Row-Level Security announced for Azure SQL Database

Similar Messages

• Implement row-level security using Oracleu2019s Virtual Private Databases (VPD)

  Environment: Business Objects XI R2; Oracle 10g
  Functional Requirement:
  Implement row-level security using Oracleu2019s Virtual Private Databases (VPD) technology. The restriction is that the Business Objects Universe connection should use a generic/u201Capplicationu201D database user account. This will allow the organization to avoid the situation where the Business Objects password and the Oracle password need to be kept in synch.
  What do we need from the Business Objects support team?
  1.     Review the 2 attempted solutions that we have tried to implement
  2.     Propose solutions/answers to open questions for each of the attempted solutions
  3.     Propose any alternate solution that will help us implement the Function Requirement stated above
  Attempted Solution 1: Connection String uses Oracle Proxy User
  The connection string that is specified in the Universe is the following:
  app_user[end_user]/app_user_pwdarrobaDatabase.WORLD
  app_user = generic application user
  end_user = the oracle account of the end user which is set using arrobaVariable('BOUSER') app_user_pwd = password of the generic application user
  We have tried and implemented this in our test environment. However, we have some questions and concerns around how the connections are reused in a connection pool environment.
  Open Question for Solution 1:
  i. What happens when multiple proxy users try to connect on at the same time?  Business Objects shares the generic app_user connect string.  However, every user that logs on will have their own unique proxy user credentials.  Will there be any contention involved?  If so, what kind of errors can we expect?
  ii. If a user logs on using his credentials (proxy user), and business objects opens up a connection to the database using that user's credentials (as the proxy user but logging in through the generic app user). Then the user exits out --> based on our test today, it seems like the database connection remains open.  In that case, if another user logs on similarly with their credentials, will business objects simply assign the first users connection to that second user?  If so, then our security will not work.  Is there a way that Business Objects can somehow ensure that everytime we close a report, the connection is also terminated both at the BO and DB levels?
  iii. Our 3rd question is general high level -> How connection pooling works in general and how it is implemented in BO, i.e. how are new connections assigned, how are they recycled, how are they closed, etc.
  Attempted Solution 2: Using the ConnectInit parameter
  Reading through a couple of the Business Objects documents, it states that u201CUsing the ConnectInit parameter it is possible to send commands to the database when opening the session which can be used to set database specific parameters used for optimization.u201D
  Therefore, we tried to set the parameter in the Universe using several different options:
  ConnectInit = BEGIN SYSTEM.prc_logon('arrobaVARIABLE('BOUSER')'); COMMIT; END; ConnectInit = BEGIN DBMS_SESSION.SET_IDENTIFIER('arrobaVariable('BOUSER')'); COMMIT; END;
  Neither of the above iterations or any variation of that seemed to work. It seems that the variable is not being set or being u201Cexecutedu201D on the database.
  One of the Business Objects documents had stated that Patch ID 38, 977, 350 must be installed in our BO environments. We have verified that this patch has been applied on our system.
  Open Questions for Solution 2:
  How do we get the parameter ConnectInit to work? i.e. what is the proper syntax to enter and what other things do we need to check to get this to work.
  Note: Arroba word is being used instead of the symbol in order to avoid following error message:
  We are sorry but your message can not be posted since you have included an email address. Please remove the email address and re-post.

  the connectinit setting should look something like this:
  declare a date; begin vpd_setup('@VARIABLE('BOUSER')'); Commit; end;
  The vpd_setup procedure (in Oracle) should look like this:
  CREATE OR REPLACE procedure vpd_setup (p_user varchar)IS
  BEGIN
    DBMS_SESSION.set_vpd( 'SESSION_VALUES', 'USERID', p_user );
  END vpd_setup;
  Then you can retrieve the value of the context variable in your vpd functions
  and set the vpd.

