Jason McKittrick's Blog

SQL Server Row and Cell Level Security

With current regulations such as SOX, HIPAA, etc., protecting sensitive data is a must in the enterprise.  There is a published toolkit to implement Row Level Security (RLS) and Cell Level Security (CLS) using SQL Server Label Security Toolkit which is a free download from CodePlex http://sqlserverlst.codeplex.com/.  It makes use of a Security label in SQL Server. A security label is a marking that describes the sensitivity of an item, in this case, information. It consists of a string containing defined security categories of the information available. In order to get access to the information the users need to have a clearance defined.

The Server Label Security Toolkit consists of a framework composed by:

  • Metadata tables used to define the security labels.
  • Helper stored procedures and functions to manipulate the labels.
  • A view, vwVisibleLabels that contains the list of all the security labels present in the database to which the current logged user have access.
  • A GUI to develop the security schema.

It is important to note that the approach used by this Toolkit makes the assumption that applications using the database will connect by using a specific identity for each end-user. This identity could be either a Windows AD Account or a SQL Login.  That’s because the security labels are associated to DB Roles or Windows groups. On SQL Server 2012 you can use the Contained Database feature to create a user without a login.

This is a solid cost-effective solution to put on top of already secured data as well, like TDE.  Utilizing both methods will allow you to securely encrypt your data and control access to that encrypted data at the row/cell level.

Leave a Reply

Your email address will not be published. Required fields are marked *