Problem

I have SQL Server databases with top secret, secret and unclassified data. How can I establish custom SQL Server data classification schemes that implement "need to know" access to the data in specific tables? Check out this tip to learn more.

Solution

With current regulations such as SOX, HIPAA, etc., protecting sensitive data is a must in the enterprise. In this tip we will see how to implement Row Level Security (RLS) and Cell Level Security (CLS) with the help of the SQL Server Label Security Toolkit, which you can download from CodePlex at http://sqlserverlst.codeplex.com/.

What is a security label in SQL Server?

A security label is a marking that describes the sensitivity of an item, in this case, information. It is a string made up of the defined security categories that apply to that information. For example, consider a table whose rows are each marked with a classification:

ID   Name          CreditCardNo   Classification
1    Ken Sánchez   1010101        SECRET
2    Terri Duffy   8498489        TOP SECRET
3    Rob Walters   4884556        UNCLASSIFIED

In order to access the information, each user needs to have a clearance defined.

User    Clearance
Alice   TOP SECRET
Bob     SECRET
David   UNCLASSIFIED

So, in this case, assuming a hierarchical security scheme, if Alice runs SELECT * FROM Table1 she will get all three records, because her TOP SECRET clearance includes the SECRET and UNCLASSIFIED levels. If Bob runs the same query, he will get only records 1 and 3.

How does the SQL Server Label Security toolkit work?

The toolkit is a framework composed of:

  • Metadata tables used to define the security labels.
  • Helper stored procedures and functions to manipulate the labels.
  • A view, vwVisibleLabels, that lists every security label present in the database to which the currently logged-in user has access (I will expand on this below).
  • A GUI to develop the security schema.

It is important to note that the approach used by this Toolkit assumes that applications using the database connect with a specific identity for each end user. This identity can be either a Windows account or a SQL Server login. That is because the security labels are associated with database roles or Windows groups. On SQL Server 2012 you can use the Contained Database feature to create a user without a login.
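The following T-SQL is an added example, not part of the original tip and not the toolkit's own schema or procedures. It builds the hierarchical scheme from the two tables above (clearance rank at or above the row's label means the row is visible) and shows a simplified stand-in for the toolkit's vwVisibleLabels view plus the row-filtered and cell-masked views an application would query. All object names (dbo.SecurityLevel, dbo.UserClearance, dbo.vwVisibleLabels_Demo, dbo.vwTable1_Filtered, dbo.vwTable1_Masked) and the loginless database users Alice, Bob and David are assumptions made for this example.

```sql
-- Added example (hypothetical names; not the Label Security Toolkit's schema).
-- Label hierarchy: a higher rank means a more sensitive label.
CREATE TABLE dbo.SecurityLevel (
    LabelName NVARCHAR(32) NOT NULL PRIMARY KEY,
    LabelRank TINYINT      NOT NULL UNIQUE
);
INSERT INTO dbo.SecurityLevel (LabelName, LabelRank) VALUES
    (N'UNCLASSIFIED', 0),
    (N'SECRET',       1),
    (N'TOP SECRET',   2);

-- Data table from the tip; each row carries its own classification label.
CREATE TABLE dbo.Table1 (
    ID             INT          NOT NULL PRIMARY KEY,
    Name           NVARCHAR(64) NOT NULL,
    CreditCardNo   VARCHAR(20)  NOT NULL,
    Classification NVARCHAR(32) NOT NULL REFERENCES dbo.SecurityLevel (LabelName)
);
INSERT INTO dbo.Table1 (ID, Name, CreditCardNo, Classification) VALUES
    (1, N'Ken Sánchez', '1010101', N'SECRET'),
    (2, N'Terri Duffy', '8498489', N'TOP SECRET'),
    (3, N'Rob Walters', '4884556', N'UNCLASSIFIED');

-- Clearances keyed by database user name: this relies on the toolkit's
-- assumption that every end user connects under their own identity.
CREATE TABLE dbo.UserClearance (
    UserName  SYSNAME      NOT NULL PRIMARY KEY,
    Clearance NVARCHAR(32) NOT NULL REFERENCES dbo.SecurityLevel (LabelName)
);
INSERT INTO dbo.UserClearance (UserName, Clearance) VALUES
    (N'Alice', N'TOP SECRET'),
    (N'Bob',   N'SECRET'),
    (N'David', N'UNCLASSIFIED');

-- Loginless users are enough to test the scheme with EXECUTE AS (constructed).
CREATE USER Alice WITHOUT LOGIN;
CREATE USER Bob   WITHOUT LOGIN;
CREATE USER David WITHOUT LOGIN;
GO

-- Stand-in for vwVisibleLabels: every label whose rank is at or below the
-- rank of the caller's clearance. A caller with no clearance row matches
-- nothing and therefore sees no labels (fail closed).
CREATE VIEW dbo.vwVisibleLabels_Demo
AS
SELECT sl.LabelName
FROM   dbo.SecurityLevel AS sl
JOIN   dbo.UserClearance AS uc ON uc.UserName  = USER_NAME()
JOIN   dbo.SecurityLevel AS cl ON cl.LabelName = uc.Clearance
WHERE  sl.LabelRank <= cl.LabelRank;
GO

-- Row Level Security: applications query this view, never the base table.
CREATE VIEW dbo.vwTable1_Filtered
AS
SELECT t.ID, t.Name, t.CreditCardNo, t.Classification
FROM   dbo.Table1 AS t
WHERE  t.Classification IN (SELECT LabelName FROM dbo.vwVisibleLabels_Demo);
GO

-- Cell Level Security: every row is returned, but the sensitive column is
-- masked when the row's label is above the caller's clearance. (For brevity
-- the row label doubles as the column label here.)
CREATE VIEW dbo.vwTable1_Masked
AS
SELECT t.ID, t.Name,
       CASE WHEN t.Classification IN (SELECT LabelName FROM dbo.vwVisibleLabels_Demo)
            THEN t.CreditCardNo ELSE 'REDACTED' END AS CreditCardNo,
       t.Classification
FROM   dbo.Table1 AS t;
GO

-- Users get the views only. Because view and table share the dbo owner,
-- ownership chaining lets the view read the table even though direct
-- SELECT on the table is denied, so the filter cannot be bypassed.
GRANT SELECT ON dbo.vwTable1_Filtered TO Alice, Bob, David;
GRANT SELECT ON dbo.vwTable1_Masked   TO Alice, Bob, David;
DENY  SELECT ON dbo.Table1            TO Alice, Bob, David;
GO

-- Expected: Alice sees rows 1, 2, 3; Bob sees rows 1 and 3; David sees row 3.
EXECUTE AS USER = N'Bob';
SELECT * FROM dbo.vwTable1_Filtered;   -- rows 1 and 3
SELECT * FROM dbo.vwTable1_Masked;     -- all rows, row 2 card number REDACTED
REVERT;
```

Run the script in a scratch database; USER_NAME() inside the view resolves to the impersonated user during EXECUTE AS, so the three SELECTs above can be repeated for Alice and David to confirm the hierarchy. The DENY on the base table is what turns the view from a convenience into a control: without it, anyone who can reach the table directly sees every label.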
