stackoom
  简体   繁体   中英

How to do row-level security allowing multiple accessId to match the row's id in SQL Server?

 原文  2022-08-23 05:02:16       sql/ sql-server/ predicate/ sql-function/ row-level-security

Question

I use a function as BLOCK and FILTER PREDICATE in order to implement row-level security.

CREATE FUNCTION [dbo].[AccessPredicate] 
    (@accessId int)
RETURNS TABLE
WITH SCHEMABINDING
AS
    RETURN 
        SELECT 1 AS AccessPredicateResult
        WHERE @accessId = CAST(SESSION_CONTEXT(N'accessId ') AS int)

I now need to modify the session context variable to hold any number of accessId. Since it is a SQL_VARIANT type, I cannot use a TABLE variable or custom one. I resorted to a CSV list as NVARCHAR , eg 1,2,3

That means I need to update the SELECT query in my function to do a 'WHERE @accessId IN (...)'. Of course I can't just

SELECT 1 AS AccessPredicateResult
WHERE @accessId IN (CAST(SESSION_CONTEXT(N'accessId ') AS VARCHAR)) -- where accessId = '1,2,3'

Without liking the implications, I tried to do that by putting the whole query into a @sql VARCHAR variable and then EXEC sp_executesql @sql but that failed because SQL Server cannot have a DECLARE in a table valued function (for whatever reason?.). Neither does the table valued function allow EXEC a stored procedure as far as my research suggests.

I'm blocked by this, can't think of a way to do this now.

So I've got the allowed accessId in my C# code and somehow need to persist them in the session context (or are there other, well performing, methods?) so that my predicate can use it to confirm the row in question is accessible. What's the best way forward now?

Thanks

1 answers

solution1
 0  2022-08-23 20:46:58

You can use STRING_SPLIT in a subquery

CREATE OR ALTER FUNCTION dbo.AccessPredicate
    (@accessId int)
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN
SELECT 1 AS AccessPredicateResult
WHERE @accessId IN (
    SELECT s.value
    FROM STRING_SPLIT(CAST(SESSION_CONTEXT(N'accessId') AS varchar(4000)), ',')
);

I warn you though, that RLS is not foolproof security, and can be circumvented by a uer able to craft custom queries.

As a side note: Why does SQL Server not allow variables or EXEC in functions?

EXEC is not allowed because a function must not be side-affecting.

Furthermore, an inline table function must be a single statement, therefore it makes no sense to DECLARE variables. It is effectively a parameterized view, and functions that way as far as the compiler is concerned.

If you do need to "declare" variables, you can use a VALUES virual table, along with CROSS APPLY . FOr example:

CREATE OR ALTER FUNCTION dbo.AccessPredicate
    (@accessId int)
RETURNS TABLE
WITH SCHEMABINDING
AS RETURN
SELECT c2.Calc2 AS AccessPredicateResult
FROM (VALUES(
    SomeCalculationHere
)) AS c1(Calc1)
CROSS APPLY (VALUES(
    SomeFunction(c1.Calc1)
)) AS c2(Calc2);

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question SQL Row-Level Security multiple users and for sysadmin SQL Server row-level security without username in data How to implement row-level security in Java? Row-Level Security Predicate Filter How avoid row-level locking in PL/SQL How do I get row id of a row in sql server Export data with phpmyadmin, ordered on row-level What is a difference between BEFORE and AFTER dml operations ? (Row-Level Security) SQL Server 2016 with Row Level Security - Addressing the Bottleneck Row Level Security with multiple users for one row
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM