User's Guide
   PART 4. Database Administration and Advanced Use
     CHAPTER 22. Keeping Your Data Secure       

Controlling database access

By assigning user IDs and passwords, the database administrator controls who can gain access to a database. By granting permissions to each user ID, the database administrator controls what tasks each user can carry out when connected. This section describes the features available for controlling database access.

Permission scheme is based on user IDs 

When users log into the database, they have access to all database objects that meet any of the following criteria:

• The object was created by that user.

• The user was explicitly granted permission on the object.

• A group to which the user belongs was explicitly granted permission on the object.

The user cannot access any database object that does not meet these criteria. In short, users can access only objects that they own or to which access has been explicitly granted.

     For more information, see the following:

• Managing User IDs and Permissions.

• CONNECT statement.

• GRANT statement.

• REVOKE statement.

Using integrated logins 

Integrated logins allow users to use a single login name and password to log into the Windows NT operating system and into a database. An external login name is associated with a database user ID. When a user attempts an integrated login, the operating system tells the server who the user is, and the server logs the user in as the associated database user ID. No login name or password are required, since the user provided both in order to log into the operating system. There are some security implications of integrated logins to consider

     For more information see the following

• Using integrated logins.

• Security concerns: unrestricted database access.

• LOGIN_MODE option.

  Increasing password security

Passwords are an important part of any database security system. To be secure, passwords must not be easy to guess, and they must not be easily accessible on users' hard drives or other locations.

Restricting password length 

By default, passwords can be any length. For greater security, you can enforce a minimum length requirement on all new passwords. You do this by setting the MIN_PASSWORD_LENGTH database option to a value greater than zero. The following statement enforces passwords to be at least 8 bytes long.

SET OPTION PUBLIC.MIN_PASSWORD_LENGTH = 8

     For more information, see MIN_PASSWORD_LENGTH option.

Encrypt the passwords 

As passwords are the key to accessing databases, it is important that they not be easily available to unauthorized people in a security-conscious environment.

When you create an ODBC data source, or a Sybase Central connection profile, you can optionally include a password. Avoid including passwords for greater security. If you do include a password in the data source, check the box to encrypt the password.

     For information on creating ODBC data sources, see Creating an ODBC data source.