Hi, I think Peter's suggesting you implement that security model in your application, rather than in the database server. Apart from probably not supporting such a security model, it's easier to audit user activity if you are controlling the security model.

Cheers,
Luke Venediger.

On Thu, 18 Nov 2004 11:46:15 +0100, Jonas Ladenfors <[EMAIL PROTECTED]> wrote:
> Ok, jupp if I could use groups each group could have a shared key. How do
> you create groups and then add users to them in MySQL? Are you referring to
> the Linux systems user and groups? This idea should work but I am not
> familiar with how groups work in MySQL. I need to be able to audit logs on a
> per user level, is this possible in this solution?
>
> /Jonas
>
>
> Hi
>
> I use a system based on the Linux security model
>
> create groups - this will define access to the data, so you need to group
> the data - and encrypt data the group can access using the password
> belonging to that group.
>
> make users members of any number of groups, as required.
>
> Users can then access any data they are entitled to, but cannot read data
> encrypted with a password they do not have access to.
>
> You will need to use software (php, C++, asp, whatever) to manage the
> user/group system.
>
> HTH
>
> Peter
>
> > -----Original Message-----
> > From: Jonas Ladenfors [mailto:[EMAIL PROTECTED]
> > Sent: 18 November 2004 10:19
> > To: 'Peter Lovatt'; 'Mysql (E-mail)'
> > Subject: RE: Row level security requirements, can I still use MySQL?
> >
> >
> > Yeah, you are correct, locking is something else; what I actually meant
> > was restricted access.
> >
> > If I understand you correctly I would then encrypt all information in the
> > table I was interested in restricting access to. But if two or more users
> > were to share a row in the table they would need a shared key? And then
> > several user collaborations would result in a lot of different keys. I have
> > actually been thinking about this solution earlier, my problem with it is
> > where to store the different keys that are needed. Forcing the user to
> > manually keep track of 5 - 10 keys is too much to hope for sadly ;)
> >
> > What I have been thinking about is some low-level way where you as an
> > administrator can control users and groups and place restrictions on each
> > row by tagging the row in some way? Or the user could tag his rows in
> > some way.
> >
> > Is this how other RDBMS enforce access restrictions?
> >
> > Regards
> > /Jonas
> >
> > -----Original Message-----
> > From: Peter Lovatt [mailto:[EMAIL PROTECTED]
> > Sent: den 18 november 2004 11:03
> > To: Jonas Ladenfors; Mysql (E-mail)
> > Subject: RE: Row level security requirements, can I still use MySQL?
> >
> >
> > Hi
> >
> > What about encrypting the data using a password that is specific to the
> > user? That way only those that know the password for that row can
> > access it.
> >
> > Locking is really to stop two users editing the same record at the same
> > time, rather than controlling access.
> >
> > HTH
> >
> > Peter
> >
> > > -----Original Message-----
> > > From: Jonas Ladenfors [mailto:[EMAIL PROTECTED]
> > > Sent: 18 November 2004 09:46
> > > To: Mysql (E-mail)
> > > Subject: Row level security requirements, can I still use MySQL?
> > >
> > >
> > > Hello, I am in the position where I need row level user access, this is
> > > crucial in my current project. I know this has been discussed before and
> > > the answer has been "use views when they become available". But views
> > > would still allow the "root" user access to the complete table, wouldn't
> > > it? I would like to lock rows to certain user and not let anyone else see
> > > them, not even the root user.
> > >
> > > I have been thinking about using heap tables or trying to supply each
> > > user/group with their own dynamically created tables. But I always come
> > > to the conclusion that I am hacking away at something I do not fully
> > > understand and that I cannot guarantee that the end result will have the
> > > security I claim.
> > >
> > > Is this possible in MySQL?
> > > Does anyone know if it can be performed with other RDBMS?
> > >
> > > Regards
> > > /Jonas

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/[EMAIL PROTECTED]
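
An added example, not part of the original thread: one way to keep the group model and a per-user audit trail in the application, as Luke and Peter suggest. sqlite3 stands in for MySQL, and every table, column and function name is an assumption. It does not hide rows from a database root user; that still needs the encryption discussed in the thread.

```python
import sqlite3

def setup():
    """In-memory sqlite3 database standing in for MySQL; all rows are constructed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE membership (username TEXT, grp TEXT, PRIMARY KEY (username, grp));
        CREATE TABLE records (id INTEGER PRIMARY KEY, grp TEXT NOT NULL, body TEXT);
        CREATE TABLE audit (id INTEGER PRIMARY KEY AUTOINCREMENT,
                            ts TEXT DEFAULT CURRENT_TIMESTAMP,
                            username TEXT, action TEXT, record_id INTEGER, allowed INTEGER);
        INSERT INTO membership VALUES ('jonas','sales'), ('jonas','hr'), ('peter','sales');
        INSERT INTO records VALUES (1,'sales','Q4 forecast'), (2,'hr','salary review');
    """)
    return db

def read_record(db, username, record_id):
    """Return the row body if the user belongs to the row's group, else None.
    Every attempt, allowed or denied, is written to the audit table.
    Assumes the application is the only path to the database."""
    row = db.execute(
        "SELECT r.body FROM records r "
        "JOIN membership m ON m.grp = r.grp "
        "WHERE r.id = ? AND m.username = ?",
        (record_id, username)).fetchone()
    db.execute(
        "INSERT INTO audit (username, action, record_id, allowed) "
        "VALUES (?, 'read', ?, ?)",
        (username, record_id, int(row is not None)))
    db.commit()
    return row[0] if row else None

def audit_for(db, username):
    """Per-user audit trail as (action, record_id, allowed), oldest first."""
    return db.execute(
        "SELECT action, record_id, allowed FROM audit "
        "WHERE username = ? ORDER BY id", (username,)).fetchall()

if __name__ == "__main__":
    db = setup()
    print(read_record(db, "peter", 1))   # peter is in 'sales'
    print(read_record(db, "peter", 2))   # peter is not in 'hr'
    print(audit_for(db, "peter"))
```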