• Timeplan for Azure SQL Database v12

  When will Azure SQL Database v12 be released for production usage?
  Nitramafve

  Hello,
  The official announcements on dates should appear here:
  http://azure.microsoft.com/blog/topics/database/ 
  Stay tuned for the updates. We cannot share dates on this forum prior to official announcements.
  The V12 is in public preview and we stand behind it. If it helps ease any concerns - internally we already run a number of production workloads on this platform.
  Regards,
  Boris.
  Boris Baryshnikov, Azure SQL Database

• Contained Database Users are now available in Azure SQL Database Update preview

  Contained Database Users should be of particular help for people migrating to Azure SQL Database. At the moment, this is a preview release but you can start testing. Here is the announcement of the
  preview with links to more information.
  New SQL Database public preview with new Standard-tier performance level
  Previously announced in November 2014 and now available for customers to try, the
  new
  public preview of SQL Database improves the compatibility of SQL Server applications for Azure SQL Database. Details of this preview are available on the
  SQL
  Database documentation webpage, including the following key enhancements: easier management of large databases to support heavier workloads with parallel queries
  and online indexing, support for programmability functions like CLR and XML index to support more robust application design, improved monitoring and troubleshooting with XEvents and 100 new Dynamic Management Views (DMV), and more performance in the Premium
  tier.
  To try this preview, please sign up via the Preview
  features webpage. Only SQL Database servers with a mix of one or more Basic, Standard, or Premium (not Web or Business) databases are compatible and eligible to
  upgrade to the preview. Please note that any move of an existing Basic, Standard, or Premium database into this preview is irreversible; we recommend that you create a database copy or leverage test databases on any server enrolled in this preview.
  A new Standard-tier performance level, S3, is also available in this preview which gives you more pricing flexibility between Standard and Premium. S3 will deliver 100 Database Throughput Units (DTU) and all the features available in the Standard tier. Please
  note that S3 will appear on your bill as a multiple of S2 until further notice.
  For more information, please visit the SQL
  Database webpage and the
  Microsoft
  Azure Blog. For a comprehensive look at pricing, please visit the
  SQL
  Database pricing webpage.
  Rick Byham, Microsoft, SQL Server Books Online, Implies no warranty

  Hello Rick
  That is great, one thing I'd like to ask, does it support SSMS,SSDT?
  No sign of that yet, that I’ve seen.....
  Best Regards,Uri Dimant SQL Server MVP,
  http://sqlblog.com/blogs/uri_dimant/
  MS SQL optimization: MS SQL Development and Optimization
  MS SQL Consulting:
  Large scale of database and data cleansing
  Remote DBA Services:
  Improves MS SQL Database Performance
  SQL Server Integration Services:
  Business Intelligence

• Setting up Row Level Security in EPM 11.1.1.3

  I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
  i) Enable row level security in Workspace.
  Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
  Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
  Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
  Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
  Any log I can inspect for the connectivity error?
  ii) Configure Row Level Security setting
  I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
  thank you very much.

  I have been following the Administration guide but failed to setup row level security in EPM 11.1. Please advise which part of my steps are wrong. (note I am using MS SQL Server for the EPM Shared Services and Workspace database, everything under Windows env)
  i) Enable row level security in Workspace.
  Step 1) Define a ODBC Data Source named "EPM_WS" in Windows. The ODBC Data Source points to the MS SQL Server database of EPM Workspace since it contains the 3 tables (BRIOSECG, BRIOSECP, BRIOSECR) related to row-level-security.
  Step 2) Login to workspace, select "Administer"->"Configuration Console". Edit "Interactive Reporting Data Access Services" and add a data source with ODBC->MS SQL Server -> "EPM_WS" as the name of datasource. Restart "Interactive Reporting Data Access Services".
  Step 3) Login to workspace, select "Administer"->"Row Level Security". Check "Enable Row Level Security", Choose ODBC->MS SQL Server-> fill in "EPM_WS" as Data Source Name"-> Provide correct user name and password. Click "Save Properties"
  Step 4) It always prompt "Server error setting the Connectivity. Recommended Action: Logoff and logon again. If problem persists contact your local security administrator."
  Any log I can inspect for the connectivity error?
  ii) Configure Row Level Security setting
  I know that for Hyperion IR, there is a file row_level_security.bqy comes with the installation. User can use this bqy file to configure the actual row level security setting. However, I cannot locate this bqy file in the EPM 11.1 installation. What is the proper step for setting up the row level security configuration?
  thank you very much.

• Azure SQL Database

  Folks,
  Not sure if this is the right forum to ask these questions, I am planning to sign up for Azure SQL Database and VMs. I am trying answers to following. Any information is appreciated.
  What is the reliability measure of the Azure SQL Database. Is it five 9’s ?
  What is the "MAX Worker Threads” performance measure as mentioned here:
  http://msdn.microsoft.com/en-us/library/azure/dn741336.aspx
  Does “MAX session” correspond to maximum number simultaneous of DB JDBC connections.
  Is it tenant based service where multiple tenants are hosted on the Azure database.
  What is the architecture of Azure SQL database, Is it centralized on a single server or over a cluster of machines ?
  What is the high level architecture of the VMs and SQL DB.
  What is the nature, bandwidth and reliability of connectivity between Azure VMs and Azure SQL DB.
  Is this network capacity between VMs and SQL DB shared between multiple tenants.
  How are the SLAs guaranteed (ensured) and throttled/enforced (to curb over-utilization).
  If we horizontly scale Azure VMs to twice number of current VMs, will the temporal locality of the new VMs has lower network performance in terms of latency or bandwidth than the existing VMs.
  Are there any per Azure VM limits on access to Azure SQL DB.
  If for some reason SQL DB crashes experiences, Is the Data recoverable.
  Can the Azure SQL DB be backed up in Azure Cloud/ or Amazon S3
  Thanks,
  Ajay

  Hi Ajay,
  These msdn forums are the actually the best place to ask questions. 
  I guess you have some scenario in back of your mind that makes you ask these questions, if you can share that with us we may better answer your questions instead of giving you information that may not be most usable for you, regardless here it goes.
  I will do my best to answer all your questions
  What is the reliability measure of the Azure SQL Database. Is it five 9’s ?
  VS: It's 4 nines (99.99) The 99.99% uptime SLA applies to Basic, Standard, and Premium service tiers only. 
  SQL Database Web and Business Editions have an established uptime SLA of 99.9%.
  http://azure.microsoft.com/en-us/services/sql-database/
  What is the "MAX Worker Threads” performance measure as mentioned here:
  http://msdn.microsoft.com/en-us/library/azure/dn741336.aspx
  VS: SQL Database governs the limit on the number of concurrent worker threads (requests) to a database. 
  Any database with more than the allowed limit of concurrent requests will receive error 10928, and further requests on this database can be denied.
  http://msdn.microsoft.com/en-us/library/azure/dn338078.aspx
  Does “MAX session” correspond to maximum number simultaneous of DB JDBC connections.
  VS: Yes, SQL Database governs the limit on the number of concurrent sessions that can be established to a database. When concurrent session limit for a database is reached, new connections to the database are denied and user will receive error
  code 10928. However, the existing sessions to the database are not terminated.
  http://msdn.microsoft.com/en-us/library/azure/dn338078.aspx
  Is it tenant based service where multiple tenants are hosted on the Azure database.
  VS: Yes and No, Yes because its offered as SAAS, yes multiple tenants are hosted on Azure DB, but they are isolated and also depends on the tier you choose. SQL Azure is designed for Massive scaling, so if you were worried about slowness due
  to multi tenant hosting, trust me that should last thing to be worried about.
  No, because you can choose to go all the way to premium (now that does not mean you are the only db on the server but its super high performing database out there)
  What is the architecture of Azure SQL database, Is it centralized on a single server or over a cluster of machines ?
  VS: Its hosted in Microsoft Datacenters and offered as a service, although we can go in detail of architecture of SQL Azure but for this set of questions its irrelevant. Performance is massive on SQL Azure, it can be scaled out or scaled down
  on demand.
  What is the high level architecture of the VMs and SQL DB.
  VS: Not following your question here, what is meant by architecture of VM?
  What is the nature, bandwidth and reliability of connectivity between Azure VMs and Azure SQL DB.
  VS: The connectivity in general is great unless you decide to host one service in part of the world and other totally other corner, in that case also I have seen good connectivity between the two given normal latency.
  Is this network capacity between VMs and SQL DB shared between multiple tenants.
  VS: Not following your question in entirty, do you mean network capacity in terms of GB/Sec? if your vm and sql are in same Data Center its the fastest connectivity you can get out there in market on any cloud or for that matter on prem :)
  they apparantely have a faster network in their DC than many giant companies have on prem.
  How are the SLAs guaranteed (ensured) and throttled/enforced (to curb over-utilization).
  VS: MS have protection against many threats, DOS being one of them, Microsoft has done the best job among all the cloud providers out there to inform thier customers about outages, in a recent summit this was also discussed in detail and suggestions
  were made to improve on the portal feature.
  Each time an service goes down its reported on the portal on service health page, they are improving on the SLA breach report, at this moment its part of your invoice. I have personally not seen a single breach on my services, I am actively using Azure for
  last 5+ years.
  If we horizontly scale Azure VMs to twice number of current VMs, will the temporal locality of the new VMs has lower network performance in terms of latency or bandwidth than the existing VMs.
  VS: number of VMs have nothing to do with network performance, keep in mind the fabric underneath is build for massive scale, network performance and latency will vary (they keep improving) if you choose to create your VMs in a different DCs
  then you would come across some latency and that's normal. 
  Are there any per Azure VM limits on access to Azure SQL DB.
  VS: these are not per VM limits, they are driven by MAx_THREAD and MAX_SESSION, please refer to the link above in the question for Max worker thread
  If for some reason SQL DB crashes experiences, Is the Data recoverable.
  VS: I would be careful to answer this, if you choose to use SQL Azure (which is offered as SAAS) then yes MS takes care of data replication to ensure SLA. if you choose to host your own SQL DB on your VM in Azure, MS is not responsible for
  the data recovery, you will have to take care of it (because now you are not talking about PAAS, instead you are going for IAAS)
  Can the Azure SQL DB be backed up in Azure Cloud/ or Amazon S3
  VS: Ofcourse, I am not very familiar with Amazon S3 but i see no reason why it can't be done.
  hope this helps
  Please mark as answered if it helped
  Vishal Narayan Saxena http://twitter.com/vishalishere http://www.ogleogle.com/vishal/

• Dynamically creating policies for Row-level security (RLS)

  Hi everybody,
  I’m looking for suggestions on how to configure Row-level security (RLS).
  I have a large number of tables (about 500) and about 100 database users. Each user must see a portion of the data, filtered on a specific field. The field used to filter the data is a Client Id (let’s assume for simplicity that this field is present in all tables and has the same name everywhere).
  Some users must be able to see just one client, other users must be able to see a group of clients, and some other users must be able to see all the clients. The association between Users and Client Id’s is stored in separate database tables.
  I’d like to avoid having to manually create a policy for each table, so I’m looking for a solution that makes use of pl/sql programs to create policies dynamically.
  Has anybody already implemented anything similar? Can you share your approach? Of course I’m looking for the easiest / most robust / most flexible way to implement this.
  Andrea

  It sounds like you would want a single policy function and that you would then apply that policy function to all 500 tables (at least given the simplifying assumptions you make in your question). If your policy function simply returned the `WHERE` clause
  client_id IN (
      SELECT client_id
        FROM table_mapping_user_to_client
       WHERE user_id = <<something that identifies the current user>> )Then you would simply apply that policy to all the tables
  FOR x IN (SELECT * FROM dba_tables WHERE <<condition to find the 500 tables>>)
  LOOP
    dbms_rls.add_policy(
      x.owner,
      x.table_name,
      'Restrict by client_id', -- name of policy
      <<owner of function above>>,
      <<name of function above>> );
  END LOOP;Justin

• Row Level Security not working for SAP R/3

  Hi Guys
  We have an environment where the details are as mentioned below:
  1. Crystal Reports are created using Open SQL driver to extract data from SAP R/3 using the SAP Integration Kit.
  2. The SAP roles are imported in Business Objects CMC.
  3. Crystal Reports are published on the Enterprise as well.
  3. Authorization objects are created in SAP R/3 and added as required for the row level security as mentioned in the SAP Installation guide as well. The aim is when the user logs into the Infoview and refreshes the report he should only see data that he is meant to so through the authorization objects.The data security works very much fine when the reports are designed directly on the table but when the reports are built on the Business View it doesnt work hence the user is able to see all data.
  Any help in this issue is greatly appreciated.
  Thanks and Regards
  Kamal

  Hi,
  In order for row level security to work for you using the OpenSql driver, you need to configure the Security Definition Editor on your SAP server.  This is a server side tool which the Integration solution for SAP offers as a transport.
  This tool defined which tables are to be restricted based on authorizations.
  However since you are seeing the issue on reports based on Business Views, you need to identify whether the Business View is configured in such a way where the user refreshing the report is based on the user logging into Infoview.  If the connection to your SAP server is always established with the same user when BV is used then you security definition is pointless.
  You can confirm this by tracing your SAP server to identify what user is being used to logon to SAP to refresh the reports.
  thanks
  Mike

• Row Level Security Not working for the ECC table.

  Hi All,
  We have created a crystal report using SQL Driver.
  We have set the row level security on PA0001 table so that we can restrict the query based on Company Code.
  But when I run the report, it bypasses the row level security and gives access.
  Am I missing some configuration?

  Hi Ingo,
  Security is set up using /crystal/rls transaction. A custom auth object is used for checking the company code with a single field "BUKRS".
  This custom auth object is maintained for the PA0001 table.
  This object is added at the role level with the restricted access to the Company Code..

• How to apply row level security against the database administrator

  I would like an advice in applying row level security against the database administrator. We need to prevent DBA from editing data in some table rows or have any indication that data was corrupted.
  There is no problem in viewing the data so we considered one way hash function or digital signature which will be stored in the same table, but we see following disadvantages:
  HASH - DBA may use the same hash function to update the stored data after he changes the sensitive row.
  Digital signature - the is a need to manage and keep the private key in a safe place outside of DB
  Is there additional ways to achieve the aim?

  Does VPD helps to prevent from DBA to edit/view a data in specific rows?Yes.
  If I correctly understand, DBA has full access to security policy used by VPD to control the access and can grant himself privileges that I don't want.You can to define which users can be exempt of the politics, for the context or by Grant EXEMPT.
  This includes DBAs.
  The simple fact of being DBA doesn't guarantee the exemption.
  Everything goes to depend of the VPD config.

• Row level Security for BI Author Role

  Hi All,
  We are using OBIEE 11.1.1.5 in our project. We have a requirement where we need to configure row level security on certain column.
  We are currently using external table and session variable approach to configure this. This security works fine for the users with BI Consumer
  roles. But we are facing issue with configuring row level security for BI Author role.
  BI Author can create any analysis in BI Answers and suppose he/she creates a report which does not contain the column on which row level
  security is applied than he can see all the data. For eg.
  We have one dimension Products having two levels Product Division and Brand. I want to configure security based on Product Division column.
  But if BI Author create a report with only Brand and Measures than row level security is not working.
  Does anyone has face this issue before.
  Please let me know if you want any other information from my side.
  Regards,
  Vikas

  If you are using a multidimensional cube you can use the "permit" command to control access to dimension members or provide cell level security within the cube. The OLAP database documentation provides on how to use the PERMIT command.
  If you are using relational tables and/or views with additional CWM metadata mapped using OEM then you need to refer to the database documentation relating to Virtual Private Databases and Label Security
  Business Intelligence Beans Product Management Team
  Oracle Corporation

