Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
Use the session context feature of SQL to implement row-level security in Data API builder.
Prerequisites
- Existing SQL server and database.
- Data API builder CLI. Install the CLI
Create SQL table and data
Create a table with fictitious data to use in this example scenario.
Connect to the SQL database using your preferred client or tool.
Create a table named
Revenueswithid,category,revenue, andaccessible_rolecolumns.DROP TABLE IF EXISTS dbo.Revenues; CREATE TABLE dbo.Revenues( id int PRIMARY KEY, category varchar(max) NOT NULL, revenue int, accessible_role varchar(max) NOT NULL ); GOInsert four sample rows into the
Revenuestable.INSERT INTO dbo.Revenues VALUES (1, 'Book', 5000, 'Oscar'), (2, 'Comics', 10000, 'Oscar'), (3, 'Journals', 20000, 'Hannah'), (4, 'Series', 40000, 'Hannah') GOIn this example, the
accessible_rolecolumn stores the role name that can access the row.Test your data with a simple
SELECT *query.SELECT * FROM dbo.RevenuesCreate a function named
RevenuesPredicate. This function will filter results based on the current session context.CREATE FUNCTION dbo.RevenuesPredicate(@accessible_role varchar(max)) RETURNS TABLE WITH SCHEMABINDING AS RETURN SELECT 1 AS fn_securitypredicate_result WHERE @accessible_role = CAST(SESSION_CONTEXT(N'roles') AS varchar(max));Create a security policy named
RevenuesSecurityPolicyusing the function.CREATE SECURITY POLICY dbo.RevenuesSecurityPolicy ADD FILTER PREDICATE dbo.RevenuesPredicate(accessible_role) ON dbo.Revenues;
(Optional) Create a stored procedure
This section shows a simple "hello world" pattern for using session context values directly in T-SQL.
Create a stored procedure that reads the
rolessession context value and uses it to filter results.CREATE OR ALTER PROCEDURE dbo.GetRevenuesForCurrentRole AS BEGIN SET NOCOUNT ON; DECLARE @role varchar(max) = CAST(SESSION_CONTEXT(N'roles') AS varchar(max)); SELECT id, category, revenue, accessible_role FROM dbo.Revenues WHERE accessible_role = @role; END GO
Run tool
Run the Data API builder (DAB) tool to generate a configuration file and a single entity.
Create a new configuration while setting
--set-session-contextto true.dab init \ --database-type mssql \ --connection-string "<sql-connection-string>" \ --set-session-context true \ --auth.provider SimulatorWhen session context is enabled for SQL Server, Data API builder sends authenticated user claims to SQL by calling
sp_set_session_context(for example,roles). Enabling session context also disables response caching for that data source.Add a new entity named
revenuefor thedbo.Revenuestable.dab add revenue \ --source "dbo.Revenues" \ --permissions "Authenticated:read"Start the Data API builder tool.
dab startQuery the endpoint without specifying an effective role. Observe that no data is returned because the effective role defaults to
Authenticated.curl http://localhost:5000/api/revenueQuery the endpoint while setting the effective role to
Oscar. Observe that the filtered results include only theOscarrows.curl -H "X-MS-API-ROLE: Oscar" http://localhost:5000/api/revenueRepeat using the
Hannahrole.curl -H "X-MS-API-ROLE: Hannah" http://localhost:5000/api/revenue
Test in SQL
Test the filter and predicate in SQL directly to ensure it's working.
Connect to the SQL server again using your preferred client or tool.
Run the
sp_set_session_contextto manually set your session context'srolesclaim to the static valueOscar.EXEC sp_set_session_context 'roles', 'Oscar';Run a typical
SELECT *query. Observe that the results are automatically filtered using the predicate.SELECT * FROM dbo.Revenues;(Optional) Query the table using the stored procedure.
EXEC dbo.GetRevenuesForCurrentRole;