Query rewrite

Query rewrite provides fine-grained access control for databases by intercepting queries before they reach the database server and rewriting them according to criteria defined in security policies.

The modification happens transparently and on the fly: the user issues a query as usual and receives results produced by the rewritten SQL statement, with no indication from the client side that the statement was changed.

Query rewrite is implemented through a combination of two parts. Query rewrite definitions specify how a query is to be changed or augmented. A run-time context specifies the circumstances under which a given definition is applied.

Rewriting queries on the fly lets administrators implement several types of access control, as the following examples illustrate.

Table 1. Examples of access control with query rewrite.

Access control                                                                    | Original SQL         | Rewritten SQL
----------------------------------------------------------------------------------|----------------------|-------------------------------
Limiting access to rows by adding a WHERE clause                                  | SELECT C from T      | SELECT C from T WHERE [values]
Limiting access to columns by modifying the SELECT list                           | SELECT C1 from T     | SELECT C2 from T
                                                                                  | SELECT C1,C2 from T  | SELECT C2 from T
Restricting database activities by rewriting SQL statements to do nothing         | SELECT EMAIL from T  | SELECT++ EMAIL from T
Restricting what users can do by modifying query verbs (SELECT, INSERT, UPDATE, etc.) | DROP TABLE T     | UPDATE T SET [values]
Restricting what users can do by modifying query objects (TABLE, VIEW, COLUMN, etc.)  | SELECT C from T1 | SELECT C from T2

In the "do nothing" example the rewritten statement (SELECT++ EMAIL from T) is deliberately not valid SQL, so the database server rejects it and no data is returned; the client sees an error rather than a result set.
The ability to rewrite database queries seamlessly is a powerful and flexible form of access control that lets an organization address a wide range of security concerns quickly. For example, query rewrite definitions can be developed to:
  • Enforce security in multi-tenancy scenarios, where multiple users and applications share a single database but not every user or application should have access to all of its data.
  • Expose a database for testing purposes without exposing the entire database.
  • Correct critical security vulnerabilities rapidly while a permanent fix is developed at the database or application level.
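The following Python program is an added example, not Guardium code and not the syntax of a Guardium query rewrite definition. It is a toy interposing engine that models the two parts described above, rewrite definitions and a run-time context, and applies the row, column and verb rewrites from Table 1, including the multi-tenancy case in the list above. The table names, users, tenants, address range and sample rows are constructed for the example. Note that every value the engine substitutes into a rewritten statement comes from a trusted lookup table on the engine side, never from the client's own SQL, so the rewrite itself cannot become an injection point.

```python
"""Toy query-rewrite engine: rewrite definitions plus a run-time context.

Constructed example: the definitions, contexts, tables and rows below are
assumptions made for illustration, not Guardium's own configuration.
"""
import re
import sqlite3
from dataclasses import dataclass
from typing import Callable, Iterable, List


@dataclass(frozen=True)
class Context:
    """Run-time facts a definition can match on (all values are assumed)."""
    db_user: str
    client_ip: str
    app_name: str


@dataclass(frozen=True)
class RewriteDefinition:
    name: str
    applies_to: Callable[[Context], bool]         # context condition
    pattern: str                                  # regex over the statement
    rewrite: Callable[[re.Match, Context], str]   # builds the new statement


# Trusted lookups (assumed). Values injected into rewritten SQL come only
# from here, never from the client's statement, so no injection is reopened.
TENANT_OF = {"alice": "acme", "bob": "globex"}
HR_USERS = {"carol"}
ADMIN_NET = "10.0.0."                             # assumed admin subnet prefix
PUBLIC_EMPLOYEE_COLS = ["name", "dept"]
NOOP = "SELECT 'blocked' WHERE 0"                 # valid SQL that returns nothing


def tenant_filter(m: re.Match, ctx: Context) -> str:
    """Row restriction: add (or AND onto) a WHERE clause for the user's tenant."""
    where = f"tenant = '{TENANT_OF[ctx.db_user]}'"
    if m.group("where"):
        where += f" AND ({m.group('where')})"
    return f"SELECT {m.group('cols')} FROM orders WHERE {where}"


def column_filter(m: re.Match, ctx: Context) -> str:
    """Column restriction: keep only public columns; '*' becomes that list."""
    requested = [c.strip() for c in m.group("cols").split(",")]
    if requested == ["*"]:
        requested = PUBLIC_EMPLOYEE_COLS
    allowed = [c for c in requested if c.lower() in PUBLIC_EMPLOYEE_COLS]
    if not allowed:
        return NOOP                               # nothing permitted: do nothing
    return f"SELECT {', '.join(allowed)} FROM employees"


DEFINITIONS: List[RewriteDefinition] = [
    RewriteDefinition(
        "tenant isolation for the shared portal application",
        lambda c: c.app_name == "portal" and c.db_user in TENANT_OF,
        r"SELECT\s+(?P<cols>.+?)\s+FROM\s+orders(?:\s+WHERE\s+(?P<where>.+))?",
        tenant_filter),
    RewriteDefinition(
        "hide sensitive employee columns from non-HR users",
        lambda c: c.db_user not in HR_USERS,
        r"SELECT\s+(?P<cols>.+?)\s+FROM\s+employees",
        column_filter),
    RewriteDefinition(
        "neutralise destructive DDL issued from outside the admin network",
        lambda c: not c.client_ip.startswith(ADMIN_NET),
        r"(?:DROP|TRUNCATE|ALTER)\s+TABLE\s+\w+.*",
        lambda m, c: NOOP),
]


def rewrite_query(sql: str, ctx: Context,
                  definitions: Iterable[RewriteDefinition] = DEFINITIONS) -> str:
    """Return the statement to execute: first applicable rewrite, else the original."""
    stmt = sql.strip().rstrip(";")
    for d in definitions:
        if not d.applies_to(ctx):
            continue                              # context does not match
        m = re.fullmatch(d.pattern, stmt, flags=re.IGNORECASE | re.DOTALL)
        if m:
            return d.rewrite(m, ctx)
    return stmt


def sample_db() -> sqlite3.Connection:
    """Constructed data so the rewrites can be executed, not just printed."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE orders(id INTEGER, tenant TEXT, amount INTEGER);
        INSERT INTO orders VALUES (1,'acme',5),(2,'acme',50),(3,'globex',20);
        CREATE TABLE employees(name TEXT, dept TEXT, email TEXT, salary INTEGER);
        INSERT INTO employees VALUES ('dave','eng','dave@example.test',100);
    """)
    return db


def run(db: sqlite3.Connection, sql: str, ctx: Context) -> list:
    """Rewrite, then execute, as an interposing agent would."""
    return db.execute(rewrite_query(sql, ctx)).fetchall()


if __name__ == "__main__":
    db = sample_db()
    alice = Context("alice", "192.0.2.10", "portal")
    print(run(db, "SELECT id, amount FROM orders", alice))   # acme rows only
    print(run(db, "SELECT * FROM employees", alice))         # name and dept only
    print(run(db, "DROP TABLE orders", alice))               # nothing; table survives
```

The engine applies the first definition whose context predicate and statement pattern both match, which is why the order of the definitions matters. The DDL rule rewrites to a valid statement that returns no rows, so the client sees an empty result; Table 1 instead shows the other option of rewriting to an invalid statement so the client sees an error. Real deployments parse SQL rather than matching it with regular expressions, but the structure of definition plus context is the same.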

Review the following sections to learn more about how query rewrite works and how to configure it for use within your Guardium® environment.

Note: If the S-TAP is configured with firewall_default_state=1, the default state for query rewrite, qrw_default_state=1, cannot be set at the same time.