Row-Level Security (RLS) and Column-Level Security (CLS) are methods that simplify the design and coding of security in applications by imposing restrictions on data access. CLS allows for specific users to access only certain columns of a table relevant to their department, protecting sensitive data. RLS, on the other hand, restricts users to accessing only data rows pertinent to their role or department. Both methods locate the access restriction logic in the database tier, applying the restrictions every time data access is attempted from any tier, making the security system more reliable and robust.
In Microsoft Fabric Warehouse and SQL Endpoint
Visit Security for data warehousing to learn more about the security topics for securing the SQL Endpoint of the lakehouse and the Warehouse in Microsoft Fabric
--Create a Schema
CREATE SCHEMA [Sales]
GO
--Create a table to hold data.
CREATE TABLE [Sales].[SaleDetails](
[SaleID] [int] NOT NULL,
[ProductID] [varchar](100),
[ProductName] [varchar](100) ,
[SalesPersonID] [varchar](100)
)
GO
--populate the table with four rows of data, showing orders for each sales representative.
INSERT INTO Sales.SaleDetails VALUES (1, 'Prd1', 'ProductName1', 'salesusr@contoso.com');
INSERT INTO Sales.SaleDetails VALUES (2, 'Prd2', 'ProductName2', 'salesusr1@contoso.com');
INSERT INTO Sales.SaleDetails VALUES (3, 'Prd3', 'ProductName2', 'salesusr3@contoso.com');
INSERT INTO Sales.SaleDetails VALUES (4, 'Prd4', 'ProductName3', 'salesusr4@contoso.com');
1
when a row in the SalesPersonID
column is the same as the user executing the query (@SalesRep = SUSER_SNAME()
) or when the manager user is executing the query
--create schema
CREATE SCHEMA Security;
GO
--create a inline security function
CREATE FUNCTION Security.tvf_finsecuritypredicate(@SalesRep AS sysname)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN SELECT 1 AS tvf_finsecuritypredicate_result
WHERE @SalesRep = SUSER_SNAME() OR USER_NAME() = 'manageruser@contoso.com';
GO
ON
to enable the policy
CREATE SECURITY POLICY SalesFinFilter
ADD FILTER PREDICATE Security.tvf_finsecuritypredicate(SalesPersonID)
ON Sales.SaleDetails
WITH (STATE = ON);
GO
Sales.SaleDetails
table as each user.
The example will use Grant Statement to provide members of the Security Group with access to view only few columns of a table.
GRANT SELECT ON [ProductLakeHouse].[dbo].[customerdetails]([CustomerID],[CustomerName],[PhoneNumber]) TO [CLSAcessAADgrp];
In conclusion, this guide provides the steps to implement Row-Level Security (RLS) and Column-level security on Microsoft Fabric Warehouse and SQL Endpoint.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.