Muhammad Zahran

Application Developer

Software Developer

Data Scientist

Project Manager

Muhammad Zahran

Application Developer

Software Developer

Data Scientist

Project Manager

Download CV Contact Me
Blog Post

Security and Access Control in Modern Databases

January 28, 2024 Code, Design by Muhammad Zahran
Security and Access Control in Modern Databases

Introduction

In today’s digital world, database security is more critical than ever. Applications store sensitive user data, payment information, and business intelligence, making them prime targets for attacks. Implementing robust access control, encryption, and security policies ensures data privacy, integrity, and compliance.

1. Authentication and Role Management

  • Modern databases like Supabase (PostgreSQL) provide built-in authentication.
  • Roles and permissions control who can access tables, views, or execute functions.
  • Example roles:
    • admin: full access
    • app_user: restricted access to their own data
  • Granting access:
GRANT SELECT, INSERT ON userInfo TO app_user;
GRANT EXECUTE ON FUNCTION prevent_multiple_active_carts(uuid) TO app_user;
  • This ensures users can perform allowed actions without accessing sensitive areas.

2. Row-Level Security (RLS)

  • RLS restricts access to specific rows in a table based on conditions.
  • Example: Users can only see their own orders or carts.
CREATE POLICY user_cart_policy
ON cartInfo
FOR SELECT
USING (user_id = auth.uid());
  • When combined with Supabase authentication, this enforces per-user access automatically.

3. Data Encryption

  • Sensitive data, such as passwords, credit cards, or personal info, should always be encrypted.
  • Use functions or vault tables for encryption and decryption.
-- Example: Using pgcrypto
INSERT INTO secrets (user_id, secret_value)
VALUES (auth.uid(), pgp_sym_encrypt('sensitive_data', 'encryption_key'));
  • This ensures that even if the database is compromised, sensitive data remains secure.

4. Secure Functions and Views

  • Encapsulate logic in functions to prevent direct table modifications.
  • Limit views to expose only the necessary columns to users.
  • Example: public_product_view shows product name and price without revealing supplier info.

5. Monitoring and Auditing

  • Track database activity using audit logs or extensions.
  • Supabase provides audit_log_entries table to monitor login attempts, queries, and actions.
  • Alerts can be set for suspicious behavior, such as failed logins or unusual data access.

6. Best Practices

  • Implement least privilege access: give users only the permissions they need.
  • Use row-level security for user-specific data.
  • Encrypt sensitive data at rest and in transit.
  • Regularly audit roles, permissions, and access patterns.
  • Keep database and extensions updated to patch vulnerabilities.

Conclusion

Database security and access control are essential for protecting sensitive data and maintaining trust. By combining authentication, role management, row-level security, encryption, and monitoring, developers can build secure, scalable, and compliant applications. In e-commerce and AI-powered apps, these practices prevent unauthorized access, safeguard personal information, and ensure reliable operation.

Tags: