
Name: MUHAMMAD EZRAL REDZUAN BIN AZLEE

ID Number: AM2304013408

Lecturer: WAN ASIAH BT MUHAMAD TAHIR (HJH)

Lab group / Tutorial group / Tutor (if applicable):

Course and Course Code: DATA STRUCTURE AND ALGORITHM / SWC4133

Submission Date: 26/2/2024 - MONDAY

Extension & Late submission: DISALLOWED

Assignment No. / Title: ACCESSIBILITY

Assignment type: ASSIGNMENT

% of Assignment Mark:

Returning Date:

Penalties:
1. 10% of the original mark will be deducted for every one-week period after the submission date

2. No work will be accepted after two weeks of the deadline

3. If you were unable to submit the coursework on time due to extenuating circumstances, you may be eligible for an extension

4. Extension will not exceed one week

Declaration: I/we the undersigned confirm that I/we have read and agree to abide by these regulations on
plagiarism and cheating. I/we confirm that this piece of work is my/our own. I/we consent to appropriate
storage of our work for checking to ensure that there is no plagiarism/ academic cheating.

Signature:
Full Name: (MUHAMMAD EZRAL REDZUAN BIN AZLEE)

This section may be used for feedback or other information


TABLE OF CONTENTS

No.  Title                                          Page
1.   Front Cover UPTM                               1
2.   Table Of Content                               2
3.   UML Class Diagram                              3
4.   Structure Inside BlueJ                         4
5.   Coding (Object Class and Main Class)           5 - 17
6.   Output (With Correct and Incorrect input)      18 - 30
7.   Conclusion                                     31
8.   Assignment Rubric Form                         32
Activity 1 – Creating the database schema

CREATE TABLE CUSTOMER
(
    CustId      VARCHAR(10) NOT NULL UNIQUE,
    CustName    VARCHAR(50),
    CustAddress VARCHAR(50),
    CustPhoneNo CHAR(12),
    PRIMARY KEY (CustId)
);

CREATE TABLE ORDER_ITEM
(
    ItemNo   VARCHAR(10) NOT NULL UNIQUE,
    ItemName VARCHAR(30),
    Quantity INT DEFAULT 0,
    Price    DECIMAL(5,2) DEFAULT 999.99,
    PRIMARY KEY (ItemNo)
);

CREATE TABLE ORDER_RECEIPT
(
    OrderNo   INT NOT NULL UNIQUE,
    OrderDate DATE,
    CustId    VARCHAR(10),
    ItemNo    VARCHAR(10),
    PRIMARY KEY (OrderNo),
    FOREIGN KEY (CustId) REFERENCES CUSTOMER (CustId),
    FOREIGN KEY (ItemNo) REFERENCES ORDER_ITEM (ItemNo)
);
Activity 2 – Populating the database

INSERT INTO CUSTOMER (CustId, CustName, CustAddress, CustPhoneNo)
VALUES
    ('C1001', 'Siti Aminah Ahmad', 'Taman Melawati Gombak', '013256778'),
    ('C1002', 'Ahmad Fadly', 'Taman Melewar Gombak', '0143456778'),
    ('C1003', 'Siti Asmah Ali', 'Bandar Tasik Selatan', '011256778'),
    ('C1004', 'Ainul Mardhiyah Razali', 'Taman Conought Cheras ', '018956778'),
    ('C1005', 'Muhammad Faizul', 'Sec 3, BB Bangi', '019987888');

INSERT INTO ORDER_ITEM (ItemNo, ItemName, Quantity, Price)
VALUES
    ('T1001', 'PENBLUE', 1000, 1.25),
    ('T1002', 'PENCIL2B', 1100, 1.23),
    ('T1003', 'PENCIL2A', 900, 1.30),
    ('T1004', 'PENBLACK', 850, 1.23),
    ('T1005', 'PENRED', 800, 1.20);

INSERT INTO ORDER_RECEIPT (OrderNo, OrderDate, CustId, ItemNo)
VALUES
    (1001, '2019-12-12', 'C1002', 'T1002'),
    (1002, '2018-05-12', 'C1004', 'T1001'),
    (1003, '2020-01-11', 'C1001', 'T1002'),
    (1004, '2020-05-01', 'C1005', 'T1003'),
    (1005, '2020-08-10', 'C1003', 'T1003');
Activity 3 – Analysing the problem.

Tracey (Supervisor)
– Needs to be able to see and change everything.

Bill, Sheila, Govind
– Can do most of the routine work but cannot create a new customer.

Temp1, Temp2, Temp3
– Can process orders but cannot see the customer.

User Access Matrix

User     Customer                          Order_Item                        Order_Receipt
Tracey   Select, Update, Delete, Insert    Select, Update, Delete, Insert    Select, Update, Delete, Insert
Bill     Select, Update, Delete            Select, Update, Delete, Insert    Select, Update, Delete, Insert
Sheila   Select, Update, Delete            Select, Update, Delete, Insert    Select, Update, Delete, Insert
Govind   Select, Update, Delete            Select, Update, Delete, Insert    Select, Update, Delete, Insert
Temp1    -                                 Select                            Select
Temp2    -                                 Select                            Select
Temp3    -                                 Select                            Select

User Access Matrix (by privilege)

         Customer                        Order_Item                      Order_Receipt
User     Select Update Delete Insert     Select Update Delete Insert     Select Update Delete Insert
Tracey   ✓      ✓      ✓      ✓          ✓      ✓      ✓      ✓          ✓      ✓      ✓      ✓
Bill     ✓      ✓      ✓                 ✓      ✓      ✓      ✓          ✓      ✓      ✓      ✓
Sheila   ✓      ✓      ✓                 ✓      ✓      ✓      ✓          ✓      ✓      ✓      ✓
Govind   ✓      ✓      ✓                 ✓      ✓      ✓      ✓          ✓      ✓      ✓      ✓
Temp1                                    ✓                               ✓
Temp2                                    ✓                               ✓
Temp3                                    ✓                               ✓
Activity 4 – Executing the security script

mysql> CREATE USER 'Tracey'@'localhost' IDENTIFIED BY 'tracey';
Query OK, 0 rows affected (0.02 sec)

mysql> CREATE USER 'Bill'@'localhost' IDENTIFIED BY 'bill';
Query OK, 0 rows affected (0.03 sec)

mysql> CREATE USER 'Sheila'@'localhost' IDENTIFIED BY 'sheila';
Query OK, 0 rows affected (0.02 sec)

mysql> CREATE USER 'Govind'@'localhost' IDENTIFIED BY 'govind';
Query OK, 0 rows affected (0.02 sec)

mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON orders.customer TO 'Tracey'@'localhost';
Query OK, 0 rows affected (0.03 sec)

mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON orders.order_item TO 'Tracey'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON orders.order_receipt TO 'Tracey'@'localhost';
Query OK, 0 rows affected (0.03 sec)

mysql> GRANT SELECT, UPDATE, DELETE ON orders.customer TO 'Bill'@'localhost';
Query OK, 0 rows affected (0.03 sec)

mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON orders.order_item TO 'Bill'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON orders.order_receipt TO 'Bill'@'localhost';
Query OK, 0 rows affected (0.03 sec)

mysql> GRANT SELECT, UPDATE, DELETE ON orders.customer TO 'Sheila'@'localhost';
Query OK, 0 rows affected (0.03 sec)

mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON orders.order_item TO 'Sheila'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON orders.order_receipt TO 'Sheila'@'localhost';
Query OK, 0 rows affected (0.03 sec)

mysql> GRANT SELECT, UPDATE, DELETE ON orders.customer TO 'Govind'@'localhost';
Query OK, 0 rows affected (0.03 sec)

mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON orders.order_item TO 'Govind'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT, UPDATE, DELETE, INSERT ON orders.order_receipt TO 'Govind'@'localhost';
Query OK, 0 rows affected (0.03 sec)

mysql> CREATE USER 'Temp1'@'localhost' IDENTIFIED BY 'temp1';
Query OK, 0 rows affected (0.03 sec)

mysql> CREATE USER 'Temp2'@'localhost' IDENTIFIED BY 'temp2';
Query OK, 0 rows affected (0.01 sec)

mysql> CREATE USER 'Temp3'@'localhost' IDENTIFIED BY 'temp3';
Query OK, 0 rows affected (0.02 sec)

mysql> GRANT SELECT ON orders.order_item TO 'Temp1'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT ON orders.order_receipt TO 'Temp1'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> GRANT SELECT ON orders.order_item TO 'Temp2'@'localhost';
Query OK, 0 rows affected (0.02 sec)

mysql> GRANT SELECT ON orders.order_receipt TO 'Temp2'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT ON orders.order_item TO 'Temp3'@'localhost';
Query OK, 0 rows affected (0.01 sec)

mysql> GRANT SELECT ON orders.order_receipt TO 'Temp3'@'localhost';
Query OK, 0 rows affected (0.00 sec)

mysql> SHOW GRANTS FOR 'Tracey'@'localhost';

mysql> SHOW GRANTS FOR 'Bill'@'localhost';

mysql> SHOW GRANTS FOR 'Sheila'@'localhost';

mysql> SHOW GRANTS FOR 'Govind'@'localhost';

mysql> SHOW GRANTS FOR 'Temp1'@'localhost';

mysql> SHOW GRANTS FOR 'Temp2'@'localhost';

mysql> SHOW GRANTS FOR 'Temp3'@'localhost';
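The security script above grants the same privilege set to each account one statement at a time, so a later change to what a clerk may do has to be repeated for Bill, Sheila and Govind separately. The script below is an added example, not part of the original report, that expresses the same Activity 3 matrix with MySQL 8.0 roles. It assumes MySQL 8.0 or later, that the three tables of Activity 1 exist in database `orders` under the lowercase names used by the report's GRANT statements (whether `orders.customer` reaches a table created as `CUSTOMER` depends on the server's lower_case_table_names setting, so the script uses the lowercase spelling throughout), and the role names 'supervisor', 'clerk' and 'temp' are this example's own choice. The passwords are placeholders to be replaced at deployment; the report's passwords equal the usernames.

```sql
-- Added example, not part of the original report: the Activity 3 access matrix
-- expressed with MySQL 8.0 roles. Assumptions: MySQL 8.0+, tables of Activity 1
-- present in `orders` under the lowercase names used by the report's GRANTs,
-- role names 'supervisor', 'clerk', 'temp' chosen here, placeholder passwords.

-- One role per job function, so a change of duties is one GRANT or REVOKE on
-- the role rather than one per account.
CREATE ROLE IF NOT EXISTS 'supervisor', 'clerk', 'temp';

-- Supervisor (Tracey): see and change everything.
GRANT SELECT, INSERT, UPDATE, DELETE ON orders.customer      TO 'supervisor';
GRANT SELECT, INSERT, UPDATE, DELETE ON orders.order_item    TO 'supervisor';
GRANT SELECT, INSERT, UPDATE, DELETE ON orders.order_receipt TO 'supervisor';

-- Clerk (Bill, Sheila, Govind): routine work, but no INSERT on customer.
GRANT SELECT, UPDATE, DELETE         ON orders.customer      TO 'clerk';
GRANT SELECT, INSERT, UPDATE, DELETE ON orders.order_item    TO 'clerk';
GRANT SELECT, INSERT, UPDATE, DELETE ON orders.order_receipt TO 'clerk';

-- Temp (Temp1..Temp3): read order data only; nothing at all on customer.
GRANT SELECT ON orders.order_item    TO 'temp';
GRANT SELECT ON orders.order_receipt TO 'temp';

-- Accounts are restricted to localhost, as in the report.
CREATE USER IF NOT EXISTS 'Tracey'@'localhost' IDENTIFIED BY '<set-a-real-password>';
CREATE USER IF NOT EXISTS 'Bill'@'localhost'   IDENTIFIED BY '<set-a-real-password>';
CREATE USER IF NOT EXISTS 'Sheila'@'localhost' IDENTIFIED BY '<set-a-real-password>';
CREATE USER IF NOT EXISTS 'Govind'@'localhost' IDENTIFIED BY '<set-a-real-password>';
CREATE USER IF NOT EXISTS 'Temp1'@'localhost'  IDENTIFIED BY '<set-a-real-password>';
CREATE USER IF NOT EXISTS 'Temp2'@'localhost'  IDENTIFIED BY '<set-a-real-password>';
CREATE USER IF NOT EXISTS 'Temp3'@'localhost'  IDENTIFIED BY '<set-a-real-password>';

-- Map each account to exactly one role.
GRANT 'supervisor' TO 'Tracey'@'localhost';
GRANT 'clerk'      TO 'Bill'@'localhost', 'Sheila'@'localhost', 'Govind'@'localhost';
GRANT 'temp'       TO 'Temp1'@'localhost', 'Temp2'@'localhost', 'Temp3'@'localhost';

-- A granted role is inactive until activated; make it active at login so the
-- users do not have to run SET ROLE themselves.
SET DEFAULT ROLE ALL TO
    'Tracey'@'localhost', 'Bill'@'localhost', 'Sheila'@'localhost', 'Govind'@'localhost',
    'Temp1'@'localhost', 'Temp2'@'localhost', 'Temp3'@'localhost';

-- Verification, as in the report's SHOW GRANTS step. The USING clause lists the
-- table privileges the account inherits through the role, not only the role name.
SHOW GRANTS FOR 'Bill'@'localhost'  USING 'clerk';
SHOW GRANTS FOR 'Temp1'@'localhost' USING 'temp';
```

Run the script as the administrative account that owns the `orders` database. Because every table privilege is attached to a role, the least-privilege review reduces to three SHOW GRANTS on the roles plus a check that each account holds exactly one of them.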

Activity 5 – Testing the access control.

TRACEY – CUSTOMER TABLE

SELECT STATEMENT

INSERT STATEMENT

UPDATE STATEMENT

DELETE STATEMENT

TRACEY – ORDER_ITEM TABLE

SELECT STATEMENT

INSERT STATEMENT

UPDATE STATEMENT

DELETE STATEMENT

TRACEY – ORDER_RECEIPT TABLE

SELECT STATEMENT

INSERT STATEMENT

UPDATE STATEMENT

DELETE STATEMENT

BILL, SHEILA, GOVIND – CUSTOMER TABLE

SELECT STATEMENT

INSERT STATEMENT

UPDATE STATEMENT

DELETE STATEMENT

BILL, SHEILA, GOVIND – ORDER_ITEM TABLE

SELECT STATEMENT

INSERT STATEMENT

UPDATE STATEMENT

DELETE STATEMENT

BILL, SHEILA, GOVIND – ORDER_RECEIPT TABLE

SELECT STATEMENT

INSERT STATEMENT

UPDATE STATEMENT

DELETE STATEMENT

TEMP1, TEMP2, TEMP3 – CUSTOMER TABLE

SELECT STATEMENT

INSERT STATEMENT

UPDATE STATEMENT

DELETE STATEMENT

TEMP1, TEMP2, TEMP3 – ORDER_ITEM TABLE

SELECT STATEMENT

INSERT STATEMENT

UPDATE STATEMENT

DELETE STATEMENT

TEMP1, TEMP2, TEMP3 – ORDER_RECEIPT TABLE

SELECT STATEMENT

INSERT STATEMENT

UPDATE STATEMENT

DELETE STATEMENT
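The tests above are organised as one screenshot per user, table and statement. The script below is an added example, not part of the original report, that packs the whole matrix into one file to be run once per account, with the expected outcome of each statement written as a comment. It assumes the schema and data of Activities 1 and 2, the grants of Activity 4, and that the tables are reachable under the lowercase names used by those GRANT statements; the test rows C1006, T1006 and 1006 are constructed here. The error texts quoted are MySQL's standard messages for a privilege check failure (1142) and a foreign key violation (1451).

```sql
-- Added example, not part of the original report: exercises every cell of the
-- Activity 3 matrix. Run once per account, for example:
--   mysql --force -u Temp1 -p orders < access_test.sql
-- (--force continues after a denied statement instead of stopping at the first
-- error). Assumes Activities 1, 2 and 4 have been applied with lowercase table
-- names. A privilege failure looks like:
--   ERROR 1142 (42000): INSERT command denied to user 'Temp1'@'localhost' for table 'customer'

USE orders;
SELECT CURRENT_USER();   -- confirm which account this session was authenticated as

-- CUSTOMER. Tracey: all four succeed. Bill, Sheila, Govind: SELECT, UPDATE and
-- DELETE succeed, INSERT fails with 1142. Temp1..Temp3: all four fail with 1142.
SELECT CustId, CustName FROM customer WHERE CustId = 'C1005';
INSERT INTO customer VALUES ('C1006', 'Test Customer', 'Test Address', '0100000000');  -- constructed row
UPDATE customer SET CustPhoneNo = '0199999999' WHERE CustId = 'C1006';
DELETE FROM customer WHERE CustId = 'C1006';

-- Referential integrity applies even where DELETE is granted: C1001 is the
-- parent of receipt 1003, so for Tracey and the clerks this fails with
--   ERROR 1451 (23000): Cannot delete or update a parent row: a foreign key constraint fails
-- and the row stays (no ON DELETE CASCADE was declared in Activity 1).
-- The temps fail earlier, with 1142.
DELETE FROM customer WHERE CustId = 'C1001';

-- ORDER_ITEM. Tracey and the clerks: all four succeed. Temps: SELECT succeeds,
-- the other three fail with 1142.
SELECT ItemNo, ItemName, Price FROM order_item WHERE ItemNo = 'T1001';
INSERT INTO order_item VALUES ('T1006', 'ERASER', 500, 0.50);                          -- constructed row
UPDATE order_item SET Quantity = Quantity - 1 WHERE ItemNo = 'T1006';
DELETE FROM order_item WHERE ItemNo = 'T1006';

-- ORDER_RECEIPT. Same pattern as ORDER_ITEM.
SELECT OrderNo, OrderDate, CustId FROM order_receipt WHERE OrderNo = 1001;
INSERT INTO order_receipt VALUES (1006, '2024-02-26', 'C1002', 'T1001');               -- constructed row
UPDATE order_receipt SET ItemNo = 'T1002' WHERE OrderNo = 1006;
DELETE FROM order_receipt WHERE OrderNo = 1006;

-- Never granted to anyone, so every account, Tracey included, gets
--   ERROR 1142 (42000): DROP command denied to user ... for table 'customer'
-- (this is the check behind postscript question 1).
DROP TABLE customer;
```

Keeping the expected outcome next to each statement turns the screenshots into a repeatable check: after any change to the grants, rerunning the file for the seven accounts and comparing against the comments shows immediately which cell of the matrix drifted.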
Activity 6 – Conclusion

An additional SQL security measure that could be taken is to implement a stored procedure that handles sensitive operations, such as inserting a large order of over RM1000, so that only an authorised user can perform that operation.
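One way to build the stored-procedure measure just proposed, as an added example that is not part of the original report: the order line is inserted by a definer-rights procedure, the RM1000 check lives inside it, and which users may go over the limit is decided by GRANT EXECUTE rather than by code that inspects the caller's name. It assumes MySQL 8.0, the Activity 1 tables in `orders` under lowercase names, and an extra Quantity column on order_receipt (the report's schema has none, so it is added here); the procedure names and the approval limit are this example's own choices.

```sql
-- Added example, not part of the original report. Assumptions: MySQL 8.0,
-- lowercase table names in `orders`, a Quantity column added to order_receipt,
-- procedure names chosen here. Run as the administrative account, whose
-- privileges the procedures will carry (DEFINER defaults to the creator).
USE orders;
ALTER TABLE order_receipt ADD COLUMN Quantity INT NOT NULL DEFAULT 1;  -- assumption, not in the report's schema

DELIMITER //

-- Shared insert path. Validates the line, compares its value with the limit
-- the wrapper passed in, and inserts. Nobody is granted EXECUTE on this one
-- directly, so a caller cannot choose their own limit.
CREATE PROCEDURE order_line_checked(
    IN p_order_no INT, IN p_cust_id VARCHAR(10), IN p_item_no VARCHAR(10),
    IN p_qty INT, IN p_limit DECIMAL(10,2))
SQL SECURITY DEFINER
BEGIN
    DECLARE v_line_value DECIMAL(12,2) DEFAULT NULL;

    IF p_qty IS NULL OR p_qty <= 0 THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Quantity must be positive';
    END IF;

    SELECT Price * p_qty INTO v_line_value FROM order_item WHERE ItemNo = p_item_no;
    IF v_line_value IS NULL THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Unknown item number';
    END IF;

    IF v_line_value > p_limit THEN
        SIGNAL SQLSTATE '45000' SET MESSAGE_TEXT = 'Order line exceeds the caller''s approval limit';
    END IF;

    INSERT INTO order_receipt (OrderNo, OrderDate, CustId, ItemNo, Quantity)
    VALUES (p_order_no, CURDATE(), p_cust_id, p_item_no, p_qty);
END //

-- Clerk entry point: lines of RM1000 or less.
CREATE PROCEDURE clerk_place_order(
    IN p_order_no INT, IN p_cust_id VARCHAR(10), IN p_item_no VARCHAR(10), IN p_qty INT)
SQL SECURITY DEFINER
BEGIN
    CALL order_line_checked(p_order_no, p_cust_id, p_item_no, p_qty, 1000.00);
END //

-- Supervisor entry point: no practical limit.
CREATE PROCEDURE supervisor_place_order(
    IN p_order_no INT, IN p_cust_id VARCHAR(10), IN p_item_no VARCHAR(10), IN p_qty INT)
SQL SECURITY DEFINER
BEGIN
    CALL order_line_checked(p_order_no, p_cust_id, p_item_no, p_qty, 99999999.99);
END //

DELIMITER ;

-- Authorisation is expressed with EXECUTE, so the limit a user gets is fixed by
-- which procedure they may call.
GRANT EXECUTE ON PROCEDURE orders.clerk_place_order
    TO 'Bill'@'localhost', 'Sheila'@'localhost', 'Govind'@'localhost';
GRANT EXECUTE ON PROCEDURE orders.supervisor_place_order TO 'Tracey'@'localhost';

-- With the procedure as the only write path, direct INSERT on the receipt
-- table is withdrawn from the clerks (Activity 4 had granted it).
REVOKE INSERT ON orders.order_receipt
    FROM 'Bill'@'localhost', 'Sheila'@'localhost', 'Govind'@'localhost';

-- Example calls as Bill (constructed order numbers):
CALL clerk_place_order(2001, 'C1002', 'T1001', 100);    -- 100 x 1.25 = RM125.00, accepted
CALL clerk_place_order(2002, 'C1002', 'T1001', 1000);   -- RM1250.00, rejected with SQLSTATE 45000
-- The second line goes through only via supervisor_place_order, which Bill cannot execute.
```

Because the procedures run with the definer's rights, the clerks keep working after their direct INSERT privilege is revoked, and the "over RM1000" rule can no longer be bypassed with a plain INSERT from the mysql client.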

Strength:
- Each user role has a different level of authorisation, which ensures that each user has their own job and a defined level of access.

- Access control has several levels of authorisation, so it is easier to manage the privileges that have been given to each user role.

Weakness:
- Lack of encryption or masking of sensitive data.

- Limited validation or auditing mechanisms.
Activity 7 – Postscript

Well, how well did you do?

Remember Tracey?
After your work, she thought she should have a raise. She asked and was refused and then returned to her desk. To answer these questions, refer to your database design and security script.

1. Tracey then tried to delete the CUSTOMER table. Did she succeed?

No, Tracey does not succeed in deleting the CUSTOMER table, because she does not have the permission or level of authority to delete a table in the database.

2. I hope not, but if so, why? Did you not inadvertently give her SYSADM privileges?

If Tracey does manage to delete the CUSTOMER table, then that means the administrator accidentally gave Tracey excessive privileges without realising it.

3. She then tried to delete some customers. Did she succeed? Did the deletes cascade?

No, Tracey should not be able to delete customer data, because the rows in the CUSTOMER table are referenced by another table, which we call the child table. So the data cannot be deleted, and the deletes do not cascade, unless CASCADE DELETE has been set up in the system.

4. She tried to insert a line in all orders over RM1000 for 500 coffee machines. Did she succeed?

In this case, Tracey does succeed in inserting a line in orders over RM1000. This is because an access control mechanism that denies permission to users who do not have the privilege to handle such orders has not been set up in the system. Even if that access control mechanism had been set up, Tracey and Govind would have the access needed to handle those orders.
5. And how was the problem detected?

The problem with access control would be detected through regular auditing and monitoring of the database activities.
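The answer above, and the "limited validation or auditing mechanisms" weakness in Activity 6, both point to the same gap: nothing in the report records who changed or tried to change customer data. The script below is an added example, not part of the original report, that adds a trigger-based audit trail for changes that go through, and uses the MySQL general query log to see the attempts that were denied. It assumes MySQL 8.0, the Activity 1 tables in `orders` under lowercase names, and an administrative session; the audit table and trigger names are this example's own.

```sql
-- Added example, not part of the original report. Assumptions: MySQL 8.0,
-- lowercase table names in `orders`, run by an administrator (TRIGGER privilege
-- and the right to change global variables). Table and trigger names chosen here.
USE orders;

CREATE TABLE IF NOT EXISTS customer_audit (
    AuditId  INT AUTO_INCREMENT PRIMARY KEY,
    Action   VARCHAR(10)  NOT NULL,
    CustId   VARCHAR(10)  NOT NULL,
    OldValue VARCHAR(200),
    ActedBy  VARCHAR(100) NOT NULL,
    ActedAt  DATETIME     NOT NULL DEFAULT CURRENT_TIMESTAMP
);

DELIMITER //

-- Triggers execute with their definer's privileges, so inside the body
-- CURRENT_USER() would name the administrator who created the trigger.
-- USER() names the session account (the person at the keyboard), which is
-- the identity an audit record needs.
CREATE TRIGGER customer_delete_audit
AFTER DELETE ON customer FOR EACH ROW
BEGIN
    INSERT INTO customer_audit (Action, CustId, OldValue, ActedBy)
    VALUES ('DELETE', OLD.CustId,
            CONCAT(OLD.CustName, ' / ', OLD.CustAddress, ' / ', OLD.CustPhoneNo),
            USER());
END //

CREATE TRIGGER customer_update_audit
AFTER UPDATE ON customer FOR EACH ROW
BEGIN
    INSERT INTO customer_audit (Action, CustId, OldValue, ActedBy)
    VALUES ('UPDATE', OLD.CustId,
            CONCAT(OLD.CustName, ' / ', OLD.CustAddress, ' / ', OLD.CustPhoneNo),
            USER());
END //

DELIMITER ;

-- The seven report accounts were never granted anything on customer_audit, so
-- they can neither read nor edit the trail; only the administrator can.

-- Triggers see only statements that succeeded. The denied attempts from the
-- postscript (DROP TABLE, the blocked customer deletes) never reach a trigger,
-- but the general query log records every statement the server receives.
SET GLOBAL log_output  = 'TABLE';
SET GLOBAL general_log = 'ON';

-- Review 1: who tried to drop or empty the customer table, denied or not?
SELECT event_time, user_host, CONVERT(argument USING utf8mb4) AS statement_text
FROM mysql.general_log
WHERE LOWER(CONVERT(argument USING utf8mb4)) LIKE 'drop table%'
   OR LOWER(CONVERT(argument USING utf8mb4)) LIKE 'delete from customer%'
ORDER BY event_time DESC;

-- Review 2: what actually changed, and by whom?
SELECT ActedAt, ActedBy, Action, CustId, OldValue
FROM customer_audit
ORDER BY ActedAt DESC;
```

The general log records every statement and grows quickly, so on anything beyond a lab server it is switched on for a review window rather than permanently; the trigger table, by contrast, costs one extra row per change and can stay on. USER() reports the user name and host the client supplied at connection time, so the trail records the authenticated login, not a name chosen inside the session.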

6. She tried to change her password. Did she succeed?

No, she does not succeed in changing her password, because the authority to change passwords and manage users belongs only to the SYSTEM ADMIN and not to the supervisor in the sales office.

7. How much privilege can any one individual ever be given?

One individual can have as many privileges as possible if the SYSTEM ADMIN approves. But privilege escalation should be minimised, and each user should only be given the privileges necessary for their role.