Introduction to Vector Security
Security Features
Data security is a concern for everyone. The need to ensure the safety of personal information and to protect vital corporate assets stored electronically is of paramount importance.
Vector has a built-in hierarchical security system that any privileged user can use to fully control access to the database.
Security in Vector is provided through the following features:
• Directory and file permissions
• User-related security features, including:
– Users
– Groups
– Roles
– Profiles
– Subject privileges
• Object permissions
• Security alarms
• Security auditing
• Data at rest encryption
Level of Security
Understanding Vector Security Mechanisms
Vector provides a variety of security methods. The default method is DBMS Authentication.
• Access control methods, which include Kerberos and user authentication
• User authentication methods, which include DBMS Authentication, INGRES mechanism, and NULL mechanism
• Encryption methods, which include Kerberos and AES.
Kerberos
Allows access through private key and requires a trusted third party. Kerberos is a dynamic mechanism because it uses third-party software and is loaded into the Vector executable image at runtime. Kerberos is a highly secure alternative to OS security, and optionally allows encryption of the entire data stream between the DBMS Server and the client.
DBMS Authentication
(Default) Allows user authentication against the DBMS users and passwords defined in the installation, without having to use any external or OS security mechanism. The DBMS Server provides the authentication.
INGRES mechanism
Allows user authentication against the operating system.
NULL mechanism
Allows users to authenticate without providing passwords or other types of authentication. Use of the Null security mechanism is strongly discouraged.
AES
Provides encryption of the network data stream between the DBMS Server and the client. This mechanism does not provide user authentication. AES is a dynamic mechanism because it uses OS encryption libraries and is loaded into the Vector executable image at runtime.
Except for DBMS Authentication, all these methods are performed before the connection is made to the DBMS Server.
The NULL, INGRES, KERBEROS, and AES mechanisms are listed under the Security component in Configuration-By-Forms (or Configuration Manager, if available). The default configuration setting for security mechanisms rarely needs to be changed. Multiple mechanisms are supported concurrently.
The DBMS Authentication method is controlled in Configuration-By-Forms, DBMS Server component, dbms_authentication.
Directory and File Permissions
Databases are protected from user access by the permissions on the directories containing the database files and the permissions on the database files themselves. Users cannot look at the files in a database except through Vector. Even in Vector, files are protected from access except from the privileged accounts. The binary files are in a special format, making decoding of any information difficult.
User Authentication
For each Vector user, a user object must be defined in the master database.
Vector authenticates users:
• Through the operating system account and password, which must correspond with the user object definition in the master database. Additional passwords can also be set on users and roles.
or
• Directly through the DBMS Server, in which the user name and password must match the user object definition in the master database. This method is known as DBMS authentication. If DBMS_AUTHENTICATION is enabled for the server, the user does not have to be defined as an operating system user.
Remote Users
Ingres Net allows access to databases on local or remote nodes. Users can only access data for which they are authorized.
Ingres Net can be configured to allow users access to remote nodes directly (through an installation password) or by providing a user name and password. The user name and password can be authenticated by the DBMS (if the server has DBMS authentication enabled), or against a local OS user account. The password is encrypted as it is sent across the network.
Installation Passwords
Ingres Net allows you to set up an Installation Password to authorize access to a server installation from a remote client installation without setting up an operating system account on the server; the user retains his identity as defined on the client instance.
The main advantage of using installation passwords is that users on the client do not require a login account on the server.
A valid Vector user object must be created in the master database using the same operating system user ID as on the remote client. OS authentication is done on the remote client, where the user must have a login and password.
For details of Ingres Net setup, see the Connectivity Guide.
The ingvalidpw Utility
In some environments, Vector uses the ingvalidpw program to validate user passwords. Ingvalidpw is used depending on the requirements of the platform where the password is validated. For example, the DBMS Server uses the ingvalidpw program to validate shadow passwords on Linux or to enforce C2 security in some Linux environments.
Ingvalidpw is used for authentication against OS users; it is not used when DBMS authentication is enabled.
DBMS Authentication
Vector allows DBMS level authentication in addition to the other supported methods (which include operating system authentication, installation passwords, and Kerberos authentication). The DBMS authentication feature removes the need to add an operating system user every time a new user needs to access a database.
A user who is appropriately defined in the database can access the database using a valid Vector user name and password. The user does not have to be defined at the operating system level or in a global directory.
DBMS authentication must be enabled for the DBMS Server on which the database resides. It is on by default (dbms_authentication=on in config.dat). Such authentication can be enabled at the server level only, not at the database level.
Database administrators can configure DBMS authentication for each user by using new WITH options on the CREATE USER and ALTER USER statements or by using Actian Director or accessdb.
A user can be defined on the CREATE USER statement as either WITH DBMS_AUTHENTICATION='REQUIRED' or WITH DBMS_AUTHENTICATION='OPTIONAL' (the default).
A user who is defined WITH DBMS_AUTHENTICATION='REQUIRED' must connect to the database using his DBMS user name and password. All other connection attempts will fail. Such a user cannot connect to a server configured as dbms_authentication=no.
System administration users must be defined as DBMS_AUTHENTICATION='OPTIONAL.' All users with the "security" privilege, including the installation owner, are forced to be DBMS_AUTHENTICATION='OPTIONAL'.
If a user is created or altered with DBMS_AUTHENTICATION='REQUIRED', the user must also have a DBMS password or an error is issued. A user defined with no DBMS password can connect to dbms_authentication enabled servers only through a local connection, installation password, or Kerberos authentication.
Users can set and modify their own DBMS passwords if they have the CHANGE_PASSWORD privilege (the default). DBMS passwords are encrypted on disk and when passed over the network.
DBMS authentication is backward compatible. An older remote client will work with new remote dbms_authentication enabled servers assuming that the DBMS password (defined by the CREATE USER statement and stored in iiuser catalog) is compatible with the vnode password.
When an existing installation is upgraded, existing user definitions are modified to DBMS_AUTHENTICATION='OPTIONAL'.
For more information, see the CREATE USER, ALTER USER, and CONNECT statements in the SQL Reference Guide.
Authorization Identifiers
Access can be granted to four authorization identifiers.
Identifiers are listed here from highest to lowest precedence, which determines the privilege enforced for a session if a particular privilege is defined for more than one authorization identifier associated with a session.
• Role
Roles simplify access to the database by associating subject privileges and permissions with an application. Roles can be created with the option of an additional password. The EXTERNAL_PASSWORD option allows a role’s password to be passed to an external authentication server for authentication.
• User
For each valid Vector user, a user object must be created in the Vector master database iidbdb. The user object specifies the user name, default group, default profile, subject privileges, and other attributes.
• Group
Groups simplify the managing of permissions because individual users can be added or removed from groups as required. Being a member of a group does not automatically give the user the permissions granted to the group. The user must have the group specified as default group or specify the group name in the session startup.
• Public
Granting permissions on objects to PUBLIC allows any user, group, or role access to those objects. The use of grants to PUBLIC should be limited.
Subject Privileges
Subject privileges define the operations a user can perform, and are assigned to a user or a role. Subject privileges include: Auditor, Create Database, Maintain Audit, Maintain Locations, Maintain Users, Operator, Security, and Trace.
Object Permissions
Data access can be restricted through the granting of permissions on objects. Permissions can be granted on the following objects: database, table, view, procedure, database event, role, and current installation.
Security Alarms
Security alarms can be set up to monitor events against a database or individual tables. Such triggers on important databases and tables are useful in detecting unauthorized access.
Security alarms can monitor success or failure of connecting or disconnecting from a database, and selecting, deleting, inserting, or updating data in a table.
Security alarms can raise a database event (dbevent), which can be monitored by background programs that respond accordingly. Security alarms can be assigned to specific authorization identifiers to limit the monitoring to selected users, groups, or roles.
Security Auditing
Security events can be recorded for the entire Vector installation. All objects or certain classes of objects can be targeted. Information in the audit logs can grow quickly, so you should carefully plan what events to audit.
Database Procedures
Database procedures provide an extra level of control over data access and modification. Database procedures can be used with security alarms to enhance security auditing.
Data at Rest Encryption
Data can be encrypted at the database level to enhance data security, ensure privacy, and protect media that contains database records holding sensitive information. Data is stored on disk or other media in encrypted form and can only be accessed if the encryption passphrase is known.
Data at rest encryption protects table information, transaction information, and full database backups.