Daily Coping 9 Nov 2021

Posted on November 9, 2021 by way0utwest

I started to add a daily coping tip to the SQLServerCentral newsletter and to the Community Circle, which is helping me deal with the issues in the world. I’m adding my responses for each day here. All my coping tips are under this tag.

Today’s tip is to respond to a difficult situation in a new way.

My winch broke. One of the rollers broke, but the wire was also wound in a strange way, which allows the door enough, but it’s a mess.

This means I have to take things apart, futz with the wire, which sometimes has metal bits hanging off, reassemble it, get back mounted, test, etc. In other words, it’s a decent part of a day, plus some parts.

I got mad a few times with the staff doing the work (others and my kids), because they weren’t really paying attention. I decided to not get upset, or even vent to my wife. Instead, I ordered a new roller, and a new mount to experiment. I used this as an opportunity to try something better, and just allocated some time out of my week to get this fixed.

Once I changed my attitude, things went smoother. Maybe I can “helper-proof” things this time.

Posted in Blog | Tagged , , | Comments Off on Daily Coping 9 Nov 2021

T-SQL Tuesday #144–Data Governance

Posted on November 9, 2021 by way0utwest

tsqltuesdayThis month’s topic is something I wouldn’t have considered a decade ago. Especially in the US, this isn’t something that I’d actually have cared about for most of my career. Even when companies talked about governance, it was more a checkbox exercise.

Dr. Victoria Holt brings us this invitation from the UK, and I think it’s a great one. This is a data topic that will impact more and more of us in the future. Not all of us, but certainly plenty of us.

If you haven’t thought about this topic, I’d urge you to write something, even if it’s a view that this isn’t necessary. Share your thoughts, this month or in the future.

Data Governance Effort

My employer, Redgate Software, has been interested in this for a number of years. We are a UK company, and when the GDPR passed, we knew this would be a concern for us and our customers.

We built a product to help customers classify and understand their exposure in databases. I hope this expands out to other sources, because I feel this is a constant challenge. While lots of data is in database, we are constantly pulling it out and sharing it in files, reports, and more.

Security is hard, and I don’t know that we’ll end up completely controlling the access and data, but I do think that we need to understand where our risk and exposure are as we share data.

This is a hard job, and a boring one. I can’t see many people enjoying the process of dealing with data governance. We need to make this easy to do, in a distributed fashion by many people as they notice something is not being managed. At the same time, I think that we need to be regularly reviewing and examining security against policies. We have far too many public access points being used to share information when things should be secured.

I don’t know how we reconcile those things, and decide on the value of doing them. Some products may work well, some I think are too targeted, and some too expensive.

I believe data governance matters, but not sure how we actually get to a place that it’s well done in many organizations. Especially in the US.

I hope I’m wrong.

Posted in Blog | Tagged , , | Comments Off on T-SQL Tuesday #144–Data Governance

Row-Level Security Basics–#SQLNewBlogger

Posted on November 8, 2021 by way0utwest

Another post for me that is simple and hopefully serves as an example for people trying to get blogging as #SQLNewBloggers.

I realized recently that I hadn’t really blogged about Row-Level Security, so this post covers some of the things I know at a high level.

What is Row-Level Security?

This was a feature added to SQL Server in SQL Server 2016 that makes it easy to grant access to rows of data based on some characteristic of a user. At a high level, this means:

  • I have something that segregates rows of data, like a CustomerID as a column in an Orders table.
  • I want a customer to only be able to view their orders, those associated with their customer ID.
  • This has to work, even if they didn’t use a WHERE clause and did a SELECT *.
  • In this case, a user for CustomerID 4 would only see Orders that had CustomerID=4 in those rows.

We used to be able to do this with views, but this was cumbersome, and it was obfuscation. There was no security mechanism that actually ensured a user logged in wouldn’t see other rows.

Row-Level Security

This was a first class security mechanism that uses security policies and functions to control access. The way this works is as follows.

We create a function that is a table-valued function which takes a parameter(s) from a column(s) and returns a 1 if the user should view a row. In this case, we would use a WHERE clause in the query in the function that looks for Orders.CustomerID = @CustomerID.

We bind this function in a security policy that binds the function to the table, and specifies the column (or columns) used as parameters to the function. We also specify the predicate involved. There are two types:

  • Filter predicates – limit read access
  • Blog predicates – limit write (insert/update/delete) access

We give permissions to the function to users.

Does it Work?

Yes. It works very well from a security standpoint. Since we are tying this to users or logins, the performance of determining if the user or login has access can be slow. The IS_ROLEMEMBER() and similar functions are not super efficient and you can have performance issues across millions of rows.

However, it works.

I’ll write more in the future on the details.

SQL New Blogger

I was watching a presentation recently on this topic. I’ve written about this for SQL Server Central, but when I checked, I hadn’t really done much blogging on it.

Here I’m re-using knowledge, but in a basic way. I took 15 minutes to write a high level description. I’ll do a few more posts that demo setting this up for reads, one for writes, maybe one to get around how this might have a hole for security purposes. At least 3 more posts.

You could learn this and blog 3-4 times about what you learn and how to set up it up situations.

Posted in Blog | Tagged , , , | Comments Off on Row-Level Security Basics–#SQLNewBlogger

Daily Coping 8 Nov 2021

Posted on November 8, 2021 by way0utwest

I started to add a daily coping tip to the SQLServerCentral newsletter and to the Community Circle, which is helping me deal with the issues in the world. I’m adding my responses for each day here. All my coping tips are under this tag.

Today’s tip is to make a list of new things you want to do before the year ends.

What do I want to do?

  • First, get the grass cut. I got some more done this weekend, but need to get out there for about 10 more hours.
  • Finishing learning Tears in Heaven on guitar. I got partway through and moved on to a few other things, but I want to finish this one.
  • More guitar. I’ve got a lot of partial songs, but I realize I need to pick one and focus for a week or two and then move on. I’d like to aim for 4 completions by Dec 31
  • Go snowboarding. I want to do this. It’s not a goal, but I’m hoping the snow looks good enough.
  • See a live movie – I miss doing this with my wife
  • Get some auto maintenance done. No, not the Tesla, the other things with oil here.
  • Convince a few people to plan a 2022 SQL Saturday – definitely on my mind more after Orlando
  • Go eat sushi – live
  • Have lunch with a few friends. I’ve neglected this lately with a busy schedule.

There are certainly things I need to do, and plenty of chores, but these are more items I’d like to work on for myself.

Posted in Blog | Tagged , , | Comments Off on Daily Coping 8 Nov 2021