{"id":14791,"date":"2016-01-21T09:30:00","date_gmt":"2016-01-21T17:30:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/dataplatforminsider\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/"},"modified":"2024-01-22T22:52:25","modified_gmt":"2024-01-23T06:52:25","slug":"limiting-access-to-data-using-row-level-security","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/","title":{"rendered":"Limiting access to data using Row-Level Security"},"content":{"rendered":"<p>To satisfy compliance standards, internal regulations or basic security principles, applications often need to limit a user&#8217;s access to only certain rows of data in a database. For example:<\/p>\n<ul>\n<li>An oil and gas exploration application might restrict an analyst&#8217;s access to well production data based on the analyst\u2019s region and role.<\/li>\n<li>A healthcare application might restrict a doctor&#8217;s access to patient data based on the doctor\u2019s staffing assignments.<\/li>\n<li>A multitenant application with a &#8220;<a href=\"https:\/\/msdn.microsoft.com\/library\/aa479086.aspx?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">shared database, shared schema<\/a>&#8221; tenancy model needs to prevent tenants from accessing data that does not belong to them.<\/li>\n<\/ul>\n<p>Traditionally, customers have implemented their row-level access logic using SQL views or customized application code. But these workarounds can introduce problems: Views are decentralized, susceptible to runtime errors and difficult to maintain during application upgrades. And customized application code is not only difficult to maintain as your codebase grows, but also impossible in scenarios where you don&#8217;t own the application code (e.g., commercial off-the-shelf software).<\/p>\n<p><a href=\"https:\/\/msdn.microsoft.com\/library\/dn765131.aspx?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">Row-Level Security (RLS)<\/a>, a new programmability feature available in Azure SQL Database and SQL Server 2016, solves these problems by centralizing your row-level access logic within the database. As your application grows, RLS helps you maintain a consistent data access policy and reduce the risk of accidental data leakage.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" style=\"border-color: currentColor;margin-right: auto;margin-left: auto\" src=\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png\" alt=\" \" width=\"500\" height=\"235\" \/><\/p>\n<h1>How it works<\/h1>\n<p>RLS is a form of &#8220;predicate-based access control&#8221; \u2014 it works by automatically applying a security predicate to all queries on a table. The predicate determines which users can access which rows. For example, a simple predicate might be, &#8220;WHERE SalesRep = CURRENT_USER&#8221;, while a complicated predicate might include JOINs to look up information in other tables.<\/p>\n<p>There are two types of security predicates:<\/p>\n<ul>\n<li>Filter predicates silently filter SELECT, UPDATE and DELETE operations to exclude rows that do not satisfy the predicate.<\/li>\n<li>Block predicates explicitly block INSERT, UPDATE and DELETE operations that do not satisfy the predicate.<\/li>\n<\/ul>\n<p>To add a security predicate on a table, you first need an inline table-valued function that defines your access criteria. Then, you create a security policy that adds filter and block predicates on any tables you like, using this function. Here&#8217;s a simple example that prevents sales representatives from accessing rows in a customer&#8217;s table that are not assigned to them:<\/p>\n<p><span style=\"font-family: courier new,courier\"><span style=\"color: #0000ff\">CREATE FUNCTION<\/span> dbo.customerPredicate<span style=\"color: #808080\">(<\/span>@SalesRepName <span style=\"color: #0000ff\">AS sysname<\/span><span style=\"color: #808080\">)<\/span><\/span><br \/>\n<span style=\"font-family: courier new,courier\">\u00a0\u00a0\u00a0 <span style=\"color: #0000ff\">RETURNS TABLE<\/span><\/span><br \/>\n<span style=\"color: #0000ff;font-family: courier new,courier\">\u00a0\u00a0\u00a0 WITH SCHEMABINDING<\/span><br \/>\n<span style=\"color: #0000ff;font-family: courier new,courier\">AS<\/span><br \/>\n<span style=\"font-family: courier new,courier\"><span style=\"color: #0000ff\">\u00a0\u00a0\u00a0 RETURN SELECT<\/span> 1 <span style=\"color: #0000ff\">AS<\/span> accessResult <\/span><br \/>\n<span style=\"font-family: courier new,courier\">\u00a0\u00a0\u00a0 <span style=\"color: #0000ff\">WHERE<\/span> @SalesRepName = <span style=\"color: #ff00ff\">USER_NAME<\/span><span style=\"color: #808080\">()<\/span> OR <span style=\"color: #ff00ff\">USER_NAME<\/span><span style=\"color: #808080\">()<\/span> = <span style=\"color: #ff0000\">&#8216;Manager&#8217;<\/span><\/span><br \/>\n<span style=\"color: #0000ff;font-family: courier new,courier\">go<\/span><\/p>\n<p><span style=\"font-family: courier new,courier\"><span style=\"color: #0000ff\">CREATE SECURITY POLICY<\/span> dbo.customerAccessPolicy<\/span><br \/>\n<span style=\"font-family: courier new,courier\">\u00a0\u00a0\u00a0 <span style=\"color: #0000ff\">ADD FILTER PREDICATE<\/span> dbo.customerPredicate<span style=\"color: #808080\">(<\/span>SalesRepName<span style=\"color: #808080\">)<\/span> <span style=\"color: #0000ff\">ON<\/span> dbo.Customers,<\/span><br \/>\n<span style=\"font-family: courier new,courier\">\u00a0\u00a0\u00a0 <span style=\"color: #0000ff\">ADD BLOCK PREDICATE<\/span> dbo.customerPredicate<span style=\"color: #808080\">(<\/span>SalesRepName<span style=\"color: #808080\">)<\/span> <span style=\"color: #0000ff\">ON<\/span> dbo.Customers<\/span><br \/>\n<span style=\"color: #0000ff;font-family: courier new,courier\">go<\/span><\/p>\n<p><span style=\"color: #008000;font-family: courier new,courier\">&#8212; Now test the policy by impersonating SalesRep01<\/span><br \/>\n<span style=\"font-family: courier new,courier\"><span style=\"color: #0000ff\">EXECUTE AS USER<\/span> = <span style=\"color: #ff0000\">&#8216;SalesRep01&#8217;<\/span><\/span><br \/>\n<span style=\"color: #0000ff;font-family: courier new,courier\">go<\/span><\/p>\n<p><span style=\"color: #008000;font-family: courier new,courier\">&#8212; Only rows where SalesRepName = &#8216;SalesRep01&#8217; are returned (filter predicate)<\/span><br \/>\n<span style=\"font-family: courier new,courier\"><span style=\"color: #0000ff\">SELECT<\/span> * <span style=\"color: #0000ff\">FROM<\/span> dbo.Customers<\/span><br \/>\n<span style=\"color: #0000ff;font-family: courier new,courier\">go<\/span><\/p>\n<p><span style=\"color: #008000;font-family: courier new,courier\">&#8212; Error because the new SalesRepName &lt;&gt; &#8216;SalesRep01&#8217; (block predicate)<\/span><br \/>\n<span style=\"font-family: courier new,courier\"><span style=\"color: #0000ff\">INSERT INTO<\/span> dbo.Customers <\/span><br \/>\n<span style=\"font-family: courier new,courier\">\u00a0\u00a0\u00a0 <span style=\"color: #808080\">(<\/span>CustomerId<span style=\"color: #808080\">,<\/span> CustomerName, SalesRepName<span style=\"color: #808080\">) <\/span><\/span><br \/>\n<span style=\"color: #0000ff;font-family: courier new,courier\">VALUES <\/span><br \/>\n<span style=\"font-family: courier new,courier\">\u00a0\u00a0\u00a0 <span style=\"color: #808080\">(<\/span>1<span style=\"color: #808080\">,<\/span> <span style=\"color: #ff0000\">&#8216;New Customer&#8217;<\/span><span style=\"color: #808080\">,<\/span> <span style=\"color: #ff0000\">&#8216;SalesRep99&#8217;<\/span><span style=\"color: #808080\">)<\/span><\/span><br \/>\n<span style=\"color: #0000ff;font-family: courier new,courier\">go<\/span><\/p>\n<p><span style=\"color: #0000ff;font-family: courier new,courier\">REVERT<\/span><br \/>\n<span style=\"color: #0000ff;font-family: courier new,courier\">go<\/span><\/p>\n<h1>Frequently asked questions<\/h1>\n<p><em><strong>What is the performance impact of using RLS?<\/strong><\/em><\/p>\n<p>In general, RLS will have the same performance as a view. Because RLS relies on the query optimizer to inline the predicate function efficiently, the performance depends on the complexity of your queries and predicates, as well as any indexes you have created. For more information, see <a href=\"http:\/\/blogs.msdn.com\/b\/sqlsecurity\/archive\/2015\/04\/24\/row-level-security-performance-and-common-patterns.aspx?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">Row-Level Security: Performance and common patterns<\/a>.<\/p>\n<p><em><strong>Can I limit access based on AD group memberships?<\/strong><\/em><\/p>\n<p>Yes, you can use the <a href=\"https:\/\/msdn.microsoft.com\/library\/ms186271.aspx?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">IS_MEMBER()<\/a> function in your predicate to check SQL role or AD group memberships. For an example, see the <a href=\"https:\/\/www.microsoft.com\/sql-server\/sql-server-2019\">RLS Hospital Demo script<\/a>.<\/p>\n<p><em><strong>What if my application uses connection pooling with a single login for all users?<\/strong><\/em><\/p>\n<p>No problem, your application can use the new <a href=\"https:\/\/msdn.microsoft.com\/library\/mt590806.aspx?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">SESSION_CONTEXT<\/a> feature to get and set session-scoped key-value pairs to identify users for RLS, while still enabling efficient connection pooling. For examples, see the <a href=\"https:\/\/www.microsoft.com\/sql-server\/sql-server-2019\">RLS Mid-Tier Demo script<\/a> or the <a href=\"https:\/\/azure.microsoft.com\/en-us\/documentation\/articles\/web-sites-dotnet-entity-framework-row-level-security\/?