New Security Features In SQL SERVER 2016 – PART 1

Data Security in any application is vital. Different business or application has their own security policy. SQL Server 2016 provides three new security features which helps to protect data.

Below there are new security features added in SQL Server 2016.

  • Row-Level Security (RLS)
  • Dynamic Data Masking (DDM)
  • Always Encrypted

In this part of blog, we will see use case and implementation of Row-Level Security feature.

row level security

Predicate based access control is possible using . We can control access to rows in a table based on user characteristics. For example, a manager can only access employee data who are reporting to him.

It supports two types of security predicate.

  • Filter predicates: it is transparent to user. It is applied for all read operation like SELECT, DELETE, UPDATE
  • Block Predicates: Explicitly block write operation if it violates the predicate. It affects all write operations like AFTER INSERT, AFTER UPDATE, BEFORE UPDATE and BEFORE DELETE.

We can implement RLS using Security policy and inline table valued function. Let’s put things into action and impalement RLS where a manager can only see employee data whoever reporting to him.

First create 3 users where 2 are having manager role and one having Senior manager role.Manager can only see data for its employee and Senior manager see all employee’s data.

--Create users
CREATE USER SeniorManager WITHOUT LOGIN;  
CREATE USER Manager1 WITHOUT LOGIN;  
CREATE USER Manager2 WITHOUT LOGIN;  

--Create a table and inserts some records
CREATE TABLE Employees  
    (  
    Empid int,  
    EmpName varchar(10),  
    ManagerName sysname,  
    );

INSERT Employees VALUES   
(700, 'Emp_A', 'Manager1'),   
(701, 'Emp_B', 'Manager1'),   
(702, 'Emp_C', 'Manager2'),  
(703, 'Emp_D', 'Manager1'),   
(704, 'Emp_E', 'Manager2'),   
(705, 'Emp_F', 'Manager2'),
(706, 'Emp_G', 'Manager2'),   
(707, 'Emp_H', 'Manager1'),   
(708, 'Emp_I', 'Manager2'),  
(709, 'Emp_J', 'Manager1'),   
(710, 'Emp_K', 'Manager2'),   
(711, 'Emp_M', 'Manager2');
GO
--Grant all 3 users to read data from Employees table

GRANT SELECT ON Employees TO SeniorManager;  
GRANT SELECT ON Employees TO Manager1;  
GRANT SELECT ON Employees TO Manager2;

GO
--It is recommended to create a separate schema for the predicate function and security policy
 CREATE SCHEMA RLS;  
 GO  

--Create predicate function with schema binding. If function is not schema binding and your query is join with other table or calling any function, then the user will need select or execute permission on these additional tables and functions.
CREATE FUNCTION RLS.EmployeeSecurityFilter(@ManagerName AS sysname)  
 RETURNS TABLE  
WITH SCHEMABINDING  
AS  
    RETURN SELECT 1 AS EmployeeSecurityFilter_result   
WHERE @ManagerName = USER_NAME() OR USER_NAME() = 'SeniorManager';

--Create a security policy using the predicate function 

CREATE SECURITY POLICY EmployeeCheck
ADD FILTER PREDICATE RLS.EmployeeSecurityFilter(ManagerName)   
ON dbo.Employees  
WITH (STATE = ON);

-- run below query
EXECUTE AS USER = 'Manager1';  
SELECT * FROM Employees;   
REVERT;  


manager 1

   

When we run the query against Employees as user Manager1, though we execute the query without any filter, SQL server finds there is security policy EmployeeCheck defined on table Employees so it applies the predicate filter check and will show only those employee rows who are reporting to manager1. Manager1 will not realize any filter is applied and can only see data applicable.

Now run the same query as user Manager2. When you execute the same query by user Manager2, it applies the filter predicate value as Manager2.

EXECUTE AS USER = 'Manager2';  
SELECT * FROM Employees;   
REVERT;  

 

 

manager2

If you see the filter predicate function checks if the user is SeniorManager it will return 1 for all rows resulting showing all rows when SeniorManager reads employees table.

EXECUTE AS USER = 'SeniorManager';  
SELECT * FROM Employees;   
REVERT;

senior manager

 

We can disable the security policy on Empolyees table using below query.

ALTER SECURITY POLICY EmployeeCheck WITH (STATE = OFF);

Once you set the state of Security policy to off and user manager1 or manager2 run the same query, it will not apply the filter. User can see all rows.

However, only 8 are recognised by WHO as innovative https://antibioticspro.com which can improve the effectiveness of antimicrobial therapy.

 

   

About Sandip Pani

Sandip Pani is a Database/BI developer and speaker and is located in Bangalore, India. He has been working with SQL Server over 11 years. He is MCITP for SQL Server 2008 and specializes in SQL Server for application developers and performance and query tuning. His specialization is into Query Tuning and performance troubleshooting. He is working as Senior Technical Specilist for NextGen Healthcare. He is active in SQL community world. He share and enhance his knowledge of SQL Server by spending time at newsgroups and forums, reading and writing blogs, and attending and speaking at conferences.

View all posts by Sandip Pani →

Leave a Reply

Your email address will not be published.