
Enterprise RLS in SQL Server in Power BI


1 Enterprise RLS in SQL Server in Power BI
Jamey Johnston June 2018 Enterprise Row Level Security in SQL Server in Power BI

2 Agenda
- Who am I?
- Row-level Security in MS SQL Server
- Row-level Security in Power BI
- Questions

3 Jamey Johnston
- Data Scientist/Engineer for an O&G Company
- 25 years DBA Experience
- TAMU MS in Analytics
- Semi-Pro Photographer
- @STATCowboy
- Download Code Here!

4 Row Level Security
RLS allows for controlled access to rows in tables based on attributes of the user executing the query.

2 Methods of RLS in SQL Server:
- Filter Based (2005+)
  - SQL Server Security Label Toolkit
  - Use views on tables with “labels” to limit access
  - Problem is you have to change the application code and add views (i.e. upgrades are a pain, unsupported applications)
- Predicate Based (2016+ and Azure)
  - Uses functions and policies to apply predicates to the SQL
  - No application code changes and base database schema left intact (i.e. upgrades not impacted very much by RLS)

5 Row Level Security: Basic Steps
1. Define Table(s) for RLS
2. Create a new Schema, RLS, for Security Objects
3. Create Table Value Function to define “how” to enforce security on Table
4. Create a Security Policy on the table using the TVF

6 Table Value Functions
- User defined function that returns a data table
- Powerful alternative to View
- Expand beyond SELECT and use more powerful T-SQL
- RLS uses them to return a 1 for row matches

    -- Function name and Region parameter as used by the security policy: RLS.fn_RLSpredicate(Region)
    CREATE FUNCTION RLS.fn_RLSpredicate(@Region AS sysname)
        RETURNS TABLE
    WITH SCHEMABINDING
    AS
        RETURN SELECT 1 AS fn_RLSpredicate_result
        -- VP_US matches every row; any other user matches only rows whose Region equals the user name
        WHERE USER_NAME() = 'VP_US' OR @Region = USER_NAME();
    GO

7 Security Policy
Policy that is created to apply the Security Predicate

    CREATE SECURITY POLICY Well_HeaderFilter
        -- FILTER limits the rows that reads return
        ADD FILTER PREDICATE RLS.fn_RLSpredicate(Region) ON dbo.Well_Header,
        -- BLOCK rejects inserted rows that fail the predicate
        ADD BLOCK PREDICATE RLS.fn_RLSpredicate(Region) ON dbo.Well_Header AFTER INSERT;
    GO
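
The four basic steps end to end, followed by the checks that prove the policy is enforced. This is an added example, not code from the original deck: the dbo.Well_Header columns, the sample rows and the two test users are constructed, while the function and policy follow slides 6 and 7.

```sql
-- Added example: table columns, rows and users are constructed for illustration.
CREATE TABLE dbo.Well_Header (Well_ID int PRIMARY KEY, Well_Name varchar(50), Region sysname);
INSERT INTO dbo.Well_Header VALUES
    (1, 'Well A', 'NORTHERN_US'), (2, 'Well B', 'NORTHERN_US'), (3, 'Well C', 'SOUTHERN_US');
GO
CREATE SCHEMA RLS;
GO
CREATE FUNCTION RLS.fn_RLSpredicate(@Region AS sysname)
RETURNS TABLE WITH SCHEMABINDING
AS RETURN SELECT 1 AS fn_RLSpredicate_result
          WHERE USER_NAME() = 'VP_US' OR @Region = USER_NAME();
GO
CREATE SECURITY POLICY Well_HeaderFilter
    ADD FILTER PREDICATE RLS.fn_RLSpredicate(Region) ON dbo.Well_Header,
    ADD BLOCK PREDICATE RLS.fn_RLSpredicate(Region) ON dbo.Well_Header AFTER INSERT
    WITH (STATE = ON);
GO
-- Database users without logins, used only for impersonation in this test.
CREATE USER VP_US WITHOUT LOGIN;
CREATE USER NORTHERN_US WITHOUT LOGIN;
GRANT SELECT, INSERT ON dbo.Well_Header TO VP_US, NORTHERN_US;
GO
-- Regional user: the FILTER predicate limits SELECT to rows where Region = USER_NAME().
EXECUTE AS USER = 'NORTHERN_US';
SELECT Well_ID, Well_Name, Region FROM dbo.Well_Header;
-- The BLOCK predicate (AFTER INSERT) rejects a row for a region the user cannot see.
BEGIN TRY
    INSERT INTO dbo.Well_Header VALUES (4, 'Well D', 'SOUTHERN_US');
END TRY
BEGIN CATCH
    SELECT ERROR_NUMBER() AS error_number, ERROR_MESSAGE() AS error_message;
END CATCH;
REVERT;
GO
-- VP_US matches the first branch of the predicate and is not restricted by Region.
EXECUTE AS USER = 'VP_US';
SELECT Well_ID, Well_Name, Region FROM dbo.Well_Header;
REVERT;
GO
-- Audit: list every predicate, the table it protects and whether its policy is enabled.
SELECT p.name AS policy_name, p.is_enabled, OBJECT_NAME(sp.target_object_id) AS target_table,
       sp.predicate_type_desc, sp.operation_desc, sp.predicate_definition
FROM sys.security_policies AS p
JOIN sys.security_predicates AS sp ON sp.object_id = p.object_id;
```

Run it in a scratch database. Because the predicate only compares USER_NAME(), the table owner and dbo are filtered as well once the policy is on.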

8 Recursive Queries with CTE
Use them to query tables with Hierarchical Data

9 Why Predicate Based RLS for Business?
- No application code changes and base database schema left intact (i.e. upgrades not impacted very much by RLS)
- With ISV applications it is not advisable to change the Schema
- Increased ventures with Internal Partners require row-level granular access to the applications
- RLS allows for the row-level security and eliminates the need for federated/“broken-out” databases/applications

10 Demos
- Simple RLS Demo
- Advanced RLS Demo with Hierarchies

11 RLS with Parent/Child Hierarchies
Demo will show how an organizational hierarchy and asset hierarchy can be leveraged together to provide RLS on tables using the new predicate based RLS feature in SQL Server 2016 and Azure

Important Concepts:
- Organization Unit
  - Represents a position in the company (not employee)
  - Security is assigned to the Organization Unit and propagated to the User ID
- Hierarchy Based Security
  - Allows for inheritance of permissions via the Organization and Asset Hierarchy
  - Do NOT need to assign security to every node in the hierarchy. Child nodes can inherit from Parent Nodes
- Parent/Child Hierarchy
  - Employee ID / Manager ID - Unary Relationship

12 Asset Hierarchy
Snapshot of the Asset Hierarchy

13 Organizational Hierarchy
Snapshot of the Org Hierarchy

14 Security Record for Every Employee is NOT Required!
Hierarchies and RLS

    insert into [SEC_ASSET_MAP] values (100001, 'ALL', 'ALL');
    insert into [SEC_ASSET_MAP] values (100010, 'REGION', 'NORTHERN US');
    insert into [SEC_ASSET_MAP] values (100028, 'ASSET_GROUP', 'PRB');

- Inherits from CEO
- Inherits from SVP who Inherits from CEO
- Inherits from Manager
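
How the recursive CTE from slide 8 can resolve the inheritance shown here, as an added example that is not part of the original deck. The temp tables, their column names, the user names and the org rows are constructed; only the three security records come from the slide, and "the nearest ancestor with a record wins" is an assumption about how the demo resolves inheritance.

```sql
-- Added example: constructed tables; column names are assumptions, not the demo's schema.
CREATE TABLE #ORG (EMPLOYEE_ID int PRIMARY KEY, MANAGER_ID int NULL, USERID sysname);
CREATE TABLE #SEC_ASSET_MAP (EMPLOYEE_ID int, HIERARCHY_LEVEL varchar(20), HIERARCHY_VALUE varchar(50));

-- Constructed org chain; two of the five nodes have no security record of their own.
INSERT INTO #ORG VALUES
    (100001, NULL,   'CEO_USER'),
    (100005, 100001, 'SVP_USER'),
    (100010, 100005, 'REGION_USER'),
    (100028, 100010, 'MANAGER_USER'),
    (100040, 100028, 'ENGINEER_USER');

-- Security records from the slide.
INSERT INTO #SEC_ASSET_MAP VALUES
    (100001, 'ALL', 'ALL'),
    (100010, 'REGION', 'NORTHERN US'),
    (100028, 'ASSET_GROUP', 'PRB');

DECLARE @UserId sysname = 'ENGINEER_USER';

-- Anchor: the user's own node. Recursive member: step to the manager's node.
WITH chain AS (
    SELECT EMPLOYEE_ID, MANAGER_ID, 0 AS hops
    FROM #ORG
    WHERE USERID = @UserId
    UNION ALL
    SELECT o.EMPLOYEE_ID, o.MANAGER_ID, c.hops + 1
    FROM #ORG AS o
    JOIN chain AS c ON o.EMPLOYEE_ID = c.MANAGER_ID
)
-- Keep the record(s) held by the closest node in the chain that has any.
SELECT TOP (1) WITH TIES
       @UserId AS USERID, c.EMPLOYEE_ID AS INHERITED_FROM, c.hops,
       m.HIERARCHY_LEVEL, m.HIERARCHY_VALUE
FROM chain AS c
JOIN #SEC_ASSET_MAP AS m ON m.EMPLOYEE_ID = c.EMPLOYEE_ID
ORDER BY c.hops
OPTION (MAXRECURSION 32);  -- a cycle in MANAGER_ID raises an error instead of recursing without bound
```

Change @UserId to 'SVP_USER' to see a node with no record of its own fall back to the root record.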

15 RLS with HierarchyID Datatype
Demonstrates how the HierarchyID Datatype can be used for RLS
- SEC_ORG_USER_BASE_HID: same as SEC_ORG_USER_BASE but includes HierarchyID column to demonstrate RLS with HierarchyID data types

16 Parent/Child vs HierarchyID Data Type
Parent/Child
- Most familiar and most likely to be supported by ISV
- Easier to implement security across multiple hierarchies (Org and Asset)
- More flexible to support access across multiple node levels (i.e. User has access to multiple nodes in the Hierarchy)

HierarchyID Datatype
- Does not work easily across multiple hierarchies and with multiple node level access
- Very fast when working with one hierarchy
- Still researching as it is fast and would like to use!
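
The single-hierarchy case with the HierarchyID data type, as an added example that is not part of the original deck. The temp tables, the ORG_NODE column, the node paths and the user names are constructed, and the nearest-ancestor rule is the same assumption a parent/child lookup would make.

```sql
-- Added example: constructed rows; ORG_NODE and the other column names are assumptions.
CREATE TABLE #ORG_HID (ORG_NODE hierarchyid PRIMARY KEY, EMPLOYEE_ID int NOT NULL, USERID sysname);
CREATE TABLE #SEC_MAP (EMPLOYEE_ID int, HIERARCHY_LEVEL varchar(20), HIERARCHY_VALUE varchar(50));

INSERT INTO #ORG_HID VALUES
    (hierarchyid::Parse('/'),         100001, 'CEO_USER'),
    (hierarchyid::Parse('/1/'),       100005, 'SVP_USER'),
    (hierarchyid::Parse('/1/1/'),     100010, 'REGION_USER'),
    (hierarchyid::Parse('/1/1/1/'),   100028, 'MANAGER_USER'),
    (hierarchyid::Parse('/1/1/1/1/'), 100040, 'ENGINEER_USER');
INSERT INTO #SEC_MAP VALUES
    (100001, 'ALL', 'ALL'), (100010, 'REGION', 'NORTHERN US'), (100028, 'ASSET_GROUP', 'PRB');

DECLARE @UserId sysname = 'ENGINEER_USER';

-- u.ORG_NODE.IsDescendantOf(a.ORG_NODE) = 1 holds for the user's own node and for
-- every ancestor, so one join takes the place of a recursive CTE over MANAGER_ID.
-- Ordering by GetLevel() DESC keeps the deepest, i.e. nearest, node that has a record.
SELECT TOP (1) WITH TIES
       a.EMPLOYEE_ID AS INHERITED_FROM, a.ORG_NODE.ToString() AS NODE_PATH,
       m.HIERARCHY_LEVEL, m.HIERARCHY_VALUE
FROM #ORG_HID AS u
JOIN #ORG_HID AS a ON u.ORG_NODE.IsDescendantOf(a.ORG_NODE) = 1
JOIN #SEC_MAP AS m ON m.EMPLOYEE_ID = a.EMPLOYEE_ID
WHERE u.USERID = @UserId
ORDER BY a.ORG_NODE.GetLevel() DESC;
```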

17 Demo ERD

18 Row-level Security: Learn More
- Books Online
- SQL Security Blog (keyword RLS)
- Channel 9 Videos: channel9.msdn.com/Shows/Data-Exposed/Row-Level-Security-in-Azure-SQL-Database
- Code Samples

19 Questions?
Thank you for attending!
- @STATCowboy
- http://STATCowboy.com
- Download Demos
- SQL Server Security Blog
