How to manage the authority of database account?
2020-11-06 21:19:00 【Jack088】
How to achieve fine-grained management of database account permissions?
@ Li Qianhong
Assign permissions according to employees' responsibilities. You can draw up a table for yourself of what permissions each department of the company needs and what permissions each person needs. (Generally speaking, give out some general accounts.) Do not give them to people who don't need them. If a particular leader or employee needs a certain permission, they need to apply to the management department, stating what it is, what it is for, when it will be used and when it will no longer be used. Remember to take it back on time.
@ Wen guobing
What is refinement? It must mean full control of permissions. Let me share my experience.
First, distinguish accounts by type, using a prefix. In a simple classification, accounts are divided into business accounts and real-name accounts. Subdividing further, business accounts are divided into website applications, mobile phone applications, report applications, service applications and query services; real-name accounts can be traced to specific employees.
Web application (web_ + business abbreviation)
Mobile phone application (mob_ + business abbreviation)
Report application (rep_ + business abbreviation)
Service application (dae_ + business abbreviation)
Query service (sea_ + business abbreviation)
Real-name query (dev_ + name in pinyin)
Second, business account permissions go up to SELECT, UPDATE, DELETE and INSERT; query service and real-name query accounts can only have query permission. Each user has only one password. When you authorize, you need to know whether the user exists: if it does, use the old password to authorize; if it does not, generate a random password for the authorization.
Third, real-name permissions can only be used for queries through a bastion host or jump host; the bastion host keeps logs of user logins and executed SQL.
Fourth, online IDC databases only allow connections from online web machines; testers are not allowed to connect.
Fifth, employees need to submit a work order to apply for permissions, and authorization can only be performed by the DBA. The DBA needs to do a good job of permission control. The person in charge of the relevant business can apply for higher permissions, but the request needs to be copied by email to higher-level leaders for approval.
Sixth, the DBA has a complete metabase that records all user-related information. This database has the highest level of importance, so its security must be well controlled.
Seventh, user passwords need to be complex enough, and there should be a complete set of random password generation rules.
Eighth, when the business side reports that a business account is abnormal, there needs to be a process to quickly change accounts.
Ninth, temporary high-privilege accounts applied for by employees need to be recorded, need a password expiration time set, and need a reclamation process.
Tenth, the MySQL root password is held only by the DBA, and it is not allowed to save this password in any cloud notes or cloud storage; it can only be saved locally. In addition, change the MySQL root password regularly.
Eleventh, when entering MySQL through a terminal, it is not allowed to display the password in clear text.
Twelfth, it is recommended that user authorization be completed on a web page, with security controls in place. That is to say, a DB operation and maintenance management platform, which needs to be implemented in code.
Thirteenth, do a good job of data backup. The fastest way to recover data is through data manipulation.
Fourteenth, if possible, bring a MySQL audit program online with new business. Auditing can be achieved through the init-connect parameter + access_log + binlog.
That is all.
@ Han Chengliang
The two answers above are already very detailed. As for refinement, the main point is that each permission is assigned carefully, with no repetition. Second, the definition of permissions is clear: what permission should be given for what, with no fuzzy permissions. Finally, there is the record of permissions: a whole set of rules and procedures starting from the permission and covering approval, granting, taking back, deletion and so on. The most important thing is a refined way of thinking: know what you know.
@mountainsun
In terms of specific databases, with DB2 it is more difficult to achieve very fine-grained account management, because all DB2 users are operating system users, and in an actual production system it is generally impossible for us to create many users on the system. Oracle and MySQL use the database's own users, so it is possible to allocate appropriate database operation permissions according to permissions.
Copyright notice
This article was written by [Jack088]. Please include a link to the original when reposting. Thank you.