Problem

I have SQL Server databases holding top secret, secret and unclassified data. How can we establish custom SQL Server data classification schemes to implement "need to know" access to the data in specific tables? Check out this tip to learn more.

Solution

With current regulations such as SOX, HIPAA, etc., protecting sensitive data is a must in the enterprise. In this tip we will see how to implement Row Level Security (RLS) and Cell Level Security (CLS) with the help of the SQL Server Label Security Toolkit, which you can download from CodePlex: http://sqlserverlst.codeplex.com/.

What is a security label in SQL Server?

A security label is a marking that describes the sensitivity of an item, in this case a piece of information. It consists of a string naming the defined security categories that apply to that information. For example, the rows of Table1 below each carry a classification:

ID  Name         CreditCardNo  Classification
1   Ken Sánchez  1010101       SECRET
2   Terri Duffy  8498489       TOP SECRET
3   Rob Walters  4884556       UNCLASSIFIED

In order to access the information, each user needs to have a clearance defined.

User   Clearance
Alice  TOP SECRET
Bob    SECRET
David  UNCLASSIFIED

So, in this case, assuming a hierarchical security scheme, if Alice runs SELECT * FROM Table1 she will get all three records, because her TOP SECRET clearance includes the SECRET and UNCLASSIFIED levels. If Bob runs the same query, he will get only records 1 and 3, because his SECRET clearance does not cover the TOP SECRET row.

How does the SQL Server Label Security toolkit work?

This toolkit consists of a framework composed of:

  • Metadata tables used to define the security labels.
  • Helper stored procedures and functions to manipulate the labels.
  • A view, vwVisibleLabels, that lists all the security labels present in the database to which the currently logged-in user has access (I will expand on this topic below).
  • A GUI to develop the security schema.

It is important to note that the approach used by this Toolkit assumes that applications using the database connect with a specific identity for each end user. This identity can be either a Windows account or a SQL Server login, because the security labels are associated with database roles or Windows groups. On SQL Server 2012 you can use the Contained Database feature to create a user without a login.
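To make the hierarchical scheme from the Table1 example concrete, here is an added T-SQL example that is not part of the Label Security Toolkit and not the toolkit's code. It builds the same label metadata, clearance and data tables by hand and filters through views keyed on USER_NAME(); the toolkit instead ties labels to database roles or Windows groups, so treat the table names (SecurityLevel, UserClearance), the Rank column and the vwTable1/vwTable1Cells views as assumptions for illustration only. The three users are created WITHOUT LOGIN so the script runs in a single test database.

```sql
-- Added example (not the toolkit's own schema): one label per row,
-- hierarchical comparison by numeric rank. All object names are assumptions.
CREATE TABLE dbo.SecurityLevel (
    Level varchar(20) NOT NULL PRIMARY KEY,   -- label text as shown in the tip
    Rank  int         NOT NULL UNIQUE         -- higher rank = more sensitive
);
INSERT INTO dbo.SecurityLevel (Level, Rank) VALUES
    ('UNCLASSIFIED', 0), ('SECRET', 1), ('TOP SECRET', 2);

-- Clearance held by each database user (sample rows taken from the tip)
CREATE TABLE dbo.UserClearance (
    UserName sysname     NOT NULL PRIMARY KEY,
    Level    varchar(20) NOT NULL REFERENCES dbo.SecurityLevel(Level)
);
INSERT INTO dbo.UserClearance (UserName, Level) VALUES
    ('Alice', 'TOP SECRET'), ('Bob', 'SECRET'), ('David', 'UNCLASSIFIED');

-- Labelled data table from the tip (constructed sample rows)
CREATE TABLE dbo.Table1 (
    ID             int          NOT NULL PRIMARY KEY,
    Name           nvarchar(50) NOT NULL,
    CreditCardNo   varchar(20)  NOT NULL,
    Classification varchar(20)  NOT NULL REFERENCES dbo.SecurityLevel(Level)
);
INSERT INTO dbo.Table1 (ID, Name, CreditCardNo, Classification) VALUES
    (1, N'Ken Sánchez', '1010101', 'SECRET'),
    (2, N'Terri Duffy', '8498489', 'TOP SECRET'),
    (3, N'Rob Walters', '4884556', 'UNCLASSIFIED');

-- Database users without logins, so each query carries a per-user identity
CREATE USER Alice WITHOUT LOGIN;
CREATE USER Bob   WITHOUT LOGIN;
CREATE USER David WITHOUT LOGIN;
GO

-- Row Level Security: a row is visible only when its classification rank
-- does not exceed the rank of the caller's clearance. USER_NAME() is the
-- current database user, so the filter follows the connection identity.
CREATE VIEW dbo.vwTable1 AS
SELECT t.ID, t.Name, t.CreditCardNo, t.Classification
FROM dbo.Table1 AS t
JOIN dbo.SecurityLevel AS rowLevel  ON rowLevel.Level  = t.Classification
JOIN dbo.UserClearance AS uc        ON uc.UserName     = USER_NAME()
JOIN dbo.SecurityLevel AS userLevel ON userLevel.Level = uc.Level
WHERE rowLevel.Rank <= userLevel.Rank;
GO

-- Cell Level Security: every row is returned, but the sensitive column is
-- replaced by NULL when the caller's clearance is below the row's label.
CREATE VIEW dbo.vwTable1Cells AS
SELECT t.ID, t.Name,
       CASE WHEN rowLevel.Rank <= userLevel.Rank
            THEN t.CreditCardNo ELSE NULL END AS CreditCardNo,
       t.Classification
FROM dbo.Table1 AS t
JOIN dbo.SecurityLevel AS rowLevel  ON rowLevel.Level  = t.Classification
JOIN dbo.UserClearance AS uc        ON uc.UserName     = USER_NAME()
JOIN dbo.SecurityLevel AS userLevel ON userLevel.Level = uc.Level;
GO

-- Users get the views only; the base table stays reachable through
-- ownership chaining from the views, never directly.
GRANT SELECT ON dbo.vwTable1      TO Alice, Bob, David;
GRANT SELECT ON dbo.vwTable1Cells TO Alice, Bob, David;
GO

-- Check the behaviour described in the tip by impersonating each user.
EXECUTE AS USER = 'Alice';
SELECT * FROM dbo.vwTable1;        -- all three rows
REVERT;

EXECUTE AS USER = 'Bob';
SELECT * FROM dbo.vwTable1;        -- rows 1 and 3 only
SELECT * FROM dbo.vwTable1Cells;   -- three rows, CreditCardNo NULL on row 2
REVERT;
```

The essential control is that the view, not the application, decides what the caller may see: even a user who runs SELECT * against the view cannot widen the filter, and a user without a row in UserClearance sees nothing at all because the inner join on USER_NAME() fails. A cross-check worth keeping in a deployment script is a query that lists every database user with SELECT on dbo.Table1 itself, which should return only the owner.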