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">Web app with a multitenant database using Entity Framework and Row-Level Security tutorial<\/a>.<\/p>\n<p><em><strong>If I&#8217;ve enabled RLS, does this mean that my DBAs cannot access data using SSMS?<\/strong><\/em><\/p>\n<p>No. Like other row-level security solutions, RLS is intended for scenarios where the queries that a user can execute are controlled by a middle-tier application. DBAs and users with ad-hoc query access to the database may be able to infer the existence of filtered data, using side-channels. For more information, see the <a href=\"https:\/\/msdn.microsoft.com\/library\/dn765131.aspx?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">RLS official documentation<\/a>.<\/p>\n<h1>Getting started<\/h1>\n<p>If your application needs to limit users&#8217; access to specific rows of data, we encourage you to use RLS. The easiest way to try it with SQL Server 2016 is to download the <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=49502?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">AdventureWorks Database for SQL Server 2016 CTP3<\/a> and walk through the RLS sample script.<\/p>\n<p>You can also learn more with the following resources:<\/p>\n<ul>\n<li><a href=\"https:\/\/msdn.microsoft.com\/library\/dn765131.aspx?id=49502?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">RLS official documentation<\/a><\/li>\n<li><a href=\"https:\/\/channel9.msdn.com\/Shows\/Data-Exposed\/Row-Level-Security-Updates?id=49502?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">Channel9 overview video<\/a><\/li>\n<li><a href=\"https:\/\/www.microsoft.com\/en-us\/sql-server\/sql-server-2019\">RLS Samples CodePlex project<\/a><\/li>\n<\/ul>\n<p>See the other posts in the <a href=\"\/sqlserver\/2015\/12\/01\/get-the-most-out-of-sql-server-2016\/?wt.mc_id=WW_CE_DM_OO_BLOG_NONE\">SQL Server 2016 blogging series<\/a>.<\/p>\n<p><a href=\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2016\/03\/DPI-Blog_RC_Button1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-14851\" src=\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2016\/03\/DPI-Blog_RC_Button1.png\" alt=\"Try SQL Server 2016 RC\" width=\"300\" height=\"57\" \/><\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>To satisfy compliance standards, internal regulations or basic security principles, applications often need to limit a user&#8217;s access to only certain rows of data in a database. For example: An oil and gas exploration application might restrict an analyst&#8217;s access to well production data based on the analyst\u2019s region and role. A healthcare application might<\/p>\n","protected":false},"author":1457,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"post_tag":[],"product":[5227,2403],"content-type":[2424],"topic":[],"coauthors":[],"class_list":["post-14791","post","type-post","status-publish","format-standard","hentry","product-sql","product-sql-server-2016","content-type-best-practices","review-flag-new-1593580247-437"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Limiting access to data using Row-Level Security - Microsoft SQL Server Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Limiting access to data using Row-Level Security - Microsoft SQL Server Blog\" \/>\n<meta property=\"og:description\" content=\"To satisfy compliance standards, internal regulations or basic security principles, applications often need to limit a user&#8217;s access to only certain rows of data in a database. For example: An oil and gas exploration application might restrict an analyst&#8217;s access to well production data based on the analyst\u2019s region and role. A healthcare application might\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft SQL Server Blog\" \/>\n<meta property=\"article:publisher\" content=\"http:\/\/www.facebook.com\/sqlserver\" \/>\n<meta property=\"article:published_time\" content=\"2016-01-21T17:30:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-23T06:52:25+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png\" \/>\n<meta name=\"author\" content=\"SQL Server Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@SQLServer\" \/>\n<meta name=\"twitter:site\" content=\"@SQLServer\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"SQL Server Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 min read\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/author\/sql-server-team\/\",\"@type\":\"Person\",\"@name\":\"SQL Server Team\"}],\"headline\":\"Limiting access to data using Row-Level Security\",\"datePublished\":\"2016-01-21T17:30:00+00:00\",\"dateModified\":\"2024-01-23T06:52:25+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/\"},\"wordCount\":797,\"commentCount\":1,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png\",\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/\",\"name\":\"Limiting