Problem

I have SQL Server databases with top secret, secret and unclassified data.  How can we establish custom SQL Server data classification schemes for implementing "need to know" access to data in specific tables?  Check out this tip to learn more.

Solution

With current regulations such as SOX, HIPAA, etc., protecting sensitive data is a must in the enterprise.  In this tip we will see how to implement Row Level Security (RLS) and Cell Level Security (CLS) with the help of SQL Server Label Security Toolkit which you can download from CodePlex http://sqlserverlst.codeplex.com/.

What is a security label in SQL Server?

A security label is a marking that describes the sensitivity of an item, in this case, information. It consists of a string containing defined security categories of the information available.

ID

Name

CreditCardNo

Classification
1 Ken Sánchez 1010101 SECRET
2 Terri Duffy 8498489 TOP SECRET
3 Rob Walters 4884556 UNCLASSIFIED

In order to access the information the users need to have a clearance defined.

User

Clearance
Alice TOP SECRET
Bob SECRET
David UNCLASSIFIED

So, in this case, assuming a hierarchical security scheme, if Alice performs a SELECT * FROM Table1 he will get all of the three records, because she has TOP SECRET clearance and that includes SECRET and UNCLASSIFIED clearances. And if Bob is the one who performs the previous query, he will get only the records 1 and 3.

How does the SQL Server Label Security toolkit work?

This toolkit consists of a framework composed by:

  • Metadata tables used to define the security labels.
  • Helper stored procedures and functions to manipulate the labels.
  • A view, vwVisibleLabels that contains the list of all the security labels present in the database to which the current logged user have access (I will expand this topic below).
  • A GUI to develop the security schema.

It is important to note that the approach used by this Toolkit makes the assumption that applications using the database will connect by using a specific identity for each end user. This identity could be either a Windows account or a SQL Server login. That's because the security labels are associated to database roles or Windows groups. On SQL Server 2012 you can use the Contained Database feature to create a user without a login.

Implementing SQL Server Row and Cell Level Security的更多相关文章

  1. SQL Server: Windows Firewall with Advanced Security

    SQL Database Engine: TCP 1433 & UDP 1434 SQL Analysis Service: TCP 2383 (2382 if named instance) ...

  2. Migrating Oracle on UNIX to SQL Server on Windows

    Appendices Published: April 27, 2005 On This Page Appendix A: SQL Server for Oracle Professionals Ap ...

  3. Microsoft SQL Server Version List [sqlserver 7.0-------sql server 2016]

    http://sqlserverbuilds.blogspot.jp/   What version of SQL Server do I have? This unofficial build ch ...

  4. Microsoft SQL Server Version List(SQL Server 版本)

    原帖地址 What version of SQL Server do I have? This unofficial build chart lists all of the known Servic ...

  5. sql server安装教程(2008 R2,图形界面安装/命令提示符安装即静默安装)

    转自:http://blog.51cto.com/jimshu/585023 SQL Server 2008(32/64位)下载地址: 链接:https://pan.baidu.com/s/1eR5b ...

  6. Storing and Retrieving Images from SQL Server using Microsoft .NET

    原文 Storing and Retrieving Images from SQL Server using Microsoft .NET Download source - 19.6 Kb Intr ...

  7. sql server Local Service, Local System or Network Service

    local system account local system 选项指定一个不需要密码的本地系统账号去连接同一台电脑的sql server.local system account会限制sql s ...

  8. [SQL in Azure] Provisioning a SQL Server Virtual Machine on Azure

    http://azure.microsoft.com/en-us/documentation/articles/virtual-machines-provision-sql-server/ Provi ...

  9. [SQL in Azure] Getting Started with SQL Server in Azure Virtual Machines

    This topic provides guidelines on how to sign up for SQL Server on a Azure virtual machine and how t ...

随机推荐

  1. myeclipse关闭html,jsp等页面的可视化编辑器

    myeclipse打开html,jsp等页面时,有的是默认用可视化编辑器打开的,这样打开会显得很慢,只要关闭可视化编辑器就会快很多了,方法如下: 1,选择菜单: windows -> prefe ...

  2. C++类所占内存大小计算

    C++类所占内存大小计算 说明:笔者的操作系统是32位的. class A {}; sizeof( A ) = ? sizeof( A ) = 1明明是空类,为什么编译器说它是1呢? 空类同样可以实例 ...

  3. jiulianhuan 快速幂--矩阵快速幂

    题目信息: 1471: Jiulianhuan 时间限制: 1 Sec  内存限制: 128 MB 提交: 95  解决: 22 题目描述 For each data set in the input ...

  4. 虚拟机Linux----Ubuntu1204----退格键方向键无法使用

    修改 /etc/vim/vimrc.tiny,如下: set compatible #修改为 set nocompatible #控制方向键set backspace=2 #控制退格键

  5. jdk环境搭建

    win7+jdk环境变量配置 进行java开发,首先要安装jdk,安装了jdk后还要进行环境变量配置:1.下载jdk(http://java.sun.com/javase/downloads/inde ...

  6. leetcode-Single Number III 找独数

    Single Number III Given an array of numbers nums, in which exactly two elements appear only once and ...

  7. for循环的三种写法

    第一种写法  传统的方法,遍历数组 String[] arr = { "amy", "heinrich", "cindy", "g ...

  8. ArcGis 获取地理、平面坐标系

                                         ESRI.ArcGIS.Geometry.ISpatialReference spatialReference = spati ...

  9. lvm之创建/扩容/缩容/快照及关闭的全部流程操作记录

    基本介绍Linux用户安装Linux 操作系统时遇到的一个最常见的难以决定的问题就是如何正确地给评估各分区大小,以分配合适的硬盘空间.随着 Linux的逻辑盘卷管理功能的出现,这些问题都迎刃而解, l ...

  10. Go Walk教程 - 流程控制( switch)

    Go的 switch 非常灵活,表达式不必是常量或整数,执行的过程从上至下,直到找到匹配项,不要break: var score =98 var result string switch score/ ...