Access Control
Column-level encryption is the last line of protection for information in cases where an intruder has successfully breached the database table. However, encryption by itself only obscures data; it cannot distinguish which DB account the intruder is using or where the connection comes from. MyDiamo therefore provides an access control function that can restrict access based on specific IP addresses or DB accounts.
The access control function consists of two major parts: the access control mode and the access control privileges. If you want to block access from certain users and allow all others, it is convenient to set the access control mode to ‘ALLOW’. In contrast, if you want to allow only specific access, such as the administrator's, and block all others, ‘DENY’ mode is the most useful.
Denying Access in ALLOW mode
In the MyDiamo CLI, you can change the access control mode to ‘ALLOW’ with the command below.
MyDiamo >SET ENV ACCESS ALLOW
In ‘ALLOW’ mode, users who are not registered in the access control privilege list can access any table. To block the ‘ADMIN’ user at IP address 123.123.0.0 from accessing the NAME column in the JAMES.EMPLOYEE table, use the following command to set the access privilege:
MyDiamo >SET PRIV ACCESS 123.123.0.0"ADMIN"JAMES"EMPLOYEE"NAME"0
The final parameter ‘0’ means unprivileged.
The command below saves only the access control settings.
MyDiamo >SAVE PRIV ACCESS
Now, when the ‘ADMIN’ user tries to access the data from the MySQL command line, MySQL returns an access denied error message.
Allowing Access in DENY mode
In ‘DENY’ mode, the settings work the opposite way from ‘ALLOW’ mode. ‘DENY’ mode blocks every access attempt that lacks the proper access privileges, so it is useful when you want to allow only a few permitted users, such as the DB administrator.
You can set the access control mode to ‘DENY’ by using the command below.
MyDiamo >SET ENV ACCESS DENY
After the access mode has been set to ‘DENY’, set the individual privileges for the users who are permitted access. To allow ‘root’ from localhost to access the ADDRESS column in the JAMES.EMPLOYEE table, the command is:
MyDiamo >SET PRIV ACCESS localhost"root"JAMES"EMPLOYEE"ADDRESS"1
Save your access control settings; the system will then allow access only for those with the saved privileges.
MyDiamo >SAVE PRIV ACCESS
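To compare what the two modes do with a request that no privilege entry covers, the following Python model (an added example, not MyDiamo code) decides requests against the two entries shown above. It assumes an entry applies only when IP, account, schema, table and column all match exactly, and it splits the argument on the `"` characters as printed on this page; the IP 10.0.0.5 and the `app` account are constructed.

```python
from typing import NamedTuple

class Priv(NamedTuple):
    ip: str
    account: str
    schema: str
    table: str
    column: str
    allowed: bool  # final field: 1 = privileged, 0 = unprivileged

def parse_priv(arg: str) -> Priv:
    """Split a SET PRIV ACCESS argument on the '"' separators printed on this page."""
    parts = arg.split('"')
    if len(parts) != 6 or parts[5] not in ("0", "1"):
        raise ValueError(f"expected six fields ending in 0 or 1: {arg!r}")
    return Priv(*parts[:5], allowed=(parts[5] == "1"))

def decide(mode, privs, ip, account, schema, table, column) -> bool:
    """True if the request is permitted.

    Assumption: an entry applies only when all five fields match exactly;
    with no matching entry the mode is the default (ALLOW permits, DENY blocks).
    """
    if mode not in ("ALLOW", "DENY"):
        raise ValueError(f"unknown mode: {mode!r}")
    request = (ip, account, schema, table, column)
    for p in privs:
        if p[:5] == request:
            return p.allowed
    return mode == "ALLOW"

# The two entries from this page.
ALLOW_PRIVS = [parse_priv('123.123.0.0"ADMIN"JAMES"EMPLOYEE"NAME"0')]
DENY_PRIVS = [parse_priv('localhost"root"JAMES"EMPLOYEE"ADDRESS"1')]

def demo() -> dict:
    """Decide constructed requests (10.0.0.5 and 'app' are made up) in each mode."""
    name = ("JAMES", "EMPLOYEE", "NAME")
    addr = ("JAMES", "EMPLOYEE", "ADDRESS")
    return {
        "ALLOW: listed ADMIN": decide("ALLOW", ALLOW_PRIVS, "123.123.0.0", "ADMIN", *name),
        "ALLOW: ADMIN, other IP": decide("ALLOW", ALLOW_PRIVS, "10.0.0.5", "ADMIN", *name),
        "DENY: listed root": decide("DENY", DENY_PRIVS, "localhost", "root", *addr),
        "DENY: root, other column": decide("DENY", DENY_PRIVS, "localhost", "root", *name),
        "DENY: unlisted app": decide("DENY", DENY_PRIVS, "10.0.0.5", "app", *addr),
    }

if __name__ == "__main__":
    for case, permitted in demo().items():
        print(f"{case:26} -> {'permitted' if permitted else 'denied'}")
```

Under these assumptions, ‘ALLOW’ mode fails open for any request the privilege list does not name, while ‘DENY’ mode fails closed.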