惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Engineering at Meta
Engineering at Meta
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
人人都是产品经理
人人都是产品经理
Project Zero
Project Zero
T
Tailwind CSS Blog
Jina AI
Jina AI
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
小众软件
小众软件
L
LINUX DO - 热门话题
Spread Privacy
Spread Privacy
大猫的无限游戏
大猫的无限游戏
Google DeepMind News
Google DeepMind News
The Hacker News
The Hacker News
C
Cisco Blogs
T
The Exploit Database - CXSecurity.com
C
CXSECURITY Database RSS Feed - CXSecurity.com
Scott Helme
Scott Helme
Security Archives - TechRepublic
Security Archives - TechRepublic
H
Heimdal Security Blog
博客园 - 【当耐特】
W
WeLiveSecurity
J
Java Code Geeks
Latest news
Latest news
酷 壳 – CoolShell
酷 壳 – CoolShell
T
Troy Hunt's Blog
博客园 - Franky
月光博客
月光博客
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
PCI Perspectives
PCI Perspectives
博客园_首页
C
CERT Recently Published Vulnerability Notes
P
Proofpoint News Feed
P
Palo Alto Networks Blog
I
InfoQ
Security Latest
Security Latest
Hacker News: Ask HN
Hacker News: Ask HN
Microsoft Azure Blog
Microsoft Azure Blog
M
MIT News - Artificial intelligence
Help Net Security
Help Net Security
F
Full Disclosure
Cyberwarzone
Cyberwarzone
D
DataBreaches.Net
The Cloudflare Blog
S
Securelist
美团技术团队
C
Cybersecurity and Infrastructure Security Agency CISA
AI
AI
CTFtime.org: upcoming CTF events
CTFtime.org: upcoming CTF events

博客园 - 牟向阳

Daily English 你知道你的後照鏡調錯了嗎?原來裡面隱藏著視線死角! Silverlight Freezing & Crash Silverlight 中实现Service同步调用 Silverlight:获取ContentTemplate中的命名控件 silverlight 4常用的多线程技术 推荐几款Silverlight Tools【转载】 一个配置文件的Mapping Emit Vs CodeDom Custom DataContractSerializerOperationBehavior SQL Service查询分析 WPF&Silverlight精髓 支持定位当前页,自定义排序的分页SQL(拒绝动态SQL) WCF学习经验分享,如何更好地学习WCF? 后台管理界面收集 两个使用的Ajax Demo 自学面向对象 发几个有价值的.net源码 我是如何带领团队开发项目的
Implementing SQL Server Row and Cell Level Security
牟向阳 · 2016-04-12 · via 博客园 - 牟向阳
Problem

I have SQL Server databases with top secret, secret and unclassified data.  How can we establish custom SQL Server data classification schemes for implementing "need to know" access to data in specific tables?  Check out this tip to learn more.

Solution

With current regulations such as SOX, HIPAA, etc., protecting sensitive data is a must in the enterprise.  In this tip we will see how to implement Row Level Security (RLS) and Cell Level Security (CLS) with the help of SQL Server Label Security Toolkit which you can download from CodePlex http://sqlserverlst.codeplex.com/.

What is a security label in SQL Server?

A security label is a marking that describes the sensitivity of an item, in this case, information. It consists of a string containing defined security categories of the information available.

ID

Name

CreditCardNo

Classification

1 Ken Sánchez 1010101 SECRET
2 Terri Duffy 8498489 TOP SECRET
3 Rob Walters 4884556 UNCLASSIFIED

In order to access the information the users need to have a clearance defined.

User

Clearance

Alice TOP SECRET
Bob SECRET
David UNCLASSIFIED

So, in this case, assuming a hierarchical security scheme, if Alice performs a SELECT * FROM Table1 he will get all of the three records, because she has TOP SECRET clearance and that includes SECRET and UNCLASSIFIED clearances. And if Bob is the one who performs the previous query, he will get only the records 1 and 3.

How does the SQL Server Label Security toolkit work?

This toolkit consists of a framework composed by:

  • Metadata tables used to define the security labels.
  • Helper stored procedures and functions to manipulate the labels.
  • A view, vwVisibleLabels that contains the list of all the security labels present in the database to which the current logged user have access (I will expand this topic below).
  • A GUI to develop the security schema.

It is important to note that the approach used by this Toolkit makes the assumption that applications using the database will connect by using a specific identity for each end user. This identity could be either a Windows account or a SQL Server login. That's because the security labels are associated to database roles or Windows groups. On SQL Server 2012 you can use the Contained Database feature to create a user without a login.