T3.2: Manages SQL Security

Overview

InterSystems IRIS SQL security operates through a comprehensive privilege system managed primarily via GRANT and REVOKE commands.

• GRANT command: Assigns privileges to users or roles, enabling specific database operations
• Privilege scope: Granted on a per-namespace basis, immediately exercisable
• Multiple grants: Multiple users can grant the same privilege; single REVOKE removes it entirely

Administrative Privileges

Administrative privileges are namespace-specific and include rights to create, alter, and drop database objects:

• Tables, views, triggers, and procedures
• %DB_OBJECT_DEFINITION: Grants all 16 data definition privileges in one command

Special administrative privileges:

• %NOCHECK, %NOINDEX, %NOLOCK, %NOTRIGGER: Control whether users can apply these keyword restrictions during INSERT, UPDATE, or DELETE
• Note: TRUNCATE TABLE requires %NOTRIGGER privilege

Object Privileges

Object privileges provide access to specific database objects including tables, views, stored procedures, and cubes.

Table-level object privileges:

• %ALTER, DELETE, SELECT, INSERT, UPDATE, EXECUTE, REFERENCES, CANCEL
• Grant access to all columns in table or view, including subsequently added columns

Column-level privileges:

• Can be assigned to specific columns only for more granular control

Wildcard and schema grants:

• Asterisk (*): Grants privileges to all objects in current namespace
• SCHEMA keyword: Grants privileges to all objects within a named schema, including future objects

WITH GRANT OPTION

• Enables privilege delegation
• Allows grantees to grant the same privileges to other users
• REVOKE with CASCADE can reverse cascading series of granted privileges

Methods for Granting Privileges

• SQL GRANT statements
• ObjectScript methods: `$SYSTEM.SQL.Security.GrantPrivilege()`
• Management Portal interface

Object Ownership

The owner of an SQL object automatically holds all privileges on that object in all namespaces to which the object is mapped.

Overview

InterSystems IRIS implements a dual-layer security model that distinguishes between SQL privilege checking and application-level security.

• Purpose: Different access patterns have different security requirements and trust models
• Critical knowledge: Understanding when and where privilege checking occurs is essential for designing secure database applications

SQL Privilege Checking Enforcement

SQL privilege checking is enforced exclusively through specific interfaces:

• ODBC connections
• JDBC connections
• Dynamic SQL (%SQL.Statement objects)
• SQL Shell interface

Behavior:

• Comprehensive privilege validation before allowing any operation
• SQLCODE -99: Privilege Violation error if user lacks required privilege
• Ensures external database access and interactive SQL queries respect security boundaries

Interfaces That Bypass Privilege Checking

Embedded SQL:

• Deliberately does not perform privilege checking
• Assumes applications will implement their own security controls
• Typically used within ObjectScript routines where application logic controls access

Direct class query invocation:

• Without %SQL.Statement objects is considered application access
• Bypasses SQL privilege checks
• Allows developers to build custom security models

SQL vs System Privileges

The relationship between SQL privileges and system-level privileges is asymmetric:

• SQL privilege grants system access: Holding SQL privilege implicitly grants related system privileges required for the SQL action
• System privileges do NOT grant SQL access: System-level privileges do not automatically imply table-level or object-level SQL privileges
• Granularity: SQL protections are more granular, allowing privileges for specific tables, views, columns, and stored procedures

Roles:

• Serve as bridge between both security models
• Single role can include both SQL and system-level privileges
• Shared between both security subsystems

SQLSecurity System Setting

Enforcement boundary can be controlled system-wide:

• Method: `$SYSTEM.SQL.Util.SetOption("SQLSecurity")`
• Value 0: Disables SQL Security for new processes (suppresses privilege-based table/view security)
• Value 1 (default): Privilege enforcement enabled (recommended for production)

Overview

InterSystems IRIS provides comprehensive SQL auditing capabilities that record SQL statement execution for compliance, security monitoring, and troubleshooting purposes.

• Mechanism: Operates through the system's Audit Database
• Content: Records detailed information about SQL operations across different execution interfaces

Audit Event Types

SQL auditing supports three distinct event types:

• %System/%SQL/EmbeddedStatement: Audits Embedded SQL statements within ObjectScript routines
• %System/%SQL/DynamicStatement: Audits Dynamic SQL operations through %SQL.Statement objects
• %System/%SQL/XDBCStatement: Audits SQL statements executed through ODBC and JDBC connections

Note: Each event type is disabled by default; must be enabled via Management Portal: System Administration > Security > Auditing > Configure System Events

Embedded SQL Auditing (Two-Step Enablement)

1. Enable system event: %System/%SQL/EmbeddedStatement 2. Add code directive: `#sqlcompile audit` preprocessor directive in routines containing Embedded SQL

• Setting to ON causes Embedded SQL following it to generate audit records
• Gives fine-grained control over which routines are audited
• Avoids performance overhead on non-sensitive operations

Dynamic SQL Auditing

• Simpler implementation: When %System/%SQL/DynamicStatement event is enabled, system automatically audits every %SQL.Statement execution
• No code changes required: Applies to all Dynamic SQL operations system-wide
• Best for: Monitoring external access or interactive queries requiring comprehensive coverage

Audit Record Content

The Audit Database stores:

• Timestamp (local time)
• Username
• Process ID (PID)
• Description specifying statement type (e.g., "SQL SELECT Statement")
• Event Data (via Details link): Complete SQL statement and input argument/parameter values
• Maximum Event Data length: 3,632,952 characters for Dynamic SQL (longer statements truncated)

Privilege Failure Auditing

• Event: %System/%SQL/PrivilegeFailure
• Records: Every SQLCODE -99 (Privilege Violation) error
• Purpose: Detect unauthorized access attempts, identify permission configuration errors, maintain security audit trails
• Status: Disabled by default; must be explicitly enabled

Performance Considerations

• Embedded SQL auditing: Minimizes overhead with selective #sqlcompile directives
• Dynamic SQL and XDBC auditing: May introduce measurable latency in high-transaction environments
• Balance: Audit coverage requirements against performance considerations