github/sql-server-samples
1
0
Fork 0
mirror of https://github.com/Microsoft/sql-server-samples.git synced 2025-12-08 14:58:54 +00:00
Code Issues Releases Wiki Activity
Files
1aa379112300fe5a3fdeb452e3ee9b09f3835c1c
sql-server-samples/samples/demos/belgrade-product-catalog-demo/sql-scripts/6 rls.sql
Perry Skountrianos - MSFT 12087926ee Admin:Renaming folders to lower case
2017-02-02 13:46:51 -08:00

61 lines
1.4 KiB
Transact-SQL
Raw Blame History

DROP SECURITY POLICY IF EXISTS dbo.ClientAccessPolicy
GO
DROP FUNCTION IF EXISTS dbo.pUserCanAccessCompanyData
GO
CREATE FUNCTION
dbo.pUserCanAccessCompanyData(@CompanyID int)
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN (
SELECT 1 as canAccess WHERE
SESSION_CONTEXT(N'CompanyID') = '-1'
OR CAST(SESSION_CONTEXT(N'CompanyID') as int) = @CompanyID)
GO
/*
TRY IT:
EXEC sp_set_session_context 'CompanyID', '-1'
select SESSION_CONTEXT(N'CompanyID')
SELECT * FROM dbo.pUserCanAccessCompanyData(1)
*/
CREATE SECURITY POLICY dbo.ClientAccessPolicy
ADD FILTER PREDICATE dbo.pUserCanAccessCompanyData(CompanyID) ON dbo.Product
WITH (State=ON)
GO
/*
EXEC sp_set_session_context 'CompanyID', '-1'
SELECT * FROM Product
EXEC sp_set_session_context 'CompanyID', 1
SELECT * FROM Product
EXEC sp_set_session_context 'CompanyID', 2
SELECT * FROM Product
EXEC sp_set_session_context 'CompanyID', 777
SELECT * FROM Product
*/
-- Add RLS on history data
ALTER SECURITY POLICY dbo.ClientAccessPolicy
ADD FILTER PREDICATE dbo.pUserCanAccessCompanyData(CompanyID) ON History.Product
GO
/*
Don't allow company to enter a product for different company.
*/
ALTER SECURITY POLICY dbo.ClientAccessPolicy
ADD BLOCK PREDICATE dbo.pUserCanAccessCompanyData(CompanyID) ON dbo.Product
GO
/*
Don't show other companies to current company.
*/
ALTER SECURITY POLICY dbo.ClientAccessPolicy
ADD FILTER PREDICATE dbo.pUserCanAccessCompanyData(CompanyID) ON dbo.Company
GO
Reference in New Issue View Git Blame Copy Permalink