Post reply

RLS Filters

  • March 16, 2016 at 10:55 pm

    #72578

    Comments posted to this topic are about the item RLS Filters

  • March 16, 2016 at 11:02 pm

    This was removed by the editor as SPAM

  • March 17, 2016 at 3:09 am

    #1865804

    I think there's a typo:

    CREATE SECURITY POLICY rls_CustomerFilter

    ADD FILTER PREDICATE dbo.rls_customer_check(customerid)

    ON dbo.CustomerAccessList;

    GO

    "customerid" instead of "username" passed as parameter to the inline function.

    Anyway, the typo doesn't change the correct answer.

  • March 17, 2016 at 3:28 am

    #1865810

    CREATE SECURITY POLICY rls_CustomerFilter

    ADD FILTER PREDICATE dbo.rls_customer_check(customerid)

    ON dbo.CustomerAccessList;

    GO

    the above is not included "WITH (STATE=ON)". I thought security policy is not enabled yet and insert succeeds.

  • March 17, 2016 at 4:08 am

    #1865817

    I don't understand how this can work, even if you do pass 'bsmith' rather than 5 into the check function (can '5' be cast as a sysname, anyway?).

    The function returns 1 if the supplied name matches the value returned by USER_NAME(). If I run that on my system, I get 'dbo', which according to books online is what you get for a user that is a member of the sysadmin role.

    Even if USER_NAME() returned 'bsmith' for that user, what does this achieve? It appears to have the effect of allowing users to only give themselves access to the specified customer. But it does not stop anybody from doing so, does it?

    Am I missing something?

  • March 17, 2016 at 4:23 am

    #1865820

    Bob JH Cullen (3/17/2016)

    I don't understand how this can work, even if you do pass 'bsmith' rather than 5 into the check function (can '5' be cast as a sysname, anyway?).

    The function returns 1 if the supplied name matches the value returned by USER_NAME(). If I run that on my system, I get 'dbo', which according to books online is what you get for a user that is a member of the sysadmin role.

    Even if USER_NAME() returned 'bsmith' for that user, what does this achieve? It appears to have the effect of allowing users to only give themselves access to the specified customer. But it does not stop anybody from doing so, does it?

    Am I missing something?

    As from BOL, FILTER PREDICATE is active only on READ and not in WRITE. For "insert" o "update" you should use BLOCK.

  • March 17, 2016 at 10:30 am

    #1865927

    Correct, you need a BLOCK predicate to stop writes.

    Sorry for the typo, I'll correct things.

  • March 18, 2016 at 7:19 am

    #1866131

    Appreciate the question Steve.

  • March 23, 2016 at 4:57 pm

    #1867275

    Thank you for the question.

  • April 4, 2016 at 6:22 am

    #1869470

    Interesting question, thanks.

    Need an answer? No, you need a question
    My blog at https://sqlkover.com.
    MCSE Business Intelligence - Microsoft Data Platform MVP

Viewing 10 posts - 1 through 9 (of 9 total)

You must be logged in to reply to this topic. Login to reply