ITCamp 2018 - Damian Widera - SQL Server 2016. Meet the Row Level Security. Practical notes
0 likes62 views
The document discusses the implementation of Row-Level Security (RLS) in SQL Server 2016 to ensure data privacy in multi-tenant applications. It outlines common scenarios where RLS is necessary, presents both dirty and clean implementation solutions, and addresses performance, limitations, and potential issues with RLS. The agenda includes a problem statement, solutions, and a Q&A segment regarding the practical application of RLS in various environments.
ITCamp 2018 - Damian Widera - SQL Server 2016. Meet the Row Level Security. Practical notes
- 1. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals SQL Server 2016. Meet the Row Level Security. Practical notes Damian Widera + Dominika Widera Microsoft Data Platform MVP EUVIC @damianwidera http://sqlplayer.net
- 2. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Many thanks to our sponsors & partners! GOLD SILVER PARTNERS PLATINUM POWERED BY
- 3. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Damian Widera Project Manager & Technical Lead | EUVIC (www.euvic.pl) MVP | MCT | MCSE | MCITP [email protected] +48 665-229-227 @damian.widera facebook.com/damian.widera.10 http://sqlplayer.net Channel9
- 4. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals EUVIC PALO ALTO NOWY JORK WARSZAWA KATOWICE GLIWICE BIELSKO BIAŁA WROCŁAW CZĘSTOCHOWA GDYNIA KRAKÓW BYDGOSZCZ WIEDEŃ BIAŁYSTOK
- 5. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Agenda • Problem statement(s) • Dirty solution (pre-SQL Server 2016) • Clean and nice solution (SQL Server 2016+) • Is it really clean & nice?
- 6. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Problem statement no.1 • You have a multi-tenant e-commerce website and different companies registered on your website and you have centralized single database for all clients. • Your responsibility is that one tenant’s data should not be available to another tenant.
- 7. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Problem statement no.2 • You have hospital database in which you have login user of different doctors and nurses. • You should show data to doctor or nurses of their patients to whom they are giving treatment
- 8. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Problem statement no.3 • We have a SQL Server table which stores supplier and order information. This data is critical to our business and we want to restrict access for some employees. • We want employees to only see the orders they processed based on their employee ID
- 9. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Dirty solution • Implementation of the row-level access logic using • Views • Stored procedures or functions • Parametrized views • Customized application code
- 10. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Dirty solution • Suppose you have web application, mobile solution, Excel file • Then the same logic is implemented in many applications • Must be maintained… • Upgrade… - all at once?
- 11. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Clean & nice solution • Learn & implement & use the RLS
- 12. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals RLS setup • Create Users and grant them necessary permissions on a table • INSERT, UPDATE, DELETE, SELECT • Create a new Inline Table-Valued Function(*) that will contain the Filter/Block Predicate for that table. This function can have a sophisticated business logic with multiple JOINs or just a simple WHERE condition • Create a new Security Policy for this table and add the above Function (Filter) Predicate to it. • Please note that these Functions & Security Policies should be unique for a table. So to create RLS for an another table, you will need to create separate Function & Security Policy.
- 13. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Filter / Block predicate • Filter Predicate it will filter / exclude the rows which do not satisfy the predicate – SELECT, UPDATE or DELETE • For example: Suppose, you want to restrict doctor to see other doctor’s patient data then in such case you can apply filter predicate. • Block Predicate helps in implementing policy by which INSERT, UPDATE or DELETE operations will prevent saving data. • For example, you have multi-tenant application and you want to restrict one tenant user to insert or update other tenant’s data.
- 14. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Permissions • Create / Alter a policy: • ALTER ANY SECURITY POLICY, ALTER SCHEMA • Access the data: • SELECT and REFERENCES on function • SELECT on a table • REFERENCES on a table • REFERENCES on all columns (arguments to a function)
- 15. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Is it really clean & nice? • Performance? • Limitations? • Known problems?
- 16. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Performance • Use Query Store to monitor queries • Performance – same as a view • Inline function is applied • Columnstore – you might end up with ROW mode • FTS – CONTAINSTABLE, FREETEXT will be slower
- 17. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Limitations • Filestream, Polybase – not working • DBCC – show unfiltered data • Temporal tables – predicates must be applied manually on the historic table • Partitioned views – no blocking predicate allowed • Indexed views - cannot be created on top of tables that have a security policy, because row lookups via the index would bypass the policy • CDC – can leak the entire rows that should be filtered • CT – can leak the PK of rows that should be filtered to users with both SELECT and VIEW CHANGE TRACKING permission. Actual data are not leaked
- 18. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Known problems • Crafted query • SELECT 1 / (Salary – 10000) FROM Payrol • WHERE Name = ’John Doe’; • You will observe divide-by-zero exception
- 19. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals What if? • I need to limit access based on AD group • Use IS_MEMBER() funtion • We use only one login in the application • Use SESSION_CONTEXT
- 20. @ITCAMPRO #ITCAMP18Community Conference for IT Professionals Q & A