SQL-Server-Course/18_RLS.sql at master · aminmesbahi/SQL-Server-Course · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
/**************************************************************
 * SQL Server 2022 Row-Level Security (RLS) Tutorial
 * Description: This script demonstrates how to implement row-level
 *              security using a security policy and a predicate
 *              function in SQL Server. It covers:
 *              - Creating a sample table and inserting data.
 *              - Creating a security predicate function.
 *              - Creating a security policy to filter rows.
 *              - Testing row-level security using SESSION_CONTEXT.
 *              - Enabling/disabling and cleaning up the security policy.
 **************************************************************/

-------------------------------------------------
-- Region: 0. Initialization
-------------------------------------------------
/*
  Ensure that the target database is being used.
*/
USE TestDB;
GO

-------------------------------------------------
-- Region: 1. Creating Sample Table and Inserting Data
-------------------------------------------------
/*
  1.1 Create a sample Orders table to demonstrate RLS.
*/
IF OBJECT_ID(N'dbo.Orders', N'U') IS NOT NULL
    DROP TABLE dbo.Orders;
GO

CREATE TABLE dbo.Orders
(
    OrderID INT PRIMARY KEY,
    CustomerID INT,
    OrderDate DATE,
    Amount DECIMAL(10, 2)
);
GO

/*
  1.2 Insert sample orders into the Orders table.
*/
INSERT INTO dbo.Orders (OrderID, CustomerID, OrderDate, Amount)
VALUES
    (1, 1, '2023-01-01', 100.00),
    (2, 2, '2023-01-02', 150.00),
    (3, 1, '2023-01-03', 200.00),
    (4, 3, '2023-01-04', 250.00),
    (5, 2, '2023-01-05', 300.00);
GO

-------------------------------------------------
-- Region: 2. Implementing Row-Level Security
-------------------------------------------------
/*
  2.1 Create a security predicate function.
       This function filters rows based on the CustomerID value
       stored in the SESSION_CONTEXT.
*/
IF OBJECT_ID(N'dbo.fn_SecurityPredicate', N'IF') IS NOT NULL
    DROP FUNCTION dbo.fn_SecurityPredicate;
GO

CREATE FUNCTION dbo.fn_SecurityPredicate(@CustomerID INT)
RETURNS TABLE
WITH SCHEMABINDING
AS
RETURN
    SELECT 1 AS fn_SecurityPredicateResult
    WHERE @CustomerID = CAST(SESSION_CONTEXT(N'CustomerID') AS INT);
GO

/*
  2.2 Create a security policy using the predicate function.
       This policy will filter rows in the Orders table.
*/
IF EXISTS (SELECT * FROM sys.security_policies WHERE name = 'dbo.OrderSecurityPolicy')
    DROP SECURITY POLICY dbo.OrderSecurityPolicy;
GO

CREATE SECURITY POLICY dbo.OrderSecurityPolicy
ADD FILTER PREDICATE dbo.fn_SecurityPredicate(CustomerID) ON dbo.Orders
WITH (STATE = ON);
GO

-------------------------------------------------
-- Region: 3. Testing Row-Level Security
-------------------------------------------------
/*
  3.1 Set SESSION_CONTEXT for CustomerID = 1 and query the Orders table.
*/
EXEC sp_set_session_context @key = N'CustomerID', @value = 1;
GO

SELECT * FROM dbo.Orders;
GO

/*
  3.2 Set SESSION_CONTEXT for CustomerID = 2 and query the Orders table.
*/
EXEC sp_set_session_context @key = N'CustomerID', @value = 2;
GO

SELECT * FROM dbo.Orders;
GO

/*
  3.3 Set SESSION_CONTEXT for CustomerID = 3 and query the Orders table.
*/
EXEC sp_set_session_context @key = N'CustomerID', @value = 3;
GO

SELECT * FROM dbo.Orders;
GO

-------------------------------------------------
-- Region: 4. Managing the Security Policy
-------------------------------------------------
/*
  4.1 Disable the security policy.
*/
ALTER SECURITY POLICY dbo.OrderSecurityPolicy
WITH (STATE = OFF);
GO

/*
  4.2 Query the Orders table without the security policy in effect.
*/
SELECT * FROM dbo.Orders;
GO

/*
  4.3 Re-enable the security policy.
*/
ALTER SECURITY POLICY dbo.OrderSecurityPolicy
WITH (STATE = ON);
GO

-------------------------------------------------
-- Region: 5. Cleanup
-------------------------------------------------
/*
  5.1 Drop the security policy.
*/
DROP SECURITY POLICY dbo.OrderSecurityPolicy;
GO

/*
  5.2 Drop the security predicate function.
*/
DROP FUNCTION dbo.fn_SecurityPredicate;
GO

/*
  5.3 Drop the sample Orders table.
*/
DROP TABLE dbo.Orders;
GO

-------------------------------------------------
-- Region: End of Script
-------------------------------------------------