HCL OneDB security considerations for label-based access control
The wide range of HCL® OneDB® capabilities requires certain precautions and planning to ensure protected tables can be accessed appropriately.
The following actions require holding the DBSECADM role after you have implemented label-based access control (LBAC) on your database server:
- Using the SETSESSIONAUTH privilege (see SET SESSION AUTHORIZATION statement)
- Exporting schema and data (see The dbschema, dbexport, and dbimport Utilities)
- Importing data (see The dbschema, dbexport, and dbimport Utilities)
These actions require the user to have read and write access credentials:
- Backing up and restoring with onbar and ontape utilities (see Backup and restore)
- Data loading and unloading
To prevent unauthorized access to protected tables, take extra precautions with the following database operations and objects:
- The onlog utility
- The oncheck utility
- Enterprise replication
- Data definition language (DDL) operations
- INSERT INTO . . . SELECT FROM Statement
- High Performance Loader .RET and .FLT files (see Data loading and unloading)
- Temporary tables created by the INTO TEMP clause
- User-defined routines created with DBA keywords
SET SESSION AUTHORIZATION statement
You can use The SET SESSION AUTHORIZATION statement to assume the identity of another user, including the user's LBAC credentials for protected tables.
HCL OneDB 11.10 and later versions that have label-based access control (LBAC) capability handles the SETSESSIONAUTH privilege differently from earlier versions of the database server that did not have LBAC functionality. The newer versions of HCL OneDB require the DBSECADM to grant the SETSESSIONAUTH privilege. Because the SETSESSIONAUTH privilege can be used to assume the LBAC credentials of another user, the DBSECADM must be careful in granting the SETSESSIONAUTH privilege.
If the database server has been converted from an earlier version that did not support LBAC, users who held the DBA privilege are automatically granted the SETSESSIONAUTH access privilege for PUBLIC in the migration process. You must initialize the converted server as a version that supports LBAC security policies to remove the SETSESSIONAUTH privilege from all DBAs and enable the DBSECADM role to grant this privilege.
For more information about how SET SESSION AUTHORIZATION operates with LBAC, see HCL OneDB Guide to SQL: Syntax.
Backup and restore
Users who are responsible for backing up or restoring protected data with an onbar and ontape utilities must have LBAC read-and-write access credentials for the corresponding server tables. LBAC security remains intact during backup and after being restored on the server, but to protect the saved backup data you must take other precautions.
You can restore of a specific table or set of tables that have previously been backed up with onbar or ontape. These tables can be restored to a specific point in time. During table-level restore of LBAC-protected tables, ensure that the schema command files specify the security policy with the target table. Because a protected target table is created during the restore, the user running the table level restore must hold the DBSECADM role. Also, LBAC rules are enforced when the INSERT statement from the schema command file is executed to load the target table. If the entire table is to be restored, the user must possess the necessary LBAC credentials.
You cannot use the archecker utility to perform a table-level restore.
The dbschema, dbexport, and dbimport Utilities
LBAC rules are enforced on protected tables when the dbschema and dbexport utilities are run. Only those rows are unloaded where the user's security label dominates the column label, row label, or both. Since both dbschema and dbexport utilities must read LBAC catalogs, the user running these utilities must have the appropriate LBAC credentials or exemptions to access the data.
The dbimport utility creates and populates a database from text files. The user importing LBAC-protected data with this utility must have the DBSECADM role. After the import process is complete, the DBSECADM role does not have any exemptions that were defined before the import process.
Data loading and unloading
- dbload utility
- onpload and ipload utilities for High-Performance Loader (HPL)
HCL OneDB provides a number of ways to load and unload data, for example, the dbload utility.
LBAC rules are applied when these statements are executed, or utilities are run, on protected tables. The user's security label must dominate the column label, row label, or both. If an entire table is to be loaded/unloaded, then the user must have the necessary LBAC credentials to read and write all the labeled rows and columns. Alternatively, the DBSECADM can grant an exemption to the user so that the security policy protecting the tables can be bypassed.
Rows that are rejected when the onpload utility is run are dumped to .REJ and .FLT files. Take the necessary precautions to prevent unauthorized access to these files. For express-mode loads using HPL, the rows are inserted directly to table extents skipping the SQL layer. The user running the express-mode load must be granted the necessary exemptions to bypass the security policy.
You cannot use the onload and onunload utilities with LBAC.
The onlog utility
The onlog utility displays all or selected portions of the logical log. This command can take input from selected log files, the entire logical log, or a backup tape of previous log files. The log records can expose data that is protected by LBAC on a live database. Take precautions to ensure data is not exposed by misuse of this utility.
The oncheck utility
The oncheck utility can display pages from tables or chunks, which can expose data that is protected by LBAC on a live database. Take precautions to ensure data is not exposed by misuse of this utility.
Enterprise replication
You cannot apply LBAC to a table participating in Enterprise Replication. Also, you cannot define an Enterprise Replication replicate on a table that is protected by LBAC.
Data definition language (DDL) operations
LBAC does not restrict users on your system from performing data definition language (sometimes called data definition statements) operations. For example, a user whom has not been granted security policy credentials or an exemption can run TRUNCATE TABLE or DROP TABLE on an LBAC-protected table.
INSERT INTO . . . SELECT FROM Statement
When the INSERT INTO . . . SELECT FROM statement is used on an LBAC-protected table to create another table, ensure that the new table is protected by the same security policy used to protect the source table. Otherwise, the new table can potentially expose data in violation of your organization's privacy policy. Note that this potential data exposure can happen if the statement is used to create a permanent table, or to create a temporary table and then inserted into a permanent one.
Temporary tables created by the INTO TEMP clause
The INTO TEMP clause of the SELECT statement creates a temporary table to hold the query results. If the table being selected from is a protected table, the query-result data in the intermediate temporary table is not protected by LBAC. Take the necessary precautions to ensure that the data in the temporary table is not exposed to unauthorized users.
User-defined routines
You can register user-defined routines (UDRs) with the DBA keyword. If a user is granted the execute privilege on a UDR, the database server automatically grants the user temporary DBA privileges that are enabled only when the user is executing the UDR. The user executing the DBA UDR assumes the identity of a DBA for the duration of the UDR has the DBA's user label during that time. Avoid using protected tables in DBA UDRs.