at that. I'm not convinced that unconstrained upward inheritance is entirely a bad thing. For instance, I might have a role called APPL_USER which is assigned to all of my application users. This role lets the user perform read-only, or SELECT, operations on specific tables. Then I have an APPL_ADMIN role for application administrators. This role lets the admins change the tables, and it also inherits the APPL_USER role so that the admin can read the tables as well. This is an easy way to transfer all of the rights of one role to another. Unfortunately, the APPL_ADMIN role (which has been granted the APPL_USER role) inherits *all* of the APPL_USER role's rights. You can't give APPL_ADMIN just some of the rights granted to APPL_USER. It's an all-or-nothing proposition. This may be too strong for your system. It may be better to code specific rights to APPL_ADMIN and specific rights to APPL_USER. This will separate the two functionalities.
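Worked example added here (not part of the expert's answer): the APPL_USER/APPL_ADMIN hierarchy in Oracle SQL, both in the inherited form and in the "code specific rights to each role" form, followed by the dictionary queries a DBA would run to see exactly what APPL_ADMIN ends up holding. The application schema APPL and its tables ORDERS and CUSTOMERS are assumed for illustration.

```sql
-- Constructed example: two roles, the lower one read-only.
CREATE ROLE appl_user;
CREATE ROLE appl_admin;

-- APPL_USER: SELECT only, on the application tables (assumed schema APPL).
GRANT SELECT ON appl.orders    TO appl_user;
GRANT SELECT ON appl.customers TO appl_user;

-- APPL_ADMIN: may change the tables ...
GRANT INSERT, UPDATE, DELETE ON appl.orders    TO appl_admin;
GRANT INSERT, UPDATE, DELETE ON appl.customers TO appl_admin;

-- ... and, via role-to-role grant, inherits everything APPL_USER holds.
-- This is the all-or-nothing step: any privilege granted to APPL_USER
-- later is automatically held by APPL_ADMIN as well.
GRANT appl_user TO appl_admin;

-- Alternative the answer suggests: no inheritance, each role carries its
-- own explicit rights, so the two sets of permissions evolve independently.
-- REVOKE appl_user FROM appl_admin;
-- GRANT SELECT ON appl.orders    TO appl_admin;
-- GRANT SELECT ON appl.customers TO appl_admin;

-- Audit query 1: every role APPL_ADMIN inherits, transitively
-- (ROLE_ROLE_PRIVS lists roles granted to roles you can see).
SELECT LEVEL AS depth, role, granted_role
  FROM role_role_privs
 START WITH role = 'APPL_ADMIN'
 CONNECT BY PRIOR granted_role = role;

-- Audit query 2: effective object privileges of APPL_ADMIN, i.e. its own
-- grants plus everything reached through the inherited roles above.
SELECT p.role, p.owner, p.table_name, p.privilege
  FROM role_tab_privs p
 WHERE p.role = 'APPL_ADMIN'
    OR p.role IN (SELECT granted_role
                    FROM role_role_privs
                   START WITH role = 'APPL_ADMIN'
                 CONNECT BY PRIOR granted_role = role)
 ORDER BY p.role, p.owner, p.table_name, p.privilege;
```

Running the second query before and after REVOKE appl_user FROM appl_admin shows the difference between the two designs: with inheritance, the SELECT rows appear under role APPL_USER; with explicit grants, they appear under APPL_ADMIN itself and no longer change when APPL_USER does.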
