Row-level security is database security term which relates to the ability to define and enforce access control logic on rows of data such that a user can only retrieve the rows of data he or she is allowed to view.
Row-level security is database security term which relates to the ability to define and enforce access control logic on rows of data such that a user can only retrieve the rows of data he or she is allowed to view.
Several database vendors provide row-level security mechanisms. For instance:
- Oracle provides Virtual Private Database (VPD), a free feature of the Oracle Enterprise Database.
- MySQL provides fine-grained access control (FGAC). This is further detailed in this 2006 article.
- IBM DB2 provides row/column-level access control (RCAC). This is further detailed in this IBM knowledge base.
- SQL Server and Azure SQL Database provide Row-Level Security (RLS). This is further detailed in the MSDN product documentation.
In row-level security, a user can ask to view a set of data e.g. medical records. The database table (or view) contains a complete set of medical records but only returns those records the user is entitled to view. The authorization is typically driven through the configuration of VPD/RCAC/FGAC or through an access control policy e.g. doctors can view the medical records of patients they are assigned to.
Row-level security is becoming more prevalent with the rise of abac and xacml, technologies that help standardize access control.
An extension of row-level security is the ability to apply cell-level security. This space has been coined as dynamic data masking by Gartner analyst Joseph Feiman (see this report and these videos on data masking).
There are several third party vendor solutions which provide row-level security / dynamic data masking:
- GreenSQL
- Informatica DDM
- Axiomatics Data Access Filter MD
Additional information and vendors are listed on Wikipedia.
