Row Level Security for SQL Server 2008

Update to this post from many moons ago!


An important challenge for some public sector developers is providing label-based row level security in database-centric applications.  Such systems require that classified and/or compartmented data be tagged with security labels and that access to data at the row level be mediated by the DBMS based on the permissions of the end user.  These requirements are especially common in military and other security-related
customer environments.

Implementing row level security based on security labels is possible in SQL Server 2008 – but you won’t need separately priced add-on to do it.  A revised whitepaper has just been released by Microsoft detailing a design framework for row (and cell) level security in SQL Server.  This whitepaper is accompanied by a free toolkit on Codeplex, which provides a robust code-gen tool for implementing the framework based on your needs, as well as samples and additional documentation.  Both the whitepaper and the toolkit are revisions to original versions released a few years back (on this very blog).  The new version incorporates lessons learned and streamlines some complex scenarios.  It also removes the requirement to use the SQLCLR – which was an obstacle in some cases – and includes full source for the toolkit.

 Whitepaper:  Implementing Row and Cell Level Security in Classified Databases

Toolkit:  SQL Server Label Security Toolkit


If you’re considering options and/or feasibility for a database design with row level security, a close look at this material is definitely in order.


Comments (6)

  1. Jackx says:

    The short cut to the Implementing Row and Cell Level Security in Classified Databases is not working!

  2. Dwaine says:

    The link offered above by Dooley looks like the original document.  This 8/2011 post (and the code plex site) suggests a "revised" white paper.  Would a PubSec monitor like to comment or point us to the real Doc?

  3. gduncan411 says:

    Brandon M Dooley's link is indeed the older v2005 version. There is indeed a newer version of the document updated for SQL Server 2008 (I have a snapshot of the 2008 version here,…/rowcell-level-security-for-sql-server.html).

    I've pinged this team a couple weeks ago letting them know the above link in the post is bad, but I've not heard anything from them yet…

  4. gduncan411 says:

    Maybe this will help (and maybe get someone angry at me) but I've got a copy of the SQL Server 2008 updated version of document locally and have now just posted that copy to SkyDrive here,

    Hope this helps

  5. Mads Nielsen says:

    You can find the 2012 version of the document here:…/security-and-compliance.aspx