%3CLINGO-SUB%20id%3D%22lingo-sub-1657451%22%20slang%3D%22en-US%22%3ELesson%20Learned%20%23135%3A%20Row%20Level%20Security%20based%20on%20Is_RoleMember%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-1657451%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EToday%2C%20I%20worked%20on%20a%20service%20request%20that%20our%20customer%20needs%20to%20avoid%20that%20some%20users%20could%20retrieve%20some%20rows%20depending%20on%20a%20specific%20role.%20In%20this%20situation%2C%20we%20are%20going%20to%20use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Ffunctions%2Fis-rolemember-transact-sql%3Fview%3Dsql-server-ver15%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EIs_RoleMember%3C%2FA%3E%20function%3C%2FSPAN%3E%3CSPAN%3E.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EFor%20example%2C%20we%20have%20an%20Azure%20Active%20Directory%20group%20called%20MyAADGroup%20that%20contains%20all%20the%20users%20that%20we%20will%20have%20access%20to%20the%20data.%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E1)%20We%20are%20going%20to%20create%20the%20group%20in%20Azure%20SQL%20Database%2C%20running%20the%20following%20query%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3ECREATE%20USER%20%5BMyAADGroup%5D%20FROM%20EXTERNAL%20PROVIDER%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E2)%20We're%20going%20to%20create%20the%20role%2C%20for%20example%2C%20auditors%20that%20will%20assign%20to%20the%20group%20MyAADGroup%2C%20running%20the%20following%20command%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3Esp_addrolemember%20'auditors'%2C'MyAADGroup'%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E3)%20The%20next%20step%2C%20would%20be%20to%20create%20the%20security%20function%2C%20running%20the%20following%20command%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3ECREATE%20or%20alter%20Function%20%5Bdbo%5D.%5Bfn_securitypredicateOrder%5D%20(%40UserName%20sysname)%0Areturns%20table%0Awith%20Schemabinding%0Aas%0Areturn%20select%201%20as%20%5Bfn_securityPredicateOrder_result%5D%20where%20IS_ROLEMEMBER('auditors')%3D1%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSTRONG%3E4)%20Finally%2C%20we%20need%20to%20create%20the%20security%20policy%20running%20the%20following%20command%3A%3C%2FSTRONG%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CPRE%20class%3D%22lia-code-sample%20language-sql%22%3E%3CCODE%3Ecreate%20security%20Policy%20fn_securitydata%0Aadd%20Filter%20Predicate%0Adbo.fn_securitypredicateOrder(suser_name())%0Aon%20MyTableDummy%3C%2FCODE%3E%3C%2FPRE%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3E%3CSPAN%3EEnjoy!%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-1657451%22%20slang%3D%22en-US%22%3E%3CP%3E%3CSPAN%3EToday%2C%20I%20worked%20on%20a%20service%20request%20that%20our%20customer%20needs%20to%20avoid%20that%20some%20users%20could%20retrieve%20some%20rows%20depending%20on%20a%20specific%20role.%20In%20this%20situation%2C%20we%20are%20going%20to%20use%20%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fsql%2Ft-sql%2Ffunctions%2Fis-rolemember-transact-sql%3Fview%3Dsql-server-ver15%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EIs_RoleMember%3C%2FA%3E%20function%3C%2FSPAN%3E%3CSPAN%3E.%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-TEASER%3E

Today, I worked on a service request that our customer needs to avoid that some users could retrieve some rows depending on a specific role. In this situation, we are going to use Is_RoleMember function

 

For example, we have an Azure Active Directory group called MyAADGroup that contains all the users that we will have access to the data.

 

1) We are going to create the group in Azure SQL Database, running the following query:

 

 

 

CREATE USER [MyAADGroup] FROM EXTERNAL PROVIDER

 

 

 

2) We're going to create the role, for example, auditors that will assign to the group MyAADGroup, running the following command:

 

 

sp_addrolemember 'auditors','MyAADGroup'

 

 

 

3) The next step, would be to create the security function, running the following command:

 

 

CREATE or alter Function [dbo].[fn_securitypredicateOrder] (@UserName sysname)
returns table
with Schemabinding
as
return select 1 as [fn_securityPredicateOrder_result] where IS_ROLEMEMBER('auditors')=1

 

 

 

4) Finally, we need to create the security policy running the following command:

 

 

create security Policy fn_securitydata
add Filter Predicate
dbo.fn_securitypredicateOrder(suser_name())
on MyTableDummy

 

 

 

Enjoy!