Row Level Security

  • Question

  • Hi,

    I enabled row level security by creating a DH on an entity and specifying for 2 users which members they are allowed to see. When I log in as user A it shows the members it is allowed to see. The user also has permission to create a new member. After creating a new member, it is visible to user A for some time, but after a while (and refreshing the browser) it disappears. It sounds logical because there is no security set on the newly created member.

    What do I have to do to support the scenario that a user only sees the data it is allowed to see (row level security) and that newly created members automatically get the right security settings (e.g. row level security is automatically assigned to newly created members)?

    Q

    Wednesday, October 5, 2016 12:13 PM

Answers

  • Hi Kjoebie,

    According to your description, you are experiencing the issue when implementing row level security for an entity, right?

    If that is the case, you need to make sure that your settings are correct. In MDS row level security is implemented using Hierarchy Member Permissions. Hierarchy member permissions are optional and should be used only when you want a user to have limited access to specific members. If you do not assign permissions on the Hierarchy Members tab, then the user's permissions are based solely on the permissions assigned on the Models tab.

    Reference
    https://technet.microsoft.com/en-us/library/ee633750.aspx?f=255&MSPPError=-2147217396

    Regards,


    Charlie Liao
    TechNet Community Support

    Tuesday, October 18, 2016 5:44 AM
  • Hi Charlie,

    Thanks for your answer! I am afraid that the issue I am experiencing is 'by design'.

    The scenario is that multiple users are editing members on the same entity. The requirement is that each user should only see the members for which they are authorized. This is done by assigning permissions on Hierarchy members. For example, ENT1 has members A, B, C and D. There is a DH on ENT1 1. User1 has permission on members A and B. User2 has permission on members C and D.

    So far so good. But then user1 creates a new member E. The scenario I want to see is that User1 has permission on A, B and E. User2 should only see members C and D. AFAIK I (as an admin) have to assign member E to the DH permissions of user1. As long as I do not do that, the permission on member E is derived from the permissions set in the Models tab. If users have read permission on the entity then all users could see member E, which is not what I want.

    So is it possible to set the permissions correctly that only user1 can see member E without assigning it manually? 

    Thanks.

    Q

    Hi KjoebieQ,

    As far as I think, you need to set entity E for user1 if you need to set this entity only available for user1. If you have any concerns about this feature, you can submit feedback at http://connect.microsoft.com/SQLServer/Feedback and hope it is resolved in the next release of a service pack or product.

    Thank you for your understanding.

    Regards,


    Charlie Liao
    TechNet Community Support

    Friday, October 21, 2016 8:34 AM

All replies

  • Hi Charlie,

    Thanks for your answer! I am afraid that the issue I am experiencing is 'by design'.

    The scenario is that multiple users are editing members on the same entity. The requirement is that each user should only see the members for which they are authorized. This is done by assigning permissions on Hierarchy members. For example, ENT1 has members A, B, C and D. There is a DH on ENT1 1. User1 has permission on members A and B. User2 has permission on members C and D.

    So far so good. But then user1 creates a new member E. The scenario I want to see is that User1 has permission on A, B and E. User2 should only see members C and D. AFAIK I (as an admin) have to assign member E to the DH permissions of user1. As long as I do not do that, the permission on member E is derived from the permissions set in the Models tab. If users have read permission on the entity then all users could see member E, which is not what I want.

    So is it possible to set the permissions correctly that only user1 can see member E without assigning it manually? 

    Thanks.

    Q

    Wednesday, October 19, 2016 10:46 AM