Implementing SQL Server Row and Cell Level Security
2016-04-12 10:35
Problem
I have SQL Server databases with top secret, secret and unclassified data. How can we establish custom SQL Server data classification schemes for implementing "need to know" access to data in specific tables? Check out this tip to learn more.
Solution
With current regulations such as SOX, HIPAA, etc., protecting sensitive data is a must in the enterprise. In this tip we will see how to implement Row Level Security (RLS) and Cell Level Security (CLS) with the help of the SQL Server Label Security Toolkit, which you can download from CodePlex: http://sqlserverlst.codeplex.com/.
What is a security label in SQL Server?
A security label is a marking that describes the sensitivity of an item, in this case information. It consists of a string containing the defined security categories of the information available. Consider a table, Table1, with the following rows:

ID | Name | CreditCardNo | Classification |
---|---|---|---|
1 | Ken Sánchez | 1010101 | SECRET |
2 | Terri Duffy | 8498489 | TOP SECRET |
3 | Rob Walters | 4884556 | UNCLASSIFIED |

In order to access the information, the users need to have a clearance defined:

User | Clearance |
---|---|
Alice | TOP SECRET |
Bob | SECRET |
David | UNCLASSIFIED |

So, in this case, assuming a hierarchical security scheme, if Alice performs a SELECT * FROM Table1 she will get all three records, because she has TOP SECRET clearance, which includes the SECRET and UNCLASSIFIED clearances. If Bob performs the same query, he will get only records 1 and 3.
How does the SQL Server Label Security toolkit work?
This toolkit consists of a framework composed of:
- Metadata tables used to define the security labels.
- Helper stored procedures and functions to manipulate the labels.
- A view, vwVisibleLabels, that contains the list of all the security labels present in the database to which the currently logged-in user has access (I will expand on this below).
- A GUI to develop the security schema.
It is important to note that the approach used by this Toolkit assumes that applications using the database will connect with a specific identity for each end user. This identity can be either a Windows account or a SQL Server login, because the security labels are associated with database roles or Windows groups. On SQL Server 2012 you can use the Contained Database feature to create a user without a login.
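To make the hierarchical label check concrete, here is an added example in plain T-SQL (not the toolkit's own code) that models the tables above: a label table with ranks, a per-user clearance table, a vwVisibleLabels view built on USER_NAME(), and a vwTable1 view that applies the row label and a separate label on the CreditCardNo cell. Everything except Table1 and vwVisibleLabels, including mapping clearances to user names rather than to roles or Windows groups and the AppUsers role, is an assumption of this example.

```sql
-- Label ranks: a higher rank is more sensitive (hierarchical scheme).
CREATE TABLE dbo.SecurityLabel (
    Label nvarchar(20) NOT NULL PRIMARY KEY, LabelRank tinyint NOT NULL UNIQUE);
INSERT INTO dbo.SecurityLabel VALUES (N'UNCLASSIFIED', 0), (N'SECRET', 1), (N'TOP SECRET', 2);

-- One clearance per database user (the application connects as that user).
-- Assumption of this example: the toolkit itself ties labels to roles/groups.
CREATE TABLE dbo.UserClearance (
    UserName sysname NOT NULL PRIMARY KEY,
    Clearance nvarchar(20) NOT NULL REFERENCES dbo.SecurityLabel (Label));
INSERT INTO dbo.UserClearance VALUES (N'Alice', N'TOP SECRET'), (N'Bob', N'SECRET'), (N'David', N'UNCLASSIFIED');

-- Classification labels the whole row; CreditCardNoLabel labels one cell of it.
CREATE TABLE dbo.Table1 (
    ID int NOT NULL PRIMARY KEY,
    Name nvarchar(50) NOT NULL,
    CreditCardNo varchar(20) NOT NULL,
    Classification nvarchar(20) NOT NULL REFERENCES dbo.SecurityLabel (Label),
    CreditCardNoLabel nvarchar(20) NOT NULL REFERENCES dbo.SecurityLabel (Label));
INSERT INTO dbo.Table1 VALUES
    (1, N'Ken Sánchez', '1010101', N'SECRET',       N'TOP SECRET'),
    (2, N'Terri Duffy', '8498489', N'TOP SECRET',   N'TOP SECRET'),
    (3, N'Rob Walters', '4884556', N'UNCLASSIFIED', N'SECRET');
GO

-- Labels the current user may read: every label ranked at or below the
-- user's clearance. USER_NAME() is the database user of the caller.
CREATE VIEW dbo.vwVisibleLabels AS
SELECT l.Label
FROM dbo.SecurityLabel AS l
JOIN dbo.UserClearance AS uc ON uc.UserName = USER_NAME()
JOIN dbo.SecurityLabel AS c ON c.Label = uc.Clearance
WHERE l.LabelRank <= c.LabelRank;
GO

-- RLS: drop rows whose label is not visible to the caller.
-- CLS: return NULL for CreditCardNo when that cell's own label is not visible.
CREATE VIEW dbo.vwTable1 AS
SELECT t.ID, t.Name,
       CASE WHEN t.CreditCardNoLabel IN (SELECT Label FROM dbo.vwVisibleLabels)
            THEN t.CreditCardNo END AS CreditCardNo,
       t.Classification
FROM dbo.Table1 AS t
WHERE t.Classification IN (SELECT Label FROM dbo.vwVisibleLabels);
GO

-- Users query the view only; grant nothing on dbo.Table1 itself (role name assumed).
GRANT SELECT ON dbo.vwTable1 TO AppUsers;
```

Run under EXECUTE AS USER = N'Bob' and vwTable1 returns records 1 and 3, with record 1's CreditCardNo shown as NULL because that cell is labelled TOP SECRET; the filtering only holds if users have no direct SELECT permission on dbo.Table1.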