data model
By Lielet G.
File system
RDBMS,OODBMS,ORDBMS
Object relational data models
Oracle Relational Model
Creating Object Tables
• Creating an object type is not the same as creating a table.
• Creating a type merely defines a logical structure; it does not create storage.
• To use an object-relational interface to your data, you must create object types, whether you intend to store your data in object tables or to leave it in relational tables and access it through object views.
• Object views and object tables alike presuppose object types: an object table or object view is always a table or view of a certain object type.
Generally, you can think of the relationship between "objects" and "object tables" in the following way:
• Classes, which represent entities, map to object tables
• Attributes map to columns
• Objects map to rows
Object type as a data type
CREATE TABLE contacts (
  contact      person_typ,   -- an object type can be used like any built-in data type
  contact_date DATE
);
-- The contacts table is a relational table with an object type as the data type of its contact column.
Note: when a row is inserted, person_typ is instantiated and values are assigned to the attributes of the object instance.
How Objects are Stored in Tables
Cont..
CREATE TABLE solids OF solid_typ;   -- solid_typ is an object type declared earlier (not shown on this slide)
SET SERVEROUTPUT ON
DECLARE
  solid solid_typ;
BEGIN
  -- VALUE(s) returns the whole object instance stored in the row
  SELECT VALUE(s) INTO solid FROM solids s WHERE s.len = 10;
  solid.display();   -- member procedure of solid_typ
END;
/
Member Methods for Comparing Objects
• Map methods: map methods return values that can be used for comparing and sorting.
• obj_1 > obj_2 is equivalent to: obj_1.map() > obj_2.map()
Creating a Map Method
CREATE OR REPLACE TYPE rectangle_typ AS OBJECT (
len NUMBER,
wid NUMBER,
MAP MEMBER FUNCTION area RETURN NUMBER);
/
-- Type body with two user-defined constructors for a rectangle_typ that has name, area, len and wth attributes.
-- The body header and the first constructor's parameter list are reconstructed from the assignments below.
CREATE OR REPLACE TYPE BODY rectangle_typ AS
  CONSTRUCTOR FUNCTION rectangle_typ (name VARCHAR2, len NUMBER, wth NUMBER) RETURN SELF AS RESULT IS
  BEGIN
    SELF.name := name;
    SELF.area := len * wth;
    SELF.len  := len;
    SELF.wth  := wth;
    RETURN;
  END;
  -- second constructor: a square, given one side length
  CONSTRUCTOR FUNCTION rectangle_typ (name VARCHAR2, side NUMBER) RETURN SELF AS RESULT IS
  BEGIN
    SELF.name := name;
    SELF.area := side * side;
    SELF.len  := side;
    SELF.wth  := side;
    RETURN;
  END;
END;
/
CREATE TABLE shape_tbl OF shape_typ;
Creating the Parent or Supertype person_typ Object
CREATE OR REPLACE TYPE person_typ AS OBJECT (
idno NUMBER,
name VARCHAR2(30),
phone VARCHAR2(20),
MAP MEMBER FUNCTION get_idno RETURN NUMBER,
MEMBER FUNCTION show RETURN VARCHAR2)
NOT FINAL;
/
CREATE OR REPLACE TYPE BODY person_typ AS
MAP MEMBER FUNCTION get_idno RETURN NUMBER IS
BEGIN
RETURN idno;
END;
  -- function that can be overridden by subtypes
MEMBER FUNCTION show RETURN VARCHAR2 IS
BEGIN
RETURN 'Id: ' || TO_CHAR(idno) || ', Name: ' || name;
END;
END;
/
Creating a Subtype Object
CREATE TYPE student_typ UNDER person_typ (
dept_id NUMBER,
major VARCHAR2(30),
OVERRIDING MEMBER FUNCTION show RETURN VARCHAR2)
NOT FINAL;
/
You can call the show() function for the supertype and subtypes in the table with the
following:
SELECT p.show() FROM person_obj_table p;
Overriding: redefining an inherited property by defining the same property differently at the subtype level.
The OVERRIDING keyword is placed in front of the method's signature to tell the compiler that this method is going to be overridden.
-- rectangle_typ is assumed to be declared earlier as a subtype of shape_typ (its declaration is not on this slide):
-- get_name() and the no-argument get_area() come from the supertype, get_area(len, wth) and display are defined here.
CREATE TYPE BODY rectangle_typ AS
  MEMBER FUNCTION get_area(len NUMBER, wth NUMBER) RETURN NUMBER IS
  BEGIN
    RETURN len * wth;
  END get_area;
  OVERRIDING MEMBER PROCEDURE display IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE('Name ' || name || ' area ' || get_area(len, wth) ||
                         ' length ' || len || ' width ' || wth);
  END display;
END;
/
CREATE TABLE rectangle_tbl OF rectangle_typ;
-- using the default constructor of rectangle_typ (arguments follow the attribute order of the type)
INSERT INTO rectangle_tbl VALUES (rectangle_typ('rec01', 5, 4, 3));
INSERT INTO rectangle_tbl VALUES (rectangle_typ('rec02', 10, 1, 4));
SELECT r.get_name()
FROM rectangle_tbl r
WHERE r.get_area() < 5;                 -- this get_area() is called from the supertype
SELECT *
FROM rectangle_tbl r
WHERE r.get_area(r.len, r.wth) < 5;     -- this get_area() is called from the subtype
/
Only methods that are not declared to be final
in the supertype can be overridden.
Security (Cont.)
Physical level
Physical access to computers allows destruction of data by intruders; traditional lock-and-key security is needed.
Computers must also be protected from floods, fire, etc.
More in Chapter 17 (Recovery)
Human level
Users must be screened to ensure that authorized users do not give access to intruders.
Users should be trained on password selection and secrecy.
Operating System Authentication (continued)
Authorization
Forms of authorization on parts of the database:
Authorization (Cont.)
Forms of authorization to modify the database schema:
Index authorization - allows creation and deletion of indices.
Resources authorization - allows creation of new relations.
Alteration authorization - allows addition or deletion of attributes in a relation.
Drop authorization - allows deletion of relations.
Authorization and Views
Users can be given authorization on views without being given any authorization on the relations used in the view definition.
The ability of views to hide data serves both to simplify usage of the system and to enhance security by allowing users access only to the data they need for their job.
A combination of relation-level security and view-level security can be used to limit a user's access to precisely the data that user needs.
View Example
Suppose a bank clerk needs to know the names of the customers of each branch, but is not authorized to see specific loan information.
Approach: Deny direct access to the loan relation, but grant access to the view cust-loan, which consists only of the names of customers and the branches at which they have a loan.
The cust-loan view is defined in SQL as follows:
create view cust-loan as
  select branchname, customer-name
  from borrower, loan
  where borrower.loan-number = loan.loan-number
View Example (Cont.)
The clerk is authorized to see the result of the query:
select *
from cust-loan
When the query processor translates the result into a query on the actual relations in the database, we obtain a query on borrower and loan.
Authorization must be checked on the clerk's query before query processing begins.
Authorization on Views
Granting of Privileges
The passage of authorization from one user to another may be represented by an authorization graph.
The nodes of this graph are the users.
The root of the graph is the database administrator.
Consider the graph for update authorization on loan.
An edge Ui → Uj indicates that user Ui has granted update authorization on loan to Uj.
[Figure: authorization grant graph with nodes DBA, U1, U2, U3, U4 and U5]
Authorization Grant Graph
Requirement: All edges in an authorization graph must be part of some path originating with the database administrator.
If DBA revokes grant from U1:
– Grant must be revoked from U4 since U1 no longer has authorization
– Grant must not be revoked from U5 since U5 has another authorization path from DBA through U2
Must prevent cycles of grants with no path from the root:
– DBA grants authorization to U7
– U7 grants authorization to U8
– U8 grants authorization to U7
– DBA revokes authorization from U7
Must revoke grant U7 to U8 and from U8 to U7 since there is no path from DBA to U7 or to U8 anymore.
Security Specification in SQL
The grant statement is used to provide authorization:
grant <privilege list>
on <relation name or view name> to <user list>
<user list> is:
– a user-id
– public, which allows all valid users the privilege granted
– a role (more on this later)
Granting a privilege on a view does not imply granting any privileges on the underlying relations.
The grantor of the privilege must already hold the privilege on the specified item (or be the database administrator).
Privileges in SQL
select: allows read access to a relation, or the ability to query using the view
Example: grant users U1, U2, and U3 select authorization on the branch relation:
grant select on branch to U1, U2, U3
insert: the ability to insert tuples
update: the ability to update using the SQL update statement
delete: the ability to delete tuples
references: the ability to declare foreign keys when creating relations
usage: in SQL-92; authorizes a user to use a specified domain
all privileges: used as a short form for all the allowable privileges
Creating Users
CREATE USER: an example
Data dictionary views describing users and their tablespace quotas:
USER_USERS
ALL_USERS
DBA_USERS
USER_TS_QUOTAS
DBA_TS_QUOTAS
Information about the database user who is currently logged on can be seen by examining the USER_USERS data dictionary view.
Querying System Privileges
ALL_SYS_PRIVS
SESSION_PRIVS
USER_SYS_PRIVS
DBA_SYS_PRIVS
SYSTEM_PRIVILEGE_MAP
Modifying Users
Modifications involve:
– Changing passwords
– Locking an account
– Increasing a storage quota
These changes are made with the ALTER USER DDL statement; a user is removed with the DROP USER command.
Privilege To Grant Privileges
with grant option: allows a user who is granted a privilege to pass the privilege on to other users.
Example:
grant select on branch to U1 with grant option
gives U1 the select privilege on branch and allows U1 to grant this privilege to others.
Roles
Within a database, each role name must be unique, different from all user names and all other role names.
CREATE ROLE role
  [ NOT IDENTIFIED
  | IDENTIFIED { BY password | EXTERNALLY } ];
Where:
– role: name of the role to be created
– NOT IDENTIFIED: users granted the role do not need to be verified by ORACLE to enable it
– IDENTIFIED: indicates that the users granted the role must be verified by ORACLE to enable the role
– BY password: specifies the password that authorizes enabling the role
– EXTERNALLY: specifies that ORACLE will verify user access to the role using an operating system utility
Note: If the IDENTIFIED option is chosen, users can enable/disable the role by using the SET ROLE command.
Benefits of Using Roles
Reduced privilege administration
– Rather than granting the same set of privileges explicitly to several
users, you can grant the privileges for a group of related users to a role,
and then only the role needs to be granted to each member of the
group.
Dynamic privilege management
– If the privileges of a group must change, then only the privileges of the
role need to be modified. The security domains of all users granted the
group’s role automatically reflect the changes made to the role.
Selective availability of privileges
– You can selectively enable or disable the roles granted to a user. This
allows specific control of a user’s privileges in any given situation.
Application awareness
– The data dictionary records which roles exist, so you can design
applications to query the dictionary and automatically enable (or
disable) selective roles when a user attempts to run the application by
way of a given user name.
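An added Python sketch of the role mechanics described above (not code from the slides or from Oracle): a RoleCatalog stands in for the data dictionary, Session.set_role models SET ROLE including the IDENTIFIED BY password check, and Session.privileges shows a user's security domain following a change made to the role once. The role names, user names and privilege strings are constructed.

```python
class RoleCatalog:
    def __init__(self):
        self.role_privs = {}   # role -> privileges granted to the role
        self.role_pwd = {}     # role -> password, or None for NOT IDENTIFIED
        self.user_roles = {}   # user -> roles granted to the user
        self.user_privs = {}   # user -> privileges granted to the user directly
    def create_role(self, role, password=None):
        # A role name must differ from every user name and every other role name.
        if role in self.role_pwd or role in self.user_roles or role in self.user_privs:
            raise ValueError(f"{role} already names a role or a user")
        self.role_privs[role], self.role_pwd[role] = set(), password
    def grant(self, priv, to):
        # GRANT priv TO a role or a user, e.g. grant('select on branch', to='clerk').
        target = self.role_privs if to in self.role_privs else self.user_privs
        target.setdefault(to, set()).add(priv)
    def grant_role(self, role, user):
        self.user_roles.setdefault(user, set()).add(role)

class Session:
    # A connected user; a granted role adds privileges only while it is enabled.
    def __init__(self, catalog, user):
        self.catalog, self.user, self.enabled = catalog, user, set()
    def set_role(self, role, password=None):
        # SET ROLE: the role must be granted, and an IDENTIFIED BY role needs its password.
        if role not in self.catalog.user_roles.get(self.user, ()):
            raise PermissionError(f"{self.user} was not granted {role}")
        if self.catalog.role_pwd[role] not in (None, password):
            raise PermissionError(f"wrong password for role {role}")
        self.enabled.add(role)
    def privileges(self):
        # The user's security domain: direct grants plus those of every enabled role.
        privs = set(self.catalog.user_privs.get(self.user, ()))
        for role in self.enabled:
            privs |= self.catalog.role_privs[role]
        return privs

def clerk_demo():
    # Constructed scenario: a change to the role reaches U1 at once; a password role.
    cat = RoleCatalog()
    cat.create_role("clerk")                        # NOT IDENTIFIED
    cat.create_role("auditor", password="s3cret")   # IDENTIFIED BY s3cret
    cat.grant("select on cust-loan", to="clerk")
    cat.grant("select on loan", to="auditor")
    cat.grant_role("clerk", "U1")
    cat.grant_role("auditor", "U1")
    s = Session(cat, "U1")
    s.set_role("clerk")
    before = sorted(s.privileges())
    cat.grant("insert on borrower", to="clerk")     # modify the role, not each user
    s.set_role("auditor", password="s3cret")
    return before, sorted(s.privileges())
```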
Displaying Information About Roles
Revoking Authorization in SQL
The revoke statement is used to revoke authorization:
revoke <privilege list>
on <relation name or view name> from <user list> [restrict | cascade]
Example:
revoke select on branch from U1, U2, U3 cascade
Revocation of a privilege from a user may cause other users also to lose that privilege; this is referred to as cascading of the revoke.
We can prevent cascading by specifying restrict:
revoke select on branch from U1, U2, U3 restrict
With restrict, the revoke command fails if cascading revokes are required.
Revoking Authorization in SQL (Cont.)
<privilege-list> may be all, to revoke all privileges the revokee may hold.
If <revokee-list> includes public, all users lose the privilege except those granted it explicitly.
If the same privilege was granted twice to the same user by different grantees, the user may retain the privilege after the revocation.
All privileges that depend on the privilege being revoked are also revoked.
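A small Python model of the authorization grant graph from the Granting of Privileges and Authorization Grant Graph slides, together with the cascade/restrict semantics from the two revocation slides. This is an added example, not code from the slides or from any DBMS: the users, edges and the single privilege are constructed, and every holder is assumed to have the privilege WITH GRANT OPTION so that the model stays small.

```python
from collections import defaultdict

class GrantGraph:
    """Grant graph for one privilege: an edge grantor -> grantee records a GRANT, the
    DBA is the root, and only edges on some path from the root are valid (constructed
    model of the slides' rule, not a DBMS implementation)."""
    def __init__(self, root="DBA"):
        self.root = root
        self.edges = defaultdict(set)  # grantor -> set of grantees
    def holders(self):
        # Users who currently hold the privilege: every node reachable from the root.
        seen, stack = {self.root}, [self.root]
        while stack:
            for v in self.edges[stack.pop()]:
                if v not in seen:
                    seen.add(v)
                    stack.append(v)
        return seen
    def grant(self, grantor, grantee):
        # A grantor must already hold the privilege (every holder is assumed to
        # have it WITH GRANT OPTION, to keep the model small).
        if grantor not in self.holders():
            raise PermissionError(f"{grantor} does not hold the privilege")
        self.edges[grantor].add(grantee)
    def revoke(self, grantor, grantee, cascade=True):
        """REVOKE ... [CASCADE | RESTRICT]; returns the users who lose the privilege.
        CASCADE also drops every edge whose grantor is no longer a holder, which
        dissolves cycles cut off from the root; RESTRICT fails, changing nothing,
        whenever such a cascade would be needed."""
        before = self.holders()
        self.edges[grantor].discard(grantee)
        alive = self.holders()
        dangling = [(u, v) for u, vs in self.edges.items() if u not in alive for v in vs]
        if dangling and not cascade:
            self.edges[grantor].add(grantee)  # roll back
            raise ValueError(f"restrict: would cascade through {sorted(dangling)}")
        for u, v in dangling:
            self.edges[u].discard(v)
        return sorted(before - self.holders())

def slide_examples():
    # The two slide scenarios with constructed edges: revoke from U1; the U7/U8 cycle.
    g, c = GrantGraph(), GrantGraph()
    for u, v in [("DBA", "U1"), ("DBA", "U2"), ("DBA", "U3"),
                 ("U1", "U4"), ("U1", "U5"), ("U2", "U5")]:
        g.grant(u, v)
    for u, v in [("DBA", "U7"), ("U7", "U8"), ("U8", "U7")]:
        c.grant(u, v)
    lost = g.revoke("DBA", "U1")  # U4 loses it; U5 keeps its path through U2
    return lost, c.revoke("DBA", "U7"), sorted(g.holders())
```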
Object Privileges
[Figure: GRANT syntax diagram for object privileges; recovered labels: schema., role, PUBLIC]
Grantors can revoke privileges from only those users to whom they had granted the privileges in the first place.
Revoking an object privilege may have a cascading effect that should be investigated before a REVOKE statement is issued.
Displaying Object Privileges
The object privileges that have been granted can be displayed by querying the data dictionary.
Available to DBAs
– DBA_TAB_PRIVS: all privileges on all tables in the database
Available to the user
– USER_TAB_PRIVS: privileges on tables for which the user is the owner, grantor, or grantee
Thank You!