Unit Three Database access management
• This unit is developed to provide you with the necessary information
regarding the following content coverage and topics:
• Access Privilege Management
• Monitor network Server Logs
• Manage system resources
3.1. Access Privilege Management
• 3.1.1 Allocate or remove access privileges according to user status
• "Allocate or remove access privileges according to user status" involves managing
user access based on changes in their status, such as new user onboarding, role
changes, or when a user leaves the organization.
• Here are examples for this aspect of Access Privilege Management:
• Allocate Access Privileges for New Users:
• Definition: Granting appropriate access privileges to new users based on their
roles and responsibilities.
• Example:
    -- Granting basic read-only access to a new user
    GRANT SELECT ON database.table TO 'new_user'@'localhost';
    -- Granting additional privileges based on the user's role
    GRANT INSERT, UPDATE, DELETE ON database.table2 TO 'new_user'@'localhost';
• Remove Access Privileges for Departing Users:
• Definition: Revoking access privileges for users who have left the
organization or no longer require access.
• Example:
    -- Revoking all privileges for a departing user
    REVOKE ALL PRIVILEGES ON database.* FROM 'departing_user'@'localhost';
    -- Optionally, drop the user account
    DROP USER 'departing_user'@'localhost';
• Adjust Access Privileges for Role Changes:
• Definition: Modifying access privileges when a user's role or responsibilities
change within the organization.
• Example:
    -- Adjusting access privileges for a user with a new role
    REVOKE SELECT ON database.table FROM 'user_with_previous_role'@'localhost';
    GRANT UPDATE, INSERT ON database.table TO 'user_with_new_role'@'localhost';
• Periodic Access Review and Adjustment:
• Definition: Conducting regular reviews of user access privileges and
adjusting them based on changes in job roles or responsibilities.
• Example:
    -- Identifying and revoking unnecessary privileges during a periodic review
    REVOKE DELETE, UPDATE ON database.table3 FROM 'user_to_review'@'localhost';
• Access Privileges Based on User Status:
• Definition: Implementing conditional access privileges based on the
user's status (e.g., active, inactive, probationary).
• Example:
    -- Granting conditional access based on user status
    -- (in MySQL, IF ... END IF is only valid inside a stored program,
    -- such as a stored procedure body)
    IF user_status = 'active' THEN
        GRANT SELECT ON database.table4 TO 'active_user'@'localhost';
    ELSE
        REVOKE ALL PRIVILEGES ON database.table4 FROM 'inactive_user'@'localhost';
    END IF;
• User Access Termination:
• Definition: Ensuring that access privileges are promptly terminated when a user
leaves the organization.
• Example:
    -- Terminating access for a user who has left the organization
    REVOKE ALL PRIVILEGES ON *.* FROM 'former_user'@'localhost';
    DROP USER 'former_user'@'localhost';
• Access Privileges for Temporary Roles:
• Definition: Granting temporary access privileges for users in specific
roles or projects.
• Example:
    -- Granting temporary access for a specific project
    GRANT SELECT, INSERT, UPDATE ON project_database.* TO 'temporary_user'@'localhost';
• Access Based on User Approval:
• Definition: Requiring approval for granting or modifying access
privileges.
• Example:
    -- Granting access after approval
    GRANT SELECT, INSERT, UPDATE ON database.table TO 'approved_user'@'localhost';
• Access Audit and Logging:
• Definition: Logging and auditing access changes to maintain a record of who
has been granted or revoked access privileges.
• Example:
    -- Logging access changes
    -- This could involve triggers or database audit features
    INSERT INTO access_log (timestamp, user, action, database_object)
    VALUES (CURRENT_TIMESTAMP, 'admin', 'GRANT', 'database.table5');
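The cases above can be handled in one review pass. The following is an added example, not part of the original unit: it compares what each account's status and role entitle it to with the grants it currently holds, and returns the matching REVOKE, GRANT and DROP USER statements. The role policy, the account names and the `sales.orders` table are assumptions constructed for illustration.

```python
import re

# Assumed role policy for this example: role -> set of (privilege, "db.table").
ROLE_PRIVILEGES = {
    "analyst": {("SELECT", "sales.orders")},
    "clerk": {(p, "sales.orders") for p in ("SELECT", "INSERT", "UPDATE")},
}
# Constructed sample data: account status/role and the grants held today.
SAMPLE_USERS = {
    "alice@localhost": {"status": "active", "role": "clerk"},    # moved from analyst
    "bob@localhost": {"status": "departed", "role": "clerk"},
    "carol@localhost": {"status": "inactive", "role": "analyst"},
}
SAMPLE_GRANTS = {
    "alice@localhost": {("SELECT", "sales.orders"), ("DELETE", "sales.orders")},
    "bob@localhost": {("SELECT", "sales.orders")},
}
ALLOWED_PRIVS = {"SELECT", "INSERT", "UPDATE", "DELETE"}

def account_sql(account):
    """Render user@host as 'user'@'host'; reject anything that could break quoting."""
    if not re.fullmatch(r"[A-Za-z0-9_]+@[A-Za-z0-9_.-]+", account):
        raise ValueError(f"unsafe account name: {account!r}")
    user, host = account.split("@")
    return f"'{user}'@'{host}'"

def check_grant(priv, obj):
    """Allow only known privileges and plain db.table object names."""
    if priv not in ALLOWED_PRIVS or not re.fullmatch(r"[A-Za-z0-9_]+\.[A-Za-z0-9_]+", obj):
        raise ValueError(f"unexpected grant: {priv} ON {obj}")

def review_access(users, current_grants):
    """Return the statements that align current grants with status and role."""
    statements = []
    for account in sorted(users):
        status, role = users[account]["status"], users[account]["role"]
        who = account_sql(account)
        held = current_grants.get(account, set())
        # Only active users keep their role's privileges; everyone else gets none.
        wanted = ROLE_PRIVILEGES.get(role, set()) if status == "active" else set()
        for verb, prep, grants in (("REVOKE", "FROM", held - wanted),
                                   ("GRANT", "TO", wanted - held)):
            for priv, obj in sorted(grants):
                check_grant(priv, obj)
                statements.append(f"{verb} {priv} ON {obj} {prep} {who};")
        if status == "departed":
            statements.append(f"DROP USER {who};")
    return statements
```

The returned statements are meant to be reviewed and approved before they are run, and each one recorded in the access log.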
3.2. Monitor network Server Logs
• Monitoring the network server log-in log file is crucial for identifying and responding to
illegal log-in attempts and potential security breaches.
• This involves actively reviewing log files to detect patterns indicative of
unauthorized access.
• Here's a procedure to implement this monitoring:
• Access Log-in Log Files: Regularly access and review log-in log files on the
network server.
• These files contain records of user log-ins, including successful and
unsuccessful attempts.
• Focus on Security-Relevant Logs: Concentrate on logs that are relevant to
security, such as authentication logs and logs indicating user log-in activities.
• Identify Suspicious Patterns: Look for suspicious patterns in log-in activities,
including multiple failed log-in attempts, log-ins from unusual locations or IP
addresses, or log-ins during non-business hours.
• Automate Log Analysis: Implement automated log analysis tools to assist in the
identification of potential security breaches. These tools can quickly analyze large
volumes of log data and generate alerts for anomalies.
• Set Thresholds for Alerts: Define thresholds for log-in activities that trigger alerts,
for example multiple failed log-in attempts within a short period or log-ins from
geographically improbable locations.
• Correlate with Other Logs: Correlate log-in log data with other logs, such as
intrusion detection system (IDS) logs or firewall logs, to gain a comprehensive
understanding of network security.
• Real-time Monitoring: Implement real-time monitoring to receive
immediate alerts for suspicious log-in activities. Real-time monitoring
enhances the ability to respond promptly to security incidents.
• Implement Geolocation Analysis: Utilize geolocation analysis to
identify log-ins from locations inconsistent with normal user behavior.
This helps detect potential unauthorized access.
• Check for Unusual Log-in Times: Investigate log-ins that occur during
unusual hours or outside of normal business hours. This can be an
indicator of unauthorized access.
• Review Failed Log-ins: Pay close attention to failed log-in attempts.
Excessive failed attempts may suggest a brute-force attack or an
attempt to gain unauthorized access.
• Track User Accounts: Monitor log-ins for privileged user accounts
closely. Unauthorized access to accounts with elevated privileges
poses a significant security risk.
• Regular Security Training: Conduct regular security training for users
to raise awareness about the importance of secure log-in practices
and to recognize and report suspicious activities.
• Incident Response Plan: Have an incident response plan in place to
guide actions in the event of a detected security breach. This plan
should include steps for isolating affected systems, notifying relevant
parties, and conducting forensic analysis.
• Continuous Improvement: Continuously refine and improve log-in
monitoring based on evolving security threats and the organization's
specific requirements.
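Several of the steps above (alert thresholds, failed log-in review, unusual log-in times, privileged account tracking) can be automated together. The following is an added example, not part of the original unit: it scans log-in records and raises alerts for bursts of failures from one source, for a successful log-in from a source that was just flagged, and for privileged log-ins outside working hours. The log line format, the thresholds, the working hours and the account names are assumptions, and the sample log is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                     # this many failures from one source ...
FAIL_WINDOW = timedelta(minutes=2)     # ... inside this window raises an alert
BUSINESS_HOURS = range(8, 18)          # assumed working hours, 08:00-17:59
PRIVILEGED = {"root", "dbadmin"}       # assumed privileged account names

# Constructed sample log; the addresses come from documentation ranges.
SAMPLE_LOG = [
    "2024-05-01T02:14:00 FAIL user=dbadmin src=203.0.113.7",
    "2024-05-01T02:14:10 FAIL user=dbadmin src=203.0.113.7",
    "2024-05-01T02:14:20 FAIL user=dbadmin src=203.0.113.7",
    "2024-05-01T02:14:30 FAIL user=dbadmin src=203.0.113.7",
    "2024-05-01T02:14:40 FAIL user=dbadmin src=203.0.113.7",
    "2024-05-01T02:15:05 OK user=dbadmin src=203.0.113.7",
    "2024-05-01T09:30:00 FAIL user=alice src=198.51.100.20",
    "2024-05-01T09:31:00 OK user=alice src=198.51.100.20",
    "2024-05-01T10:00:00 OK user=dbadmin src=198.51.100.5",
]

def parse(line):
    """Split 'TIMESTAMP RESULT user=NAME src=IP' into a dict."""
    ts, result, user, src = line.split()
    return {"time": datetime.fromisoformat(ts), "ok": result == "OK",
            "user": user.partition("=")[2], "src": src.partition("=")[2]}

def analyse(lines):
    """Return (alert, subject, time) tuples in chronological order."""
    alerts, failures, flagged = [], defaultdict(deque), set()
    for ev in sorted(map(parse, lines), key=lambda e: e["time"]):
        if not ev["ok"]:
            window = failures[ev["src"]]
            window.append(ev["time"])
            while ev["time"] - window[0] > FAIL_WINDOW:   # drop failures outside the window
                window.popleft()
            if len(window) >= FAIL_THRESHOLD:
                alerts.append(("failed-login-burst", ev["src"], ev["time"]))
                flagged.add(ev["src"])
                window.clear()         # the next alert needs a fresh burst
            continue
        if ev["src"] in flagged:       # success from a source that already caused a burst
            alerts.append(("success-after-burst", ev["src"], ev["time"]))
        if ev["user"] in PRIVILEGED and ev["time"].hour not in BUSINESS_HOURS:
            alerts.append(("off-hours-privileged-login", ev["user"], ev["time"]))
    return alerts
```

On the sample log this yields three alerts, all tied to the 02:14 burst against `dbadmin`; the single failure by `alice` and the 10:00 `dbadmin` log-in stay below the thresholds.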
3.3. Manage system resources
• Definition: Managing system resources is essential for ensuring optimal
performance, reliability, and efficiency of a database system. It involves
monitoring, allocating, and optimizing resources to meet the demands of the
database and associated applications. Here's a procedure for managing system
resources effectively:
• Procedure:
• Resource Monitoring: Utilize system monitoring tools to continuously track
resource usage, including CPU utilization, memory consumption, disk I/O, and
network activity.
• Set Resource Thresholds: Define thresholds for resource usage that, when
exceeded, trigger alerts. These thresholds can be customized based on the
specific requirements and performance expectations.
• Automated Alerts: Implement automated alerting systems to receive immediate notifications
when resource thresholds are breached. Alerts facilitate proactive response to potential
performance issues.
• Capacity Planning: Conduct regular capacity planning assessments to predict future resource
needs. This involves analyzing historical resource usage patterns and forecasting growth.
• Scale Resources Appropriately: Based on capacity planning assessments, scale resources
(CPU, memory, storage) as needed. This may involve upgrading hardware, adding more servers,
or leveraging cloud-based scaling solutions.
• Prioritize Critical Processes: Identify and prioritize critical database processes and allocate
resources accordingly. Ensure that essential operations receive the necessary computing power
and memory.
• Database Indexing and Optimization: Optimize database indexes and queries to minimize
resource-intensive operations. Well-optimized queries contribute to reduced resource
consumption.
• Regular Performance Tuning: Conduct regular performance tuning activities, such as query
optimization and index maintenance, to enhance database efficiency and reduce resource
utilization.
• Implement Caching Mechanisms: Introduce caching mechanisms to reduce the need for
repetitive database queries, thereby decreasing the load on the database and improving
response times.
• Database Connection Management: Implement connection pooling and efficient connection
management to avoid resource exhaustion caused by a large number of concurrent
connections.
• Disk Space Management: Monitor and manage disk space regularly. Implement practices
such as archiving, purging, or compressing data to prevent unnecessary storage consumption.
• Network Bandwidth Optimization: Optimize network bandwidth usage by minimizing
unnecessary data transfers and ensuring efficient communication between database servers
and clients.
• Backup and Restore Optimization: Optimize backup and restore processes to
minimize their impact on system resources. Consider incremental backups and
ensure that backup schedules do not coincide with peak usage times.
• Virtualization Management: If using virtualization, manage virtual machine
(VM) resources effectively. Adjust VM configurations based on workload
requirements and allocate resources appropriately.
• Implement Load Balancing: If applicable, implement load balancing to distribute
incoming traffic across multiple servers. This helps prevent resource bottlenecks
on individual servers.
• Regular System Updates: Keep the operating system, database software, and
relevant components up to date with the latest patches and updates to benefit
from performance.