Multiple accounts for privilege separation

As of Niagara 4.15, this security feature allows you to configure a Niagara RDBMS device to utilize multiple accounts, enabling privilege separation. Specifically, one account is designated for Data Definition Language (DDL) operations, while another is set for Data Manipulation Language (DML) operations. This setup enhances security by minimizing the attack surface that could be exploited by potential threats, such as SQL injection vulnerabilities. By strictly limiting permissions granted to the data manipulation account, the risks associated with unauthorized actions are reduced.

When to perform this configuration

You should perform this configuration when setting up a Niagara RDBMS device to enhance security by separating the roles of different accounts. This is particularly important if your application involves sensitive data or if it interacts with external users or systems that could pose security risks.

Security requirements

Ensure the following:

  • The required accounts with appropriate privileges are created within the database system.

  • Follow security protocols regarding updates, authentication, and access control to avoid vulnerabilities associated with improper settings.

The Niagara Security Service Dashboard presents a warning if the Non-Privileged Connection Pool is disabled for the SqlServerDatabase or MySQLDatabase. The following recommendations are given:

  • Confirm and enable the Non-Privileged Connection Pool for suitable RDBMS database instances.
  • Security Principle: Enabling this pool enhances security by adhering to the principle of least privilege.
  • Separation of duties: When the Non-Privileged Connection Pool is enabled, the designated user account will handle DML (Data Manipulation Language) operations, while a separate Privileged User account will manage DDL (Data Definition Language) operations.
  • Risk of disabling: If the Non-Privileged Connection Pool remains disabled, all operations including both DML and DDL will be conducted using the Privileged User account, which could increase security risks.

Best practices

To maximize security when using the Niagara RDBMS drivers, use multiple database accounts:

  • Privileged accounts: These have permission to modify the schema (for example, create, alter, and drop tables, sequences, and indexes).

  • Non-privileged accounts: These are limited to data manipulation operations (for example, reading, inserting, deleting, and updating data).

By default, the non-privileged account is disabled and must be explicitly configured and enabled before use. When updating from versions of Niagara that did not support multiple accounts, existing configurations will remain functional with the original account treated as privileged.
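The following is an added example of what the two-account layout described above looks like at the database level; it is not taken from the Niagara documentation or the driver itself. The schema name (niagara_history), account names (niagara_ddl, niagara_dml) and passwords are placeholders, and the exact privilege set the driver needs on a given table is not stated on this page, so adjust the grants to your deployment. The privileged account is given both schema and data rights, since with the Non-Privileged Connection Pool disabled it carries every operation; the non-privileged account gets data manipulation only.

```sql
-- MySQL: one schema, two accounts (all names and passwords are placeholders).
CREATE DATABASE IF NOT EXISTS niagara_history;

-- Privileged (DDL) account: may change the schema; used only by the privileged pool.
CREATE USER 'niagara_ddl'@'%' IDENTIFIED BY '<replace-with-strong-password>';
GRANT CREATE, ALTER, DROP, INDEX, REFERENCES,
      SELECT, INSERT, UPDATE, DELETE
  ON niagara_history.* TO 'niagara_ddl'@'%';

-- Non-privileged (DML) account: data manipulation only, no CREATE/ALTER/DROP.
CREATE USER 'niagara_dml'@'%' IDENTIFIED BY '<replace-with-strong-password>';
GRANT SELECT, INSERT, UPDATE, DELETE
  ON niagara_history.* TO 'niagara_dml'@'%';

FLUSH PRIVILEGES;

-- Check: the DML account must show no schema-changing privileges.
SHOW GRANTS FOR 'niagara_dml'@'%';


-- Microsoft SQL Server equivalent (same placeholder names).
CREATE DATABASE niagara_history;
USE niagara_history;

-- Privileged (DDL) account: schema changes plus read/write on all tables.
CREATE LOGIN niagara_ddl WITH PASSWORD = '<replace-with-strong-password>';
CREATE USER niagara_ddl FOR LOGIN niagara_ddl;
ALTER ROLE db_ddladmin  ADD MEMBER niagara_ddl;  -- CREATE/ALTER/DROP objects
ALTER ROLE db_datareader ADD MEMBER niagara_ddl;
ALTER ROLE db_datawriter ADD MEMBER niagara_ddl;

-- Non-privileged (DML) account: read/write rows only.
CREATE LOGIN niagara_dml WITH PASSWORD = '<replace-with-strong-password>';
CREATE USER niagara_dml FOR LOGIN niagara_dml;
ALTER ROLE db_datareader ADD MEMBER niagara_dml;  -- SELECT on all tables
ALTER ROLE db_datawriter ADD MEMBER niagara_dml;  -- INSERT/UPDATE/DELETE

-- Check: impersonate the DML user and list its effective database-level
-- permissions; CREATE TABLE / ALTER must not appear in the result.
EXECUTE AS USER = 'niagara_dml';
SELECT permission_name FROM fn_my_permissions(NULL, 'DATABASE');
REVERT;
```

Run the two halves against the respective server, then enter the niagara_dml credentials in the Non-Privileged Connection Pool and the niagara_ddl credentials as the Privileged User. The two check statements at the end of each half are the quickest way to confirm that a SQL injection reaching the DML pool could at most read or modify rows, never create, alter or drop objects.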