Title of invention: Autonomous role-based security for database management systems
Abstract: Embodiments described herein generally relate to creating an autonomous role-based security system for a database management system, wherein a super user may not always be required. A computer-implemented method is described. The method includes establishing one or more privileges in a database system, each privilege controlling access to an administrative function for the database system. Each privilege is assigned to one or more roles. Each role may always have a minimum set of users with only administrative rights over the role. A request is received from a first user to grant a role to a second user. A database management system determines whether the first user has administrative privileges over the role. If the first user has administrative privileges over the role, the role is granted to the second user. The database system may satisfy the principles of least privilege and separation of duties.
Publication number: US9298933(B2) Publication date: 2016.03.29
Application number: US201313945148 Application date: 2013.07.18
Applicant: Sybase, Inc. Inventors: Goel Anil;Desai Asif Iqbal;Gupta Ramesh;Ghosh Somnath;Vadodaria Harin
Classification: G06F17/30;G06F21/60;G06F21/62 Main classification: G06F17/30
Agency: Sterne, Kessler, Goldstein & Fox P.L.L.C. Agent: Sterne, Kessler, Goldstein & Fox P.L.L.C.
Independent claim: 1. A computer-implemented method, comprising: establishing one or more privileges in a database system, each privilege controlling access to an administrative function for the database system; assigning each privilege to one or more roles; receiving a request from a first user to grant a role to a second user; determining whether the first user has administrative rights over the role; granting the role to the second user when the first user is determined to have administrative rights over the role; receiving a request from the first user to revoke a role from a third user; determining whether the first user has administrative rights over the role; determining whether revoking the role from the third user would result in the role not having a threshold number of administrators; and revoking the role from the third user when the first user is determined to have administrative rights over the role and when the role is determined to have at least the threshold number of administrators after revoking the role from the third user.
Address: Dublin CA US
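The grant and revoke checks of claim 1, modeled in Python as an added example that is not part of the patent record or of Sybase's implementation. The class and method names, the default threshold, and the reading that a role's administrators are tracked separately from the users who exercise its privileges are assumptions.

```python
from dataclasses import dataclass, field

class RoleError(Exception):
    """Raised when a grant or revoke request fails an authorization check."""

@dataclass
class Role:
    name: str
    privileges: set = field(default_factory=set)
    admins: set = field(default_factory=set)    # administrative rights over the role only
    members: set = field(default_factory=set)   # may exercise the role's privileges

class RoleManager:
    def __init__(self, min_admins=1):           # assumed value; the claim says "a threshold number"
        self.roles = {}
        self.min_admins = min_admins

    def create_role(self, name, privileges, admins):
        if len(set(admins)) < self.min_admins:
            raise RoleError(f"{name} needs at least {self.min_admins} administrators")
        self.roles[name] = Role(name, set(privileges), set(admins))

    def _require_admin(self, user, role):
        if user not in role.admins:
            raise RoleError(f"{user} has no administrative rights over {role.name}")

    def grant(self, grantor, role_name, grantee, admin=False):
        role = self.roles[role_name]
        self._require_admin(grantor, role)       # no super user bypass exists
        (role.admins if admin else role.members).add(grantee)

    def revoke(self, revoker, role_name, target):
        role = self.roles[role_name]
        self._require_admin(revoker, role)
        remaining = role.admins - {target}
        # Refuse any revoke that would drop the role below its administrator threshold.
        if len(remaining) < self.min_admins:
            raise RoleError(f"revoke would leave {role_name} below {self.min_admins} administrators")
        role.admins = remaining
        role.members.discard(target)

    def can(self, user, privilege):
        # Administrators of a role do not gain its privileges (separation of duties).
        return any(privilege in r.privileges and user in r.members
                   for r in self.roles.values())
```
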