Row Level Security

A SQL Server security feature that restricts which rows a user can read or modify within a table based on