• Row-level security at the Database level

  We need Row-level security at the Database level, where the user who logs in to Crystal reports, should be able to fetch only those rows from the database that he is entitled to see. For this, the login name of the user is passed to a stored procedure which sets the context of the DB session and restricts the data retrieved.
  We are not looking for row-level security where the data is first retrieved and then filtered based on the user login name. However, we are definitely looking for a way to set a context for a database session based on the user login name, even before we start fetching data. So effectively, the user who logs in will fetch only those rows which he is supposed to see.
  Issue:
  We face a problem of not being able to pass a variable (something like 'BOUSER' for BO which works, whereas, 'CurrentCEUserName' for Crystal Reports, which doesn't work), to the database stored procedure to set the context.
  Please let us know if we can use 'CurrentCEUserName' variable in Crystal in the same way as 'BOUSER' is used in ConnectInit for BO? We would like to know how we could pass any variable in Crystal Reports which holds the user login information to a stored procedure.
  Also, please suggest alternate ways to achieve this security restriction, if any.

  Hi
  A previous database had a personnel table with their station name, district and region, with a field holding their logon name.  We also had an activity table with the fields referring to the activity, and a field of Station, district and region it occured in.
  By linking the individual rows in an activity table to the personnel table on the station name field, we then used the CurrentCEUserName to filter on the personnel.  This returned only the records in the activity table where the station the activity took place at was the same as the station associated with the selected personnel who has logged on.
  The additional bonus was if we linked it on District or region we had the same result but at a greater level. ie all activity in the logged on personell's District or if linked on region, then their region.
  The personnel table was maintained by the system administrators, so maintenance was low.
  I hope this helps.
  Kevin

• Column masking row level security in Peoplesoft Databases

  Hi
  How about the credibility of using VPD( for column masking,row level security) in People soft Databases?where the sensitive data is redundant across 100's of tables.
  My intention is to use the VPD across all the tables that contain the sensitive data ( ssn,bank accno, etc)
  Appreciate your help.
  Chelli

  Hi.
  I also have a trouble like yours,but mine is more simple.
  I'd tried to solve,and find that it's really hard and must lost a lot of time to solve,because some table have 2,3 or more derive information that to use VPD is not easy.
  Can i ask for any aspect to solve problem like this.
  Thanks for any answer and support.
  Thinhbk.

• Which is better for performance Azure SQL Database or SQL Server in Azure VM?

  Hi,
  We are building an ASP.NET app that will be running on Microsoft Cloud which I think is the new name for Windows Azure. We're expecting this app to have many simultaneous users and want to make sure that we provide excellent performance to end users.
  Here are our main concerns/desires:
  Performance is paramount. Fast response times are very very important
  We want to have as little to do with platform maintenance as possible e.g. managing OS or SQL Server updates, etc.
  We are trying to use "out-of-the-box" standard features.
  With that said, which option would give us the best possible database performance: a SQL Server instance running in a VM on Azure or SQL Server Database as a fully managed service?
  Thanks, Sam

  hello,
  SQL Database using shared resources on the Microsft data centre. Microsoft balance the resource usage of SQL Database so that no one application continuously dominates any resource.You can try the 
  Premium Preview
  for Windows Azure SQL Database which offers better performance by guaranteeing a fixed amount of dedicated resources for a database.
  If you using SQL Server instance running in a VM, you control the operating system and database configuration. And the
  performance of the database depends on many factors such as the size of a virtual machine, and the configuration of the data disks.
  Reference:
  Choosing between SQL Server in Windows Azure VM & Windows Azure SQL Database
  Regards,
  Fanny Liu
  If you have any feedback on our support, please click here. 
  Fanny Liu
  TechNet Community Support

• How to check the row level security in TOAD for oracle

  Hi ,
  for ex, i have 2 types of users
  normal user and super user
  super user can see the group set (some column name) created by normal user
  but normal user can not see the set created by super user
  this set crestion aslso has 3 types "U','P',S'
  P & S can be viewed by even normal user
  but U should not
  so here we are having some row level security for the normal user .....
  So, in TOAD for oracle how to check that......
  Let me know if i'm not clear

  Like
  I'm the super user....
  And some records are inserted to a table by different users ('a' , 'b', etc....)
  So,if user 'a' logins then he can be able to see only the records inserted by 'a' only...
  how to see in TOAD where such type of scripts (filter conditions) are written.....