Advertisement
Larnu

RLS Example

Nov 20th, 2023 (edited)
1,564
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
T-SQL 3.17 KB | Source Code | 0 0
  1. USE Sandbox;
  2. Go
  3. /* This Script assumes it is being run as a sysadmin, or at least a db_owner */
  4.  
  5. CREATE USER Jane WITHOUT LOGIN;
  6. CREATE USER John WITHOUT LOGIN;
  7. CREATE USER Sarah WITHOUT LOGIN;
  8. GO
  9.  
  10. CREATE TABLE dbo.SomeTable (SomeID int IDENTITY(1,1),
  11.                             SomeUser sysname NOT NULL,
  12.                             SomeOtherUser sysname NULL,
  13.                             SomeString varchar(3) NULL,
  14.                             SomeDate date);
  15. GO
  16. GRANT SELECT ON dbo.SomeTable TO Jane;
  17. GRANT SELECT ON dbo.SomeTable TO John;
  18. GRANT SELECT ON dbo.SomeTable TO Sarah;
  19. GO
  20. CREATE FUNCTION dbo.tvf_SomeTable_SecPred (@SomeUser sysname, @SomeOtherUser sysname)
  21. RETURNS TABLE
  22. WITH SCHEMABINDING
  23. AS
  24.     RETURN SELECT 1 AS SecPred
  25.     WHERE USER_NAME() IN (@SomeUser,@SomeOtherUser)
  26.        OR USER_NAME() = 'Jane'
  27.        OR USER_NAME() = 'dbo';
  28. GO
  29.  
  30. CREATE SECURITY POLICY SomeFilter
  31. ADD FILTER PREDICATE dbo.tvf_SomeTable_SecPred(SomeUser,SomeOtherUser)
  32. ON dbo.SomeTable
  33. WITH (STATE = ON);
  34. GO
  35.  
  36. INSERT INTO dbo.SomeTable (SomeUser,SomeOtherUser,SomeString,SomeDate)
  37. VALUES('John','Sarah','abc',GETDATE()),
  38.       ('Jim','Sarah','def',GETDATE()),
  39.       ('Jane',NULL,'xyz',GETDATE()),
  40.       ('Sarah','Jane',NULL,GETDATE());
  41. GO
  42.  
  43. SELECT *
  44. FROM dbo.SomeTable;
  45. GO
  46.  
  47. CREATE PROC dbo.SomeProc @SomeUser sysname, @SomeOtherUser sysname = NULL AS
  48. BEGIN
  49.     SELECT SomeID,
  50.            SomeUser,
  51.            SomeOtherUser,
  52.            SomeString,
  53.            SomeDate
  54.     FROM dbo.SomeTable
  55.     WHERE SomeUser = @SomeUser
  56.        OR SomeOtherUser = @SomeOtherUser;
  57. END;
  58. GO
  59. GRANT EXECUTE ON dbo.SomeProc TO Jane;
  60. GRANT EXECUTE ON dbo.SomeProc TO John;
  61. GRANT EXECUTE ON dbo.SomeProc TO Sarah;
  62. GO
  63. SELECT * FROM dbo.SomeTable; --Returns all the rows, dbo is always allowed
  64. EXEC dbo.SomeProc @SomeUser = 'Jim'; --Returns a row, dbo is allowed
  65. EXEC dbo.SomeProc @SomeOtherUser = 'Sarah',@SomeUser = 'Jane'; --Returns 3 rows, dbo is allowed
  66. GO
  67.  
  68. --Try as Jane;
  69. EXECUTE AS USER = 'Jane';
  70. GO
  71. SELECT * FROM dbo.SomeTable; --Returns all the rows, Jane is always allowed
  72. EXEC dbo.SomeProc @SomeUser = 'Jim'; --Returns a row, Jane always allowed
  73. EXEC dbo.SomeProc @SomeOtherUser = 'Sarah',@SomeUser = 'Jane'; --Returns 3 rows, Jane always allowed
  74. GO
  75. REVERT;
  76. GO
  77. --Try as John
  78. EXECUTE AS USER = 'John';
  79. GO
  80. SELECT * FROM dbo.SomeTable; --Returns only rows where John is SomeUser (1 row) (no rows where they are SomeOtherUser)
  81. EXEC dbo.SomeProc @SomeUser = 'Jim'; --Returns no rows, John isn't Jim or Sarah (values of columns on the row)
  82. EXEC dbo.SomeProc @SomeOtherUser = 'Sarah',@SomeUser = 'Jane'; --Returns 1 row, where John is SomeUser
  83. GO
  84. REVERT;
  85. GO
  86.  
  87. --Try as Sarah
  88. EXECUTE AS USER = 'Sarah';
  89. GO
  90. SELECT * FROM dbo.SomeTable; --Returns only rows where Sarah is SomeUser (1 row) or SomeOtherUser (2 rows)
  91. EXEC dbo.SomeProc @SomeUser = 'Jim'; --Returns a row, Sarah is the OtherUser
  92. EXEC dbo.SomeProc @SomeOtherUser = 'Sarah',@SomeUser = 'Jane'; --Returns 2 rows, Sarah is the User
  93. GO
  94. REVERT;
  95.  
  96.  
  97. GO
  98. DROP PROC dbo.SomeProc;
  99. DROP SECURITY POLICY SomeFilter;
  100. DROP TABLE dbo.SomeTable;
  101. DROP FUNCTION dbo.tvf_SomeTable_SecPred;
  102. DROP USER Jane;
  103. DROP USER John;
  104. DROP USER Sarah;
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement