Controlling User Layer's Privilege Automatically in Information System by Using DB2 Database

Qin Kai-Da, Yang Bao-Jian (Faculty of Management and Economics, Kunming University of Science & Technology, Kunming, Yunnan 650093, China)

Abstract: The paper analyses the levels of privilege control and introduces the entity-relationship model, the relational database model and structured query language. It then discusses how to control the user layer's privilege automatically, shows how the entity-relationship model is used to build the data model of the user layer's privilege control system, and finally presents how DB2 is used to design and implement the system.

Key words: E-R Model; User Layer's Privilege; Trigger

In every application system, controlling users' privileges is essential to system security. There are three levels at which a user's privilege can be controlled. The first is the system layer, also called the data layer: its privilege is controlled through the privileges of the database and of the operating system. In a database system you assign different system and object privileges to different users by granting and revoking them; in an operating system you divide users into groups, each with its own privileges. The second is the middle layer, also called the application layer, where privilege is controlled by gateways and by logical control. Gateways include database gateways and network gateways (for example, a software firewall); logical control is implemented by application middleware or by the user's own programs in the middle layer. The last is the user layer, where privilege has traditionally been controlled by presenting a different menu to each operator according to the subsystems they use, so application programmers must modify the menus constantly as the business is regulated and regrouped.
This article introduces a new method that controls the user layer's privilege automatically: the menu structure is stored in the database, and stored procedures and triggers assign the user layer's privileges, turning the privilege system from a passive one into an active one.

1 E-R Model, Relational Database Model and SQL

1.1 Introduction to the Entity-Relationship Model

There are two approaches to application system design: the process-oriented approach and the data-oriented approach. The process-oriented approach is mainly used to analyse system requirements, while the data-oriented approach depicts the ideal organization of data, independent of where and how the data are used within a system. One data-oriented method is the entity-relationship model. The basic entity-relationship modelling notation uses three main constructs: data entities, relationships, and their associated attributes. An entity is an object that exists and is distinguishable from other objects; a specific person, company or event, for example, is an entity. An entity set is a set of entities of the same type that share the same properties; the sets of all persons, companies and events correspond to the foregoing examples. An entity is represented by a set of attributes, that is, descriptive properties possessed by all members of an entity set; a person, for example, may have a name, sex, telephone and address. A relationship is an association among several entities, and a relationship set is a mathematical relation among $n \ge 2$ entities, each taken from entity sets [1]:

$\{(e_1, e_2, \ldots, e_n) \mid e_1 \in E_1, e_2 \in E_2, \ldots, e_n \in E_n\}$

where $(e_1, e_2, \ldots, e_n)$ is a relationship. The entity-relationship model can be described by an entity-relationship diagram (E-R diagram). An E-R diagram is a detailed, logical and graphical representation of the data for an organization or business area.
There are several different E-R notations; in this article rectangles represent entity sets, diamonds represent relationship sets, and lines link attributes to entity sets and entity sets to relationship sets.

1.2 Introduction to the Relational Database Model

A database consists of multiple relations; the information about an application is broken up into parts, with each relation storing one part. The relational database model represents data in the form of related tables, or relations. A relation is a named, two-dimensional table of data. Formally, given sets $D_1, D_2, \ldots, D_n$, a relation $r$ is a subset of $D_1 \times D_2 \times \cdots \times D_n$; thus a relation is a set of $n$-tuples $(a_1, a_2, \ldots, a_n)$ where each $a_i \in D_i$. Each relation therefore consists of a set of attributes, and the set of allowed values for each attribute is called the domain of the attribute. Attribute values are (normally) required to be atomic, and the special value null is a member of every domain. There are six basic operators in relational algebra:
1. select $\sigma$;
2. project $\Pi$;
3. union $\cup$;
4. set difference $-$;
5. Cartesian product $\times$;
6. rename $\rho$.

Normalization theory deals with how to design relational schemas and is based on well-accepted principles and rules. Three frequently used normalization rules are:
1. A relational schema R is in First Normal Form if the domains of all attributes of R are atomic;
2. A relational schema R is in Second Normal Form if each non-primary-key attribute is identified by the whole key;
3. A relational schema R is in Third Normal Form if the non-primary-key attributes do not depend on each other.

The most important step for an application system is transforming the E-R diagram into the relational database model, and mapping cardinality constraints is essential to that transformation. In general, it is accomplished in four steps: 1. represent entities; 2. represent relationships; 3. normalize the relations; 4. merge the relations [2].

1.3 Introduction to Structured Query Language (SQL)

SQL originated in IBM's Sequel language, which was first developed as part of the System R project at the IBM San Jose Research Laboratory and was subsequently renamed Structured Query Language. There are several ANSI and ISO SQL standards; commercial systems offer most, if not all, SQL-92 features, plus varying feature sets from later standards and special proprietary features. SQL is based on set and relational operations with certain modifications and enhancements. A typical SQL query has the form

select A1, A2, ..., An
from r1, r2, ..., rm
where P

where $A_i$ represents an attribute, $r_i$ represents a relation, and $P$ is a predicate. This query is equivalent to the relational algebra expression

$\Pi_{A_1, A_2, \ldots, A_n}\bigl(\sigma_P(r_1 \times r_2 \times \cdots \times r_m)\bigr)$

SQL can be divided into three components: 1. Data Definition Language (DDL); 2. Data Manipulation Language (DML); 3. Data Control Language (DCL). DDL defines the logical structure of the database: it allows the specification not only of a set of relations but also of information about each relation, including its schema, the domain of values associated with each attribute, integrity constraints, and so on. DML is used to retrieve, insert and modify database information; these commands are used by all database users during the routine operation of the database, and the basic DML commands are the INSERT, UPDATE, SELECT and DELETE statements. DCL is the category of SQL statements that control access to the data and to the database; examples are the GRANT, REVOKE and BEGIN TRANSACTION statements.

2 The Design of User Layer's Privilege Control

2.1 Assumptions

In fact, every application system has a general framework, also called its functional framework, so the structure of every information system can be organized as the tree shown in Figure 1. In this article every node of the tree is called a menu item (or privilege).
The root of the tree is the application system, the main branches are the subsystems, and the leaves provide the operations with which operators manipulate the database. For convenience of discussion we make the following assumptions:

FIGURE 1: The Functional Structure of Information System

1. The structure of every application system has only three levels and the height of the tree is uniform: level one is the name of the application system, level two the names of the subsystems, and level three the leaves that manipulate the database.
2. Each user can see levels one and two, that is, each user owns the privileges (menu items) of these two levels. Users differ only in their operating privileges at level three.
3. The difference in privileges among users does not depend on who the user is but on the roles the user possesses. A role is a set of privileges or menu items; for example, a supply management operator role may hold some of the privileges of the supply management subsystem.
4. No user gains privileges directly. The privileges or menu items a user has depend only on the roles the user possesses, so a user gains privileges by being assigned one or more roles.

2.2 The E-R Diagram of the Privilege Control System

According to the assumptions above, the privilege control system has three entities: menu, user and role. The menu entity describes the structure of the application system, the user entity describes all users of the application system, and the role entity describes all roles of the application system. Each role has one or more menu items, each user has one or more roles, and so each user has one or more menu items indirectly. The resulting E-R diagram is shown in Figure 2 [3].

FIGURE 2: The E-R Diagram of this Privilege Controlling System

In it, B_MenuInfo describes the menu entity, B_RoleInfo the role entity, and B_UserInfo the user entity.

2.3 The Table Structure of the Privilege Control System

From the E-R diagram we can design the table structure of the system. The system has six tables, shown in Figure 3. PK in the figure marks the primary key of a table and FK a foreign key, and the arrows show the relationships between tables: a foreign key is an attribute of its host table that is the primary key of the referenced table.

1. B_MenuInfo: stores the structure of the menu items (privileges). It has five attributes: (1) MenuID, the number of the menu item; (2) MenuName, the name of the menu item; (3) PreMenuID, the number of the menu item one level up; (4) WebURL, the address of the menu item on the application server; (5) Note, a description of the menu item.
2. B_RoleInfo: stores basic information about all roles, which are divided by business application. It has three attributes: (1) RoleID, the number of the role; (2) RoleName, the name of the role; (3) Note, a description of the role.
3. B_RoleRight: stores the privileges (menu items) possessed by each role. It has four attributes: (1) RoleRightNo, the number of the record, generated automatically by the system; (2) RoleID, the number of the role; (3) MenuID, the number of the menu item; (4) Assign, whether the menu item is assigned to the role or not.
4. B_UserInfo: stores basic information about all users. It has five attributes: (1) UserID, the number of the user; (2) RoleName, the name of the user; (3) UserType, the type of the user; (4) Password, the password of the user, which is invisible;
(5) State, whether the user is valid or not.
5. B_UserToRole: assigns roles to a specific user. It has four attributes: (1) UserRoleNo, the number of the record, generated automatically by the system; (2) UserID, the number of the user; (3) RoleID, the number of the role; (4) Assign, whether the role is assigned to the user or not.
6. B_UserRight: if a user has some roles, the user gains all privileges (menu items) possessed by those roles. It has four attributes: (1) UserRightNo, the number of the record, generated automatically by the system; (2) UserID, the number of the user; (3) MenuID, the number of the menu item; (4) Assign, whether the menu item is possessed by the user or not.

FIGURE 3: The Table Structure of the Privilege Controlling System

3 The Implementation of the User Layer's Privilege Control System by Using DB2 Database

3.1 The Stored Procedure and the Trigger in DB2

To change the database manager from a passive system into an active one, use the capabilities of a trigger. A trigger defines a set of actions that are activated (triggered) by a modify operation (insert, update or delete) on a specified base table. In a DB2 environment you can create stored procedures, methods and user-defined functions (UDFs) on the server and call them from a trigger. A stored procedure serves as an extension to clients that runs on the database server. Scalar UDFs let you extend and customize SQL and can be invoked in the same manner as built-in DB2 functions. Methods let you define behaviours for structured types [4].

3.2 The Implementation of the Privilege Control System by Using DB2

In the privilege control system all functions are obtained through triggers. There are five triggers (logical transactions) in the system. We describe each trigger in pseudocode whose syntax follows the DB2 control structures [5].

1. Trigger on table B_MenuInfo
   AFTER INSERT ON B_MenuInfo FOR EACH ROW
     FOR all of roles in B_RoleInfo DO
       IF NEW.MenuID is in level 1 or 2 THEN
         INSERT INTO B_RoleRight with new MenuID and Assign='Y';
       ELSE
         INSERT INTO B_RoleRight with new MenuID and Assign='N';
       END IF;
     END FOR;
     FOR all of users in B_UserInfo DO
       IF NEW.MenuID is in level 1 or 2 THEN
         INSERT INTO B_UserRight with new MenuID and Assign='Y';
       ELSE
         INSERT INTO B_UserRight with new MenuID and Assign='N';
       END IF;
     END FOR;

2. Trigger on table B_RoleInfo
   AFTER INSERT ON B_RoleInfo FOR EACH ROW
     FOR all of users in B_UserInfo DO
       INSERT INTO B_UserToRole with new RoleID and Assign='N';
     END FOR;
     FOR all of menu items in B_MenuInfo DO
       IF MenuID is in level 1 or 2 THEN
         INSERT INTO B_RoleRight with new RoleID and Assign='Y';
       ELSE
         INSERT INTO B_RoleRight with new RoleID and Assign='N';
       END IF;
     END FOR;

3. Trigger on table B_UserInfo
   AFTER INSERT ON B_UserInfo FOR EACH ROW
     FOR all of roles in B_RoleInfo DO
       INSERT INTO B_UserToRole with new UserID and Assign='N';
     END FOR;
     FOR all of menu items in B_MenuInfo DO
       IF MenuID is in level 1 or 2 THEN
         INSERT INTO B_UserRight with new UserID and Assign='Y';
       ELSE
         INSERT INTO B_UserRight with new UserID and Assign='N';
       END IF;
     END FOR;

4. Trigger on table B_RoleRight
   AFTER UPDATE ON B_RoleRight FOR EACH ROW
     FOR all of users who possess the updated role (B_UserToRole.Assign='Y') DO
       UPDATE B_UserRight SET Assign=NEW.Assign
         WHERE UserID=B_UserToRole.UserID AND MenuID=NEW.MenuID;
     END FOR;

5. Trigger on table B_UserToRole
   AFTER UPDATE ON B_UserToRole FOR EACH ROW
     IF NEW.Assign='Y' THEN
       FOR all of menu items possessed by this role in B_RoleRight DO
         Assign it to the user NEW.UserID;
       END FOR;
     ELSE
       FOR all of menu items possessed by this role in B_RoleRight DO
         IF the menu item is not possessed by another role assigned to NEW.UserID THEN
           Cancel it for the user NEW.UserID;
         END IF;
       END FOR;
     END IF;

4 Conclusions

The user layer's privilege can be controlled automatically by the database and its triggers.
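The five triggers of section 3.2 are given only in prose pseudocode. The Python model below is an added example, not code from the paper or from DB2: it keeps the six tables as in-memory dictionaries and implements each trigger as a method, so the propagation rules can be exercised and checked offline before they are written as real triggers. Table and column names follow the paper; the way a menu's level is detected (walking PreMenuID up to the root) is an assumption, since the paper does not say how "level 1 or 2" is decided, and it also handles trees deeper than three levels, as the conclusion suggests. The model goes beyond the paper in one respect: trigger 4 as written copies NEW.Assign to every user holding the role, which would also revoke a menu item the user still holds through a second role; the model applies the same "not possessed by another role" check to trigger 4 that the paper's trigger 5 already uses, so removing a right from one role cannot silently remove a right that another role still grants. All sample data in demo() is constructed.

```python
"""Added example: in-memory model of the paper's six-table privilege scheme.
Each trigger from section 3.2 is a method; menu-level detection is an assumption."""
from dataclasses import dataclass, field


@dataclass
class PrivilegeDB:
    menus: dict = field(default_factory=dict)         # B_MenuInfo: MenuID -> PreMenuID (None = root)
    roles: set = field(default_factory=set)           # B_RoleInfo: RoleID
    users: set = field(default_factory=set)           # B_UserInfo: UserID
    role_right: dict = field(default_factory=dict)    # B_RoleRight: (RoleID, MenuID) -> 'Y'/'N'
    user_to_role: dict = field(default_factory=dict)  # B_UserToRole: (UserID, RoleID) -> 'Y'/'N'
    user_right: dict = field(default_factory=dict)    # B_UserRight: (UserID, MenuID) -> 'Y'/'N'

    def menu_level(self, menu_id):
        """Level in the menu tree: 1 for the root, 2 for subsystems, 3 and deeper for leaves."""
        level, cur = 1, menu_id
        while self.menus[cur] is not None:
            cur, level = self.menus[cur], level + 1
        return level

    def _default_assign(self, menu_id):
        # assumption 2 of the paper: levels 1 and 2 are visible to every role and user
        return 'Y' if self.menu_level(menu_id) <= 2 else 'N'

    def insert_menu(self, menu_id, pre_menu_id):        # trigger 1
        self.menus[menu_id] = pre_menu_id
        for r in self.roles:
            self.role_right[(r, menu_id)] = self._default_assign(menu_id)
        for u in self.users:
            self.user_right[(u, menu_id)] = self._default_assign(menu_id)

    def insert_role(self, role_id):                     # trigger 2
        self.roles.add(role_id)
        for u in self.users:
            self.user_to_role[(u, role_id)] = 'N'
        for m in self.menus:
            self.role_right[(role_id, m)] = self._default_assign(m)

    def insert_user(self, user_id):                     # trigger 3
        self.users.add(user_id)
        for r in self.roles:
            self.user_to_role[(user_id, r)] = 'N'
        for m in self.menus:
            self.user_right[(user_id, m)] = self._default_assign(m)

    def _still_granted(self, user_id, menu_id, excluded_role):
        """True if the item must stay: it is a level 1/2 item, or another role
        assigned to the user still grants it (the check of the paper's trigger 5)."""
        if self.menu_level(menu_id) <= 2:
            return True
        return any(self.user_to_role.get((user_id, r)) == 'Y'
                   and self.role_right.get((r, menu_id)) == 'Y'
                   for r in self.roles if r != excluded_role)

    def update_role_right(self, role_id, menu_id, assign):   # trigger 4 (with the extra check)
        self.role_right[(role_id, menu_id)] = assign
        for u in self.users:
            if self.user_to_role.get((u, role_id)) != 'Y':
                continue
            if assign == 'Y':
                self.user_right[(u, menu_id)] = 'Y'
            elif not self._still_granted(u, menu_id, role_id):
                self.user_right[(u, menu_id)] = 'N'

    def update_user_to_role(self, user_id, role_id, assign):  # trigger 5
        self.user_to_role[(user_id, role_id)] = assign
        for (r, m), a in self.role_right.items():
            if r != role_id or a != 'Y':
                continue
            if assign == 'Y':
                self.user_right[(user_id, m)] = 'Y'
            elif not self._still_granted(user_id, m, role_id):
                self.user_right[(user_id, m)] = 'N'

    def visible_menus(self, user_id):
        """Menu items the application would show this user (B_UserRight.Assign='Y')."""
        return sorted(m for (u, m), a in self.user_right.items() if u == user_id and a == 'Y')

    def leaves(self):
        """Leaves of a menu tree of any height (what the conclusion's recursive query finds)."""
        parents = {p for p in self.menus.values() if p is not None}
        return sorted(m for m in self.menus if m not in parents)


def demo():
    """Constructed sample data: one application, two subsystems, two leaves, two roles, one user."""
    db = PrivilegeDB()
    db.insert_menu('M1', None)      # application root (level 1)
    db.insert_menu('M11', 'M1')     # supply subsystem (level 2)
    db.insert_menu('M12', 'M1')     # finance subsystem (level 2)
    db.insert_role('R_supply')
    db.insert_role('R_audit')
    db.insert_user('alice')
    db.insert_menu('M111', 'M11')   # leaf: edit purchase orders (level 3)
    db.insert_menu('M121', 'M12')   # leaf: view ledger (level 3)
    db.update_role_right('R_supply', 'M111', 'Y')
    db.update_role_right('R_supply', 'M121', 'Y')
    db.update_role_right('R_audit', 'M121', 'Y')
    db.update_user_to_role('alice', 'R_supply', 'Y')
    db.update_user_to_role('alice', 'R_audit', 'Y')
    out = {'after_grant': db.visible_menus('alice')}
    db.update_role_right('R_supply', 'M121', 'N')              # the role loses the ledger item
    out['after_role_right_revoke'] = db.visible_menus('alice')  # alice keeps it through R_audit
    db.update_user_to_role('alice', 'R_supply', 'N')            # the role is taken from alice
    out['after_role_revoke'] = db.visible_menus('alice')        # M111 gone, M121 kept
    out['leaves'] = db.leaves()
    return out


if __name__ == '__main__':
    for name, menus in demo().items():
        print(name, menus)
```

The three snapshots in demo() are the cases a reviewer of the real triggers would want to see: the grant path, a revocation on B_RoleRight that must not touch a right another role still provides, and a revocation on B_UserToRole that removes only the rights no remaining role grants while the level 1 and 2 items stay visible as assumption 2 requires.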
DB2 was used to define the tables and design the triggers, Eclipse as the development tool and Tomcat as the web server for manipulating data from clients. It was found that the scheme lets the system administrator assign privileges to operators very conveniently. In fact, the menu tree may have more than three levels and its height need not be uniform: a recursive query can find the leaves of the tree, and the database and its triggers can control operators' privileges for every shape of menu tree.

References:
[1] Silberschatz, Korth and Sudarshan, Database System Concepts, 5th ed.
[2] Joseph, Joey and Jeffrey, Essentials of Systems Analysis and Design, 1st ed.
[3] Shelly, Cashman and Rosenblatt, Systems Analysis and Design, 5th ed.
[4] IBM DB2 Universal Database Application Development Guide: Building and Running Applications
[5] IBM DB2 Universal Database Application Development Guide: Programming Server Applications

Author contact: QIN Kaida