In regulated environments (SOX, HIPAA, PCI-DSS, etc.), protecting sensitive data at the row and cell level is essential.


The free SQL Server Label Security Toolkit (originally from CodePlex: http://sqlserverlst.codeplex.com/) provides a complete framework to implement Row-Level Security (RLS) and Cell-Level Security (CLS) using security labels.


A security label is a string that marks the sensitivity of data rows/cells, composed of predefined categories (e.g., CONFIDENTIAL, RESTRICTED, INTERNAL). Access requires the user to have matching clearance.


Toolkit Components:

- Metadata tables to define and store security labels and clearances.

- Helper stored procedures and functions to assign, validate, filter, and manipulate labels.

- The vwVisibleLabels view, which shows only the labels the currently logged-in user is cleared to see.

- GUI application to design, visualize, and manage the entire security schema.


Key Requirements & Assumptions:

- Applications must connect using individual end-user identities (Windows AD accounts or SQL logins).

- Labels are associated with database roles or Windows groups.

- On SQL Server 2012+, leverage Contained Database Users to create users without server logins.
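
The label-to-role pattern described above, as an added T-SQL example that is not the toolkit's own code. It assumes each label maps to exactly one database role (a simplification of the toolkit's category-based labels), and every Demo* object name is hypothetical; the toolkit's real schema is not reproduced here.

```sql
-- Added illustration: every object name here is hypothetical, not a toolkit object.
CREATE TABLE dbo.DemoLabel (
    LabelID   int         NOT NULL PRIMARY KEY,
    LabelName varchar(32) NOT NULL UNIQUE,
    RoleName  sysname     NOT NULL  -- database role or Windows group that holds the clearance
);
CREATE TABLE dbo.DemoPatient (
    PatientID   int IDENTITY PRIMARY KEY,
    FullName    nvarchar(100) NOT NULL,
    Diagnosis   nvarchar(200) NULL,
    RowLabelID  int NOT NULL REFERENCES dbo.DemoLabel(LabelID),  -- label on the whole row
    DiagLabelID int NOT NULL REFERENCES dbo.DemoLabel(LabelID)   -- label on the Diagnosis cell
);
CREATE ROLE DemoInternal;
CREATE ROLE DemoConfidential;
INSERT dbo.DemoLabel VALUES (1, 'INTERNAL', 'DemoInternal'),
                            (2, 'CONFIDENTIAL', 'DemoConfidential');
-- Constructed sample rows
INSERT dbo.DemoPatient (FullName, Diagnosis, RowLabelID, DiagLabelID) VALUES
    (N'Sample Patient A', N'Sample diagnosis A', 1, 2),
    (N'Sample Patient B', N'Sample diagnosis B', 2, 2);
GO
-- Labels the current user is cleared for, resolved through role or group membership.
CREATE VIEW dbo.vwDemoVisibleLabels AS
SELECT LabelID, LabelName FROM dbo.DemoLabel WHERE IS_MEMBER(RoleName) = 1;
GO
-- Row filter: inner join on the row label.
-- Cell filter: Diagnosis is returned as NULL unless its own label is visible.
CREATE VIEW dbo.vwDemoPatient AS
SELECT p.PatientID, p.FullName,
       CASE WHEN d.LabelID IS NOT NULL THEN p.Diagnosis END AS Diagnosis
FROM dbo.DemoPatient AS p
JOIN dbo.vwDemoVisibleLabels AS r ON r.LabelID = p.RowLabelID
LEFT JOIN dbo.vwDemoVisibleLabels AS d ON d.LabelID = p.DiagLabelID;
GO
-- Grant on the view only; the base table stays ungranted and is reached
-- through ownership chaining because both objects are owned by dbo.
GRANT SELECT ON dbo.vwDemoPatient TO DemoInternal, DemoConfidential;
CREATE USER DemoNurse WITHOUT LOGIN;           -- test principal
ALTER ROLE DemoInternal ADD MEMBER DemoNurse;  -- INTERNAL clearance only
GO
-- Check the filter under the test principal's security context.
EXECUTE AS USER = 'DemoNurse';
SELECT PatientID, FullName, Diagnosis FROM dbo.vwDemoPatient;
REVERT;
```

Because the filter depends on IS_MEMBER evaluating the caller's own identity, it only works when the application connects as the individual end user, which is why a shared application login defeats this design.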


Complementary Security:

This toolkit is a strong, zero-cost addition to existing protections like Transparent Data Encryption (TDE).

Combining TDE (data-at-rest encryption) with label-based RLS/CLS gives you encrypted storage plus dynamic, identity-based row- and cell-level access control, which supports both compliance and least-privilege enforcement.