I did similar work in 1997 for one of my clients. The password
method will be just part of the security system. But you may want
to consider implementing RBAC in the database. That way,
the users, whether they are applications (e.g., business objects),
an interactive DB tool used by a human, or so on, will only have access
to the subset of the database allowed by their privileges, by using ACLs
which are also based on the defined security policy in the database.

In addition, you may want to use asymmetric encryption for
some data that needs to be considered higher security.


Pae



> Hi All,
>
> I'm writing an application that needs row level security in it so that
> only certain users can view/change etc. certain records.  I know that
> MySQL currently does not have row level security, and when I've asked
> this list before I've been given some helpful suggestions (although
> none of them would actually work for me).  So I've decided that the only
> way to go is to put the security logic into the application I am building.
>
> This works fine for my application, but means that if anyone connects
> directly to the server using the MySQL client etc, then they'll be able
> to see/update everything - making it a pretty weak security system.
>
> I've had two thoughts about this, but am willing to hear of any other
> thoughts people might have.
>
> One that I could do right now is to get my program to add something to
> the password of every user (users are created using the program and
> passwords can be changed using it too).  This way if they try to connect
> to the server directly they won't have the extra bit on their passwords
> and it won't let them connect.  The program could take care of adding
> this extra bit each time anything password related was needed so it
> shouldn't be a problem in this respect, however if anyone discovered the
> extra bit then it would be impossible to change the extra bit without
> giving everyone new passwords (which would be a real pain).
>
> A second way would be if there was like an application password in the
> security area that could be set and would be needed for connection -
> sort of like the ssl extra stuff that's been added recently.  The
> downside of this is it isn't currently there and I'd need to convince
> someone at MySQL that it was worth adding and then wait for it to be
> added, the upside is that it would be easier to change if the
> application password was discovered.
>
> I've looked a little at the ssl/encryption stuff to see if I could use
> that but I don't think it can really help me achieve what I'm trying to
> achieve but if someone thinks it can I'd love to hear how.
>
> If anyone has any other ideas, can see problems that I haven't seen in
> the above ideas then I'd appreciate knowing.  Are there any others
> having this problem (or is it just me!)?
>
> Thanks for your thoughts,
>
> cheers,
>
> noel
>
>
> ---------------------------------------------------------------------
> Before posting, please check:
>    http://www.mysql.com/manual.php   (the manual)
>    http://lists.mysql.com/           (the list archive)
>
> To request this thread, e-mail <[EMAIL PROTECTED]>
> To unsubscribe, e-mail <[EMAIL PROTECTED]>
> Trouble unsubscribing? Try: http://lists.mysql.com/php/unsubscribe.php
>
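
One way the ACL-in-the-database idea from the reply could look, as an added example that is not from either poster: it assumes a MySQL version that supports views with `SQL SECURITY DEFINER`, and the schema, account and view names (`app`, `records`, `record_acl`, `records_for_me`, `alice`, `bob`) are hypothetical. It covers the read path only: a direct connection with the stock client sees the same filtered rows as the application, because the accounts hold no privileges on the base tables.

```sql
-- Added example; all object and account names are hypothetical.
CREATE DATABASE app;

-- Base table: no end-user account is granted anything on it.
CREATE TABLE app.records (
  id      INT PRIMARY KEY,
  payload VARCHAR(255) NOT NULL
);

-- ACL table: one row per (record, database account) that may read it.
CREATE TABLE app.record_acl (
  record_id INT NOT NULL,
  db_user   VARCHAR(32) NOT NULL,  -- user part of the MySQL account
  PRIMARY KEY (record_id, db_user),
  FOREIGN KEY (record_id) REFERENCES app.records (id)
);

-- The view executes with the definer's privileges, so callers need no
-- rights on the base tables. USER() still reports the connecting
-- client's account, which is what the ACL lookup is keyed on.
CREATE SQL SECURITY DEFINER VIEW app.records_for_me AS
  SELECT r.id, r.payload
  FROM app.records r
  WHERE EXISTS (
    SELECT 1
    FROM app.record_acl a
    WHERE a.record_id = r.id
      AND a.db_user = SUBSTRING_INDEX(USER(), '@', 1)
  );

-- Constructed sample data.
INSERT INTO app.records VALUES (1, 'visible to alice'), (2, 'visible to bob');
INSERT INTO app.record_acl VALUES (1, 'alice'), (2, 'bob');

-- End-user accounts get SELECT on the view and nothing else.
CREATE USER 'alice'@'%' IDENTIFIED BY 'placeholder-password-1';
CREATE USER 'bob'@'%'   IDENTIFIED BY 'placeholder-password-2';
GRANT SELECT ON app.records_for_me TO 'alice'@'%';
GRANT SELECT ON app.records_for_me TO 'bob'@'%';

-- Connected as alice, from the application or any other client:
--   SELECT * FROM app.records_for_me;  -- only the row with id = 1
--   SELECT * FROM app.records;         -- rejected: no privilege on the table
```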

