Thread: Locking statements (messages 21 to 29 of 29)

Fri, Feb 18 2011 12:43 PM

Charalampos Michael

Dear Steve,

> IMHO I think it would be a nightmare having permissions down to that level.  Do other databases do this?  I've never seen it in MS SQL Server or Oracle.

Nope, the mechanism/code is already ready; this would just be an extension of it.

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr
Tue, Feb 22 2011 8:29 AM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Roy,

<< Tim it might be a good idea when cross referencing manuals to make it
clear. >>

The PDFs are notoriously a pain in the butt to deal with due to their format
limitations compared to HTML or something with proper hyper-linking support
in a URL format.  Revamping the way that the PDFs are generated is pretty
low on the list right now.

--
Tim Young
Elevate Software
www.elevatesoft.com
Tue, Feb 22 2011 8:30 AM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Michael,

<< Thanks for the link. My point was that this security system doesn't
support operators/conditions eg, "Like". (IOW to block the user to use the
"Like" operator) >>

What are you trying to accomplish?  IOW, what is the reasoning behind not
allowing a user to use LIKE?  Is it a performance consideration?

--
Tim Young
Elevate Software
www.elevatesoft.com
Tue, Feb 22 2011 8:45 AM

Roy Lambert

NLH Associates

Team Elevate

Tim

><< Tim it might be a good idea when cross referencing manuals to make it
>clear. >>
>
>The PDFs are notoriously a pain in the butt to deal with due to their format
>limitations compared to HTML or something with proper hyper-linking support
>in a URL format. Revamping the way that the PDFs are generated is pretty
>low on the list right now.
>

Fair enough. However, just to make it clear, I wasn't suggesting anything sophisticated like automatically jumping to the correct PDF, just a simple "(see the SQL manual)" after the reference to user security.

Roy Lambert
Wed, Feb 23 2011 1:48 AM

Charalampos Michael

Dear Tim,

> What are you trying to accomplish? IOW, what is the reasoning behind
> not allowing a user to use LIKE? Is it a performance consideration?

To stop someone stealing the whole data of the table.

E.g., I use the following SQL to get a particular customer's data:
SELECT *
FROM CUSTOMER_DATA
WHERE CUSTOMERID = 10

Now, if someone hacks this SQL and deletes the WHERE, it will give him
access to all the data in the table, right?

That's what I want to prevent! Smile

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr
Wed, Feb 23 2011 4:15 AM

Roy Lambert

NLH Associates

Team Elevate

Charalampos

Blocking access to LIKE would not prevent the scenario you just described.


<rant on>

I work in an industry which is very data-centric: recruitment. The reason I started using Delphi (version 1) was to develop systems for myself initially and then for my staff as I got some. Initially I had a cheap printer hooked up to everyone's PC. I had to remove them because one individual was quietly printing out the whole database, one contact (= customer or potential customer) and one candidate at a time.

I mention that because you can't stop people stealing the data; the best you can do is make it difficult. At some point the cost of making it any more difficult, in terms of time & money spent and hair pulled out, just isn't worth the benefit.

I would use ElevateDB's built-in encryption and engine signature, build in functionality that requires users to alter passwords monthly, delete the built-in Administrator account and leave it at that.

Bear in mind that anyone who has the skills to hack SQL resident in memory before it's transferred to the server is liable to have the skills to have the server itself and just grab the tables.
<rant off>

Roy Lambert
Wed, Feb 23 2011 4:39 AM

Charalampos Michael

Dear Roy,

> Blocking access to LIKE would not prevent the scenario you just described.
>
>
> <rant on>
>
> I work in an industry which is very data-centric: recruitment. The reason I started using Delphi (version 1) was to develop systems for myself initially and then for my staff as I got some. Initially I had a cheap printer hooked up to everyone's PC. I had to remove them because one individual was quietly printing out the whole database, one contact (= customer or potential customer) and one candidate at a time.
>
> I mention that because you can't stop people stealing the data; the best you can do is make it difficult. At some point the cost of making it any more difficult, in terms of time & money spent and hair pulled out, just isn't worth the benefit.
>
> I would use ElevateDB's built-in encryption and engine signature, build in functionality that requires users to alter passwords monthly, delete the built-in Administrator account and leave it at that.
>
> Bear in mind that anyone who has the skills to hack SQL resident in memory before it's transferred to the server is liable to have the skills to have the server itself and just grab the tables.
> <rant off>
>
> Roy Lambert

I guess you forgot that the end-user will connect to an EDB Server and
will not have access to a physical database file.

So, the only way to steal other or all data is to alter SQL statements.

--
Charalampos Michael - [Creation Power] - http://www.creationpower.gr
Wed, Feb 23 2011 4:50 AM

Roy Lambert

NLH Associates

Team Elevate

Charalampos


>I guess you forgot that the end-user will connect to an EDB Server and
>will not have access to a physical database file.

Not at all. I just assume anyone with the capability of hacking SQL statements in memory ("Well, everything can be cracked if it's loaded into memory.") will be able to hack a remote server. Remember, it's not the EDBServer they'd hack, it's the actual server machine.

>So, the only way to steal other or all data is to alter SQL statements.

Tell me how much the data is likely to be worth. If it's enough I'll give you a number of approaches Smiley

Years ago a company I was dealing with were supplying GCHQ (UK secret service hq) with VDUs. They had to be built into a mesh cage so that radio emissions from them couldn't be picked up and decoded remotely.

Roy Lambert
Wed, Feb 23 2011 3:18 PM

Tim Young [Elevate Software]

Elevate Software, Inc.

Email timyoung@elevatesoft.com

Michael,

<< Now, if someone hacks this SQL and deletes the WHERE, it will give him access
to all the data in the table, right?

That's what I want to prevent! Smile >>

If that's what you want to prevent, then the only way to do so is to have
your application only use views/stored procedures for data retrieval, and to
not give any user SELECT (read) access on any table, rather only give them
SELECT (read) access to the desired views or EXECUTE access to the desired
stored procedures.

--
Tim Young
Elevate Software
www.elevatesoft.com
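The setup Tim describes, written out as an added example (not code from the thread or from Elevate Software): the customer lookup moves into a parameterised stored procedure, direct SELECT on the table is revoked from the application's role, and only EXECUTE on the procedure is granted. The procedure syntax follows ElevateDB's SQL/PSM-style form as I understand it, and the role name AppUsers and procedure name GetCustomerData are assumptions; check the privilege and procedure syntax against the SQL manual for the version in use.

```sql
-- Added example, not from the thread. Object/role names are assumed.

-- The application's original query, which a tampered client could issue
-- without its WHERE clause:
--   SELECT * FROM CUSTOMER_DATA WHERE CUSTOMERID = 10

-- Step 1: put the row filter on the server side with the key as a parameter.
-- A caller can only ever receive one customer's rows per call, and cannot
-- remove the WHERE clause because it never leaves the server.
CREATE PROCEDURE GetCustomerData (IN CustID INTEGER)
BEGIN
   DECLARE Result CURSOR WITH RETURN FOR Stmt;
   PREPARE Stmt FROM 'SELECT * FROM CUSTOMER_DATA WHERE CUSTOMERID = ?';
   OPEN Result USING CustID;
END

-- Step 2: take direct table read access away from the application role
-- and hand out EXECUTE on the procedure instead. A client that rewrites
-- its SQL to "SELECT * FROM CUSTOMER_DATA" now gets a privilege error
-- rather than the whole table.
REVOKE SELECT ON TABLE CUSTOMER_DATA FROM AppUsers;
GRANT EXECUTE ON PROCEDURE GetCustomerData TO AppUsers;

-- Step 3: what the application issues from now on.
CALL GetCustomerData(10);
```

The same pattern applies to a view: grant SELECT on the view and not on the underlying table, and keep any row restriction inside the view definition rather than in the client's statement.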