access to data using Row-Level Security - Microsoft SQL Server Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png\",\"datePublished\":\"2016-01-21T17:30:00+00:00\",\"dateModified\":\"2024-01-23T06:52:25+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Limiting access to data using Row-Level Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/\",\"name\":\"Microsoft SQL Server Blog\",\"description\":\"Official News from Microsoft\u2019s Information Platform\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#organization\",\"name\":\"Microsoft SQL Server Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png\",\"width\":259,\"height\":194,\"caption\":\"Microsoft SQL Server Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"http:\/\/www.facebook.com\/sqlserver\",\"https:\/\/x.com\/SQLServer\",\"https:\/\/www.youtube.com\/user\/MSCloudOS\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Limiting access to data using Row-Level Security - Microsoft SQL Server Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/","og_locale":"en_US","og_type":"article","og_title":"Limiting access to data using Row-Level Security - Microsoft SQL Server Blog","og_description":"To satisfy compliance standards, internal regulations or basic security principles, applications often need to limit a user&#8217;s access to only certain rows of data in a database. For example: An oil and gas exploration application might restrict an analyst&#8217;s access to well production data based on the analyst\u2019s region and role. A healthcare application might","og_url":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/","og_site_name":"Microsoft SQL Server Blog","article_publisher":"http:\/\/www.facebook.com\/sqlserver","article_published_time":"2016-01-21T17:30:00+00:00","article_modified_time":"2024-01-23T06:52:25+00:00","og_image":[{"url":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png"}],"author":"SQL Server Team","twitter_card":"summary_large_image","twitter_creator":"@SQLServer","twitter_site":"@SQLServer","twitter_misc":{"Written by":"SQL Server Team","Est. reading time":"3 min read"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/author\/sql-server-team\/","@type":"Person","@name":"SQL Server Team"}],"headline":"Limiting access to data using Row-Level Security","datePublished":"2016-01-21T17:30:00+00:00","dateModified":"2024-01-23T06:52:25+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/"},"wordCount":797,"commentCount":1,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png","inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/","url":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/","name":"Limiting access to data using Row-Level Security - Microsoft SQL Server Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png","datePublished":"2016-01-21T17:30:00+00:00","dateModified":"2024-01-23T06:52:25+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2018\/03\/RLS20Diagram.png"},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/2016\/01\/21\/limiting-access-to-data-using-row-level-security\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/"},{"@type":"ListItem","position":2,"name":"Limiting access to data using Row-Level Security"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/","name":"Microsoft SQL Server Blog","description":"Official News from Microsoft\u2019s Information Platform","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#organization","name":"Microsoft SQL Server Blog","url":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-content\/uploads\/2019\/08\/Microsoft-Logo.png","width":259,"height":194,"caption":"Microsoft SQL Server Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/#\/schema\/logo\/image\/"},"sameAs":["http:\/\/www.facebook.com\/sqlserver","https:\/\/x.com\/SQLServer","https:\/\/www.youtube.com\/user\/MSCloudOS"]}]}},"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/posts\/14791"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/users\/1457"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/comments?post=14791"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/posts\/14791\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/media?parent=14791"}],"wp:term":[{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/post_tag?post=14791"},{"taxonomy":"product","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/product?post=14791"},{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/content-type?post=14791"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/topic?post=14791"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/sql-server\/blog\/wp-json\/wp\/v2\/coauthors?post=14791"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}