Controlling User Layer's Privilege Automatically in Information System by Using DB2 Database
Qin Kai-Da, Yang Bao-Jian
(Faculty of Management and Economics, Kunming University of Science & Technology, Kunming, Yunnan 650093, China)
Abstract: The paper analyses the levels of privilege control and introduces the entity-relationship model, the relational database model and Structured Query Language. It then discusses how to control the user layer's privileges automatically, and shows how the entity-relationship model is used to build the data model of the user layer's privilege control system. Finally, it presents how the DB2 database is used to design and implement the system.
Key words: E-R Model; User Layer's Privilege; Trigger
Introduction
In every application system, controlling users' privileges is essential to system security. In fact, there are three levels at which user privileges can be controlled. The first is the system layer, also called the data layer; its privileges are controlled through the database and the operating system. You can assign different system and object privileges to different users by granting and revoking them in the database system, and you can divide users into groups in the operating system, each group with its own privileges. The second is the middle layer, also called the application layer; its privileges are controlled by gateways and logical control. Gateways include database gateways and network gateways (for example, a software firewall), and logical control may be implemented by application middleware or by user programs in the middle layer. The last is the user layer; traditionally its privileges are controlled by presenting different menus to different operators according to subsystem, so application programmers must modify the menus constantly as the business is regulated and regrouped.
This article introduces a new method to control the user layer's privileges automatically. It stores the structure of the menu in the database and uses procedures and triggers to assign user-layer privileges, turning a passive system into an active one.
1 E-R Model, Relational Database Model and SQL
1.1 Introduction to Entity-Relationship Model
There are two approaches to application system design: the process-oriented approach and the data-oriented approach. The process-oriented approach is mainly used to analyse system requirements, while the data-oriented approach depicts the ideal organization of data, independent of where and how the data are used within a system. One data-oriented method is the entity-relationship model.
The basic entity-relationship modelling notation uses three main constructs: data entities, relationships, and their associated attributes. An entity is an object that exists and is distinguishable from other objects; for example, a specific person, company or event can be called an entity. An entity set is a set of entities of the same type that share the same properties; the sets of all persons, companies and events correspond to the foregoing examples. An entity is represented by a set of attributes, that is, descriptive properties possessed by all members of an entity set; for example, a person may have a name, sex, telephone and address. A relationship is an association among several entities, and a relationship set is a mathematical relation among n ≥ 2 entities, each taken from entity sets [1]:
{(e1, e2, …, en) | e1 ∈ E1, e2 ∈ E2, …, en ∈ En}
where (e1, e2, …, en) is a relationship.
The entity-relationship model can be described by an entity-relationship diagram (or E-R diagram). An E-R diagram is a detailed, logical and graphical representation of the data for an organization or business area. There are several different E-R notations; in this article, rectangles represent entity sets, diamonds represent relationship sets, and lines link attributes to entity sets and entity sets to relationship sets.
1.2 Introduction to Relational Database Model
A database consists of multiple relations; the information about an application is broken up into parts, with each relation storing one part of the information. The relational database model represents data in the form of related tables, or relations. A relation is a named, two-dimensional table of data. Formally, given sets D1, D2, …, Dn, a relation r is a subset of
D1 × D2 × … × Dn
Thus a relation is a set of n-tuples (a1, a2, …, an) where each ai ∈ Di.
So each relation consists of a set of attributes; the set of allowed values for each attribute is called the domain of the attribute. Attribute values are (normally) required to be atomic, and the special value null is a member of every domain. There are six basic operators in relational algebra: 1. select σ; 2. project ∏; 3. union ∪; 4. set difference –; 5. Cartesian product ×; 6. rename ρ.
Normalization theory deals with how to design relational schemas and is based on well-accepted principles and rules. Three frequently used normalization rules are: 1. A relational schema R is in First Normal Form if the domains of all attributes of R are atomic; 2. A relational schema R is in Second Normal Form if each non-primary-key attribute is identified by the whole key; 3. A relational schema R is in Third Normal Form if the non-primary-key attributes do not depend on each other.
The most important step for your application system is transforming E-R diagrams into the relational database model. Mapping cardinality constraints is essential when transforming E-R diagrams into relations. In general, this is accomplished in four steps: 1. represent entities; 2. represent relationships; 3. normalize the relations; 4. merge the relations. [2]
1.3 Introduction to Structured Query Language (SQL)
SQL originated from IBM's Sequel language, which was first developed as part of the System R project at the IBM San Jose Research Laboratory and was subsequently renamed Structured Query Language. There are several ANSI and ISO SQL standards; commercial systems offer most, if not all, SQL-92 features, plus varying feature sets from later standards and special proprietary features. SQL is based on set and relational operations with certain modifications and enhancements. A typical SQL query has the form:
select A1, A2, ..., An
from r1, r2, ..., rm
where P
where Ai represents an attribute, ri represents a relation, and P is a predicate. This query is equivalent to the relational algebra expression
$\Pi_{A_1, A_2, \ldots, A_n}\left(\sigma_P\left(r_1 \times r_2 \times \cdots \times r_m\right)\right)$
SQL can be divided into three components: 1. Data Definition Language (DDL); 2. Data Manipulation Language (DML); 3. Data Control Language (DCL). DDL defines the logical structure of the database. It allows the specification not only of a set of relations but also of information about each relation, including the schema for each relation, the domain of values associated with each attribute, integrity constraints and so on. DML is used to retrieve, insert and modify database information; these commands are used by all database users during the routine operation of the database. The basic DML commands are the INSERT, UPDATE, SELECT and DELETE statements. DCL is the category of SQL statements that control access to the data and to the database; examples are the GRANT, REVOKE and BEGIN TRANSACTION statements.
2 The Design of the User Layer's Privilege Control
2.1 Assumptions
In fact, every application system has a general framework, also called a functional framework, so the structure of every information system can be organized into a tree, as shown in Figure 1. Every node of this tree is called a menu item (or privilege) in this article. The root of the tree is the application system, the main branches are the subsystems, and the leaves at the end of the tree provide the operations with which operators manipulate the database. For convenience of discussion, we make the following assumptions:
FIGURE 1: The Functional Structure of Information System
1. The structure of every application system has only three levels, and the height of the tree is the same everywhere. The first level is the name of the application system, the second level is the names of the subsystems, and the third is the leaves that manipulate the database.
2. Each user can see levels one and two, that is, each user owns the privileges or menu items of these two levels. The difference between users is that each has different operating privileges at level 3.
3. The difference in privileges between users does not depend on who they are, but on the roles they possess. A role is a set of privileges or menu items. For example, a supply management operator role may have some of the privileges of the supply management subsystem.
4. No user gains privileges directly. The privileges or menu items a user has depend only on the roles he or she possesses, so a user gains privileges by being assigned one or more roles.
2.2 The E-R Diagram of this Privilege Controlling System
According to the previous assumptions, the privilege control system has three entities: menu, user and role. The menu entity describes the structure of the application system, the user entity describes all users of the application system, and the role entity describes all roles of the application system. Each role has one or more menu items, each user has one or more roles, and so each user has one or more menu items indirectly. The resulting E-R diagram is the following: [3]
FIGURE 2: The E-R Diagram of this Privilege Controlling System
Here B_MenuInfo represents the menu entity, B_RoleInfo the role entity, and B_UserInfo the user entity.
2.3 The Table Structure of this Privilege Controlling System
According to the E-R diagram of the privilege control system, we can design the table structure of the system. The system has six tables, which are shown in Figure 3. PK in the figure marks the primary key of a table and FK the foreign key. The arrows in the figure show the relationship between two tables: the foreign key is an attribute of its host table and the primary key attribute of the referenced table.
1. B_MenuInfo: stores the structure of the menu items or privileges. It has five attributes: (1) MenuID is the number of the menu item. (2) MenuName is the name of the menu item. (3) PreMenuID is the number of the menu item one level up. (4) WebURL is the address of this menu item on your application server. (5) Note is a description of the menu item.
2. B_RoleInfo: stores basic information about all roles, which are divided by business application. It has three attributes: (1) RoleID is the number of the role. (2) RoleName is the name of the role. (3) Note is a description of the role.
3. B_RoleRight: stores the privileges or menu items possessed by every role. It has four attributes: (1) RoleRightNo is the number of the record, generated automatically by the system. (2) RoleID is the number of the role. (3) MenuID is the number of the menu item. (4) Assign shows whether the menu item is assigned to the role or not.
4. B_UserInfo: stores basic information about all users. It has five attributes: (1) UserID is the number of the user. (2) RoleName is the name of the user. (3) UserType is the type of the user. (4) Password is the password of the user, which is not displayed. (5) State shows whether the user is valid or not.
5. B_UserToRole: assigns roles to a specific user. It has four attributes: (1) UserRoleNo is the number of the record, generated automatically by the system. (2) UserID is the number of the user. (3) RoleID is the number of the role. (4) Assign shows whether the role is assigned to the user or not.
6. B_UserRight: if a user has some roles, he or she gains all privileges or menu items possessed by those roles. It has four attributes: (1) UserRightNo is the number of the record, generated automatically by the system. (2) UserID is the number of the user. (3) MenuID is the number of the menu item. (4) Assign shows whether the menu item is possessed by the user or not.
FIGURE 3: The Table Structure of the Privilege Controlling System
3 The Implementation of the User Layer's Privilege Control System by Using DB2 Database
3.1 The Stored Procedure and the Trigger in DB2
To change your database manager from a passive system into an active one, use the capabilities embodied in triggers. A trigger defines a set of actions that are activated, or triggered, by a modifying operation (insert, update or delete) on a specified base table. In a DB2 environment you can create stored procedures, methods and user-defined functions (UDFs) on the server and call them from a trigger. A stored procedure serves as an extension of the client that runs on the database server. Scalar UDFs let you extend and customize SQL; they can be invoked in the same manner as built-in DB2® functions. Methods let you define behaviours for structured types. [4]
3.2 The Implementation of Privilege Controlling System by Using DB2
In the privilege control system, all of the functions are obtained through triggers. There are five triggers, or logical transactions, in the privilege control system. We describe each trigger in pseudocode (the syntax follows the DB2 control structures). [5]
1. Trigger on table B_MenuInfo
After insert into B_MenuInfo for each row
  FOR all of the roles in B_RoleInfo DO
    IF NEW.MenuID is in level 1 or 2 THEN
      INSERT INTO B_RoleRight with this RoleID, NEW.MenuID and Assign='Y';
    ELSE
      INSERT INTO B_RoleRight with this RoleID, NEW.MenuID and Assign='N';
    END IF;
  END FOR;
  FOR all of the users in B_UserInfo DO
    IF NEW.MenuID is in level 1 or 2 THEN
      INSERT INTO B_UserRight with this UserID, NEW.MenuID and Assign='Y';
    ELSE
      INSERT INTO B_UserRight with this UserID, NEW.MenuID and Assign='N';
    END IF;
  END FOR;
2. Trigger on table B_RoleInfo
After insert into B_RoleInfo for each row
  FOR all of the users in B_UserInfo DO
    INSERT INTO B_UserToRole with this UserID, NEW.RoleID and Assign='N';
  END FOR;
  FOR all of the menu items in B_MenuInfo DO
    IF MenuID is in level 1 or 2 THEN
      INSERT INTO B_RoleRight with NEW.RoleID, this MenuID and Assign='Y';
    ELSE
      INSERT INTO B_RoleRight with NEW.RoleID, this MenuID and Assign='N';
    END IF;
  END FOR;
3. Trigger on table B_UserInfo
After insert into B_UserInfo for each row
  FOR all of the roles in B_RoleInfo DO
    INSERT INTO B_UserToRole with NEW.UserID, this RoleID and Assign='N';
  END FOR;
  FOR all of the menu items in B_MenuInfo DO
    IF MenuID is in level 1 or 2 THEN
      INSERT INTO B_UserRight with NEW.UserID, this MenuID and Assign='Y';
    ELSE
      INSERT INTO B_UserRight with NEW.UserID, this MenuID and Assign='N';
    END IF;
  END FOR;
4. Trigger on table B_RoleRight
After update on B_RoleRight for each row
  FOR all of the users who possess the role NEW.RoleID (B_UserToRole.Assign='Y') DO
    UPDATE B_UserRight SET Assign=NEW.Assign
      WHERE UserID=B_UserToRole.UserID AND MenuID=NEW.MenuID;
  END FOR;
5. Trigger on table B_UserToRole
After update on B_UserToRole for each row
  IF NEW.Assign='Y' THEN
    FOR all of the menu items possessed by the role NEW.RoleID in B_RoleRight DO
      Assign the menu item to the user NEW.UserID in B_UserRight;
    END FOR;
  ELSE
    FOR all of the menu items possessed by the role NEW.RoleID in B_RoleRight DO
      IF the menu item is not possessed by another role assigned to NEW.UserID THEN
        Cancel the menu item for the user NEW.UserID in B_UserRight;
      END IF;
    END FOR;
  END IF;
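The table structure of section 2.3 and the five triggers of section 3.2 as one working model, added here as an example; it is not code from the paper. SQLite (through Python's sqlite3 module) stands in for DB2, so the trigger syntax is SQLite's rather than DB2 SQL PL, while the table and column names follow Figure 3 (the user's name column is called UserName here). The test "is in level 1 or 2" is implemented as a view over PreMenuID; the menu items, roles, user 7 and the role rights are constructed sample values. As one design choice beyond the paper's pseudocode, the "not possessed by another role" check of trigger 5 is also applied when a role's right is revoked in trigger 4, so a user who holds the same leaf through a second role does not lose it.

```python
import sqlite3

SCHEMA = """
CREATE TABLE B_MenuInfo  (MenuID INTEGER PRIMARY KEY, MenuName TEXT, PreMenuID INTEGER, WebURL TEXT, Note TEXT);
CREATE TABLE B_RoleInfo  (RoleID INTEGER PRIMARY KEY, RoleName TEXT, Note TEXT);
CREATE TABLE B_RoleRight (RoleRightNo INTEGER PRIMARY KEY AUTOINCREMENT, RoleID INTEGER, MenuID INTEGER, Assign TEXT);
CREATE TABLE B_UserInfo  (UserID INTEGER PRIMARY KEY, UserName TEXT, UserType TEXT, Password TEXT, State TEXT);
CREATE TABLE B_UserToRole(UserRoleNo INTEGER PRIMARY KEY AUTOINCREMENT, UserID INTEGER, RoleID INTEGER, Assign TEXT);
CREATE TABLE B_UserRight (UserRightNo INTEGER PRIMARY KEY AUTOINCREMENT, UserID INTEGER, MenuID INTEGER, Assign TEXT);
-- Level 1 (root) and level 2 (subsystems) are visible to every role and user (assumption 2).
CREATE VIEW V_TopMenu AS
  SELECT m.MenuID FROM B_MenuInfo m WHERE m.PreMenuID IS NULL
     OR EXISTS (SELECT 1 FROM B_MenuInfo p WHERE p.MenuID = m.PreMenuID AND p.PreMenuID IS NULL);
"""
TOP = "IN (SELECT MenuID FROM V_TopMenu)"
# True when another assigned role still grants the B_UserRight row under examination.
HELD_BY_OTHER_ROLE = """EXISTS (SELECT 1 FROM B_UserToRole ur JOIN B_RoleRight rr ON rr.RoleID = ur.RoleID
    WHERE ur.UserID = B_UserRight.UserID AND ur.Assign = 'Y'
      AND rr.MenuID = B_UserRight.MenuID AND rr.Assign = 'Y')"""

TRIGGERS = f"""
-- 1. new menu item: one row per role and per user, 'Y' only for level 1/2
CREATE TRIGGER trg_menu_ins AFTER INSERT ON B_MenuInfo FOR EACH ROW BEGIN
  INSERT INTO B_RoleRight (RoleID, MenuID, Assign)
    SELECT RoleID, NEW.MenuID, CASE WHEN NEW.MenuID {TOP} THEN 'Y' ELSE 'N' END FROM B_RoleInfo;
  INSERT INTO B_UserRight (UserID, MenuID, Assign)
    SELECT UserID, NEW.MenuID, CASE WHEN NEW.MenuID {TOP} THEN 'Y' ELSE 'N' END FROM B_UserInfo;
END;
-- 2. new role: unassigned to every user, level 1/2 items pre-granted
CREATE TRIGGER trg_role_ins AFTER INSERT ON B_RoleInfo FOR EACH ROW BEGIN
  INSERT INTO B_UserToRole (UserID, RoleID, Assign) SELECT UserID, NEW.RoleID, 'N' FROM B_UserInfo;
  INSERT INTO B_RoleRight (RoleID, MenuID, Assign)
    SELECT NEW.RoleID, MenuID, CASE WHEN MenuID {TOP} THEN 'Y' ELSE 'N' END FROM B_MenuInfo;
END;
-- 3. new user: no roles yet, so only level 1/2 items are visible
CREATE TRIGGER trg_user_ins AFTER INSERT ON B_UserInfo FOR EACH ROW BEGIN
  INSERT INTO B_UserToRole (UserID, RoleID, Assign) SELECT NEW.UserID, RoleID, 'N' FROM B_RoleInfo;
  INSERT INTO B_UserRight (UserID, MenuID, Assign)
    SELECT NEW.UserID, MenuID, CASE WHEN MenuID {TOP} THEN 'Y' ELSE 'N' END FROM B_MenuInfo;
END;
-- 4. a role's right changes: push it to users holding the role; 5. a user's role assignment changes.
--    In both revoke cases a leaf is withdrawn only when no other assigned role still grants it.
CREATE TRIGGER trg_roleright_grant AFTER UPDATE OF Assign ON B_RoleRight FOR EACH ROW
WHEN NEW.Assign = 'Y' BEGIN
  UPDATE B_UserRight SET Assign = 'Y' WHERE MenuID = NEW.MenuID
    AND UserID IN (SELECT UserID FROM B_UserToRole WHERE RoleID = NEW.RoleID AND Assign = 'Y');
END;
CREATE TRIGGER trg_roleright_revoke AFTER UPDATE OF Assign ON B_RoleRight FOR EACH ROW
WHEN NEW.Assign = 'N' BEGIN
  UPDATE B_UserRight SET Assign = 'N' WHERE MenuID = NEW.MenuID AND MenuID NOT {TOP}
    AND UserID IN (SELECT UserID FROM B_UserToRole WHERE RoleID = NEW.RoleID AND Assign = 'Y')
    AND NOT {HELD_BY_OTHER_ROLE};
END;
CREATE TRIGGER trg_usertorole_grant AFTER UPDATE OF Assign ON B_UserToRole FOR EACH ROW
WHEN NEW.Assign = 'Y' BEGIN
  UPDATE B_UserRight SET Assign = 'Y' WHERE UserID = NEW.UserID
    AND MenuID IN (SELECT MenuID FROM B_RoleRight WHERE RoleID = NEW.RoleID AND Assign = 'Y');
END;
CREATE TRIGGER trg_usertorole_revoke AFTER UPDATE OF Assign ON B_UserToRole FOR EACH ROW
WHEN NEW.Assign = 'N' BEGIN
  UPDATE B_UserRight SET Assign = 'N' WHERE UserID = NEW.UserID AND MenuID NOT {TOP}
    AND MenuID IN (SELECT MenuID FROM B_RoleRight WHERE RoleID = NEW.RoleID AND Assign = 'Y')
    AND NOT {HELD_BY_OTHER_ROLE};
END;
"""

def build_demo():
    """Constructed sample data: one application, two subsystems, three leaves, two roles, one user."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA + TRIGGERS)
    con.executemany("INSERT INTO B_MenuInfo VALUES (?,?,?,?,?)", [
        (1, "ERP", None, "/", "root"), (10, "Supply", 1, "/supply", ""), (20, "Sales", 1, "/sales", ""),
        (101, "Purchase order", 10, "/supply/po", ""), (102, "Vendor list", 10, "/supply/vendor", ""),
        (201, "Invoice", 20, "/sales/invoice", "")])
    con.executemany("INSERT INTO B_RoleInfo VALUES (?,?,?)", [(1, "SupplyOperator", ""), (2, "Auditor", "")])
    con.execute("INSERT INTO B_UserInfo VALUES (7, 'alice', 'operator', '<password hash>', 'valid')")
    # The administrator only edits the two assignment tables; the triggers derive everything else.
    con.execute("UPDATE B_RoleRight SET Assign='Y' WHERE RoleID=1 AND MenuID IN (101, 102)")
    con.execute("UPDATE B_RoleRight SET Assign='Y' WHERE RoleID=2 AND MenuID IN (102, 201)")
    return con

def user_menu(con, user_id):
    """MenuIDs the client renders for this user, read from the derived table, never computed client-side."""
    rows = con.execute("SELECT MenuID FROM B_UserRight WHERE UserID=? AND Assign='Y' ORDER BY MenuID", (user_id,))
    return [r[0] for r in rows]

def set_user_role(con, user_id, role_id, assigned):
    con.execute("UPDATE B_UserToRole SET Assign=? WHERE UserID=? AND RoleID=?",
                ("Y" if assigned else "N", user_id, role_id))

def scenario():
    """Grant, overlap, revoke and menu growth for user 7; returns the visible menu after each step."""
    con = build_demo()
    seen = {"fresh": user_menu(con, 7)}
    for step, role, on in [("role1", 1, True), ("role1+2", 2, True), ("role2_only", 1, False)]:
        set_user_role(con, 7, role, on)
        seen[step] = user_menu(con, 7)          # leaf 102 survives the removal of role 1 via role 2
    con.execute("UPDATE B_RoleRight SET Assign='N' WHERE RoleID=2 AND MenuID=201")
    seen["role2_shrunk"] = user_menu(con, 7)
    con.execute("INSERT INTO B_MenuInfo VALUES (30, 'HR', 1, '/hr', ''), (103, 'Stock', 10, '/supply/stock', '')")
    seen["menu_grown"] = user_menu(con, 7)
    return seen
```

Running `scenario()` walks the administrator's workflow: the user starts with only the root and subsystem items, gains the leaves of each role as it is assigned, keeps a leaf that a remaining role still grants when another role is withdrawn, loses a leaf when it is removed from the role itself, and automatically sees a newly inserted subsystem but not a newly inserted leaf. The client never decides what to show; it only reads B_UserRight, which is the point of moving the logic into the database.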
4 Conclusions
Control of the user layer's privileges can be achieved automatically by the database and its triggers. The DB2 database is used to define the tables and design the triggers, Eclipse is used as the development tool, and Tomcat is used as the web server through which clients manipulate the data. We found that this helps the system administrator assign privileges to operators very conveniently. In fact, you can define more than three levels in the menu tree, and the height of the tree need not be uniform: you can use a recursive query to obtain the leaves of the tree, and use the database and triggers to control operators' privileges for any kind of menu tree.
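The recursive query the conclusion mentions, as an added example that is not from the paper: a constructed B_MenuInfo with four levels is walked by a recursive common table expression that reports each node's level, path and whether it is a leaf, so the leaves can be found without the three-level assumption of section 2.1. It is written against SQLite via Python's sqlite3 module; the menu rows and the depth limit of 32 are constructed values.

```python
import sqlite3

# Constructed tree (MenuID, MenuName, PreMenuID) with four levels, so the
# three-level assumption of section 2.1 no longer holds.
MENU = [(1, "ERP", None), (10, "Supply", 1), (20, "Sales", 1), (101, "Purchase order", 10),
        (1011, "PO approval", 101), (102, "Vendor list", 10), (201, "Invoice", 20)]

def open_demo():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE B_MenuInfo (MenuID INTEGER PRIMARY KEY, MenuName TEXT, PreMenuID INTEGER)")
    con.executemany("INSERT INTO B_MenuInfo VALUES (?,?,?)", MENU)
    return con

TREE_SQL = """
WITH RECURSIVE tree(MenuID, MenuName, level, path) AS (
    SELECT MenuID, MenuName, 1, MenuName FROM B_MenuInfo WHERE MenuID = ?
  UNION ALL
    SELECT m.MenuID, m.MenuName, t.level + 1, t.path || '/' || m.MenuName
      FROM B_MenuInfo m JOIN tree t ON m.PreMenuID = t.MenuID
     WHERE t.level < 32            -- bounds the walk if PreMenuID ever forms a cycle
)
SELECT t.MenuID, t.level, t.path,
       NOT EXISTS (SELECT 1 FROM B_MenuInfo c WHERE c.PreMenuID = t.MenuID) AS is_leaf
  FROM tree t ORDER BY t.path"""

def menu_tree(con, root_id=1):
    """(MenuID, level, path, is_leaf) for every node reachable from root_id, in path order."""
    return [(mid, lvl, path, bool(leaf)) for mid, lvl, path, leaf in con.execute(TREE_SQL, (root_id,))]

def leaf_ids(con, root_id=1):
    """The operations a role can actually be granted: the leaves, whatever their depth."""
    return [mid for mid, _, _, leaf in menu_tree(con, root_id) if leaf]
```

Because the leaf test is "has no child" rather than "is at level 3", the same query serves a tree whose branches stop at different depths, and the level column is what a trigger would consult instead of the fixed "level 1 or 2" rule. DB2 expresses the same common table expression without the RECURSIVE keyword.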
References:
[1] Silberschatz, Korth and Sudarshan. Database System Concepts, 5th ed.
[2] Joseph, Joey and Jeffrey. Essentials of Systems Analysis and Design, 1st ed.
[3] Shelly, Cashman and Rosenblatt. Systems Analysis and Design, 5th ed.
[4] IBM DB2 Universal Database™ Application Development Guide: Building and Running Applications.
[5] IBM DB2 Universal Database™ Application Development Guide: Programming Server Applications.
Management Assignment
Name: QIN Kaida Email: [email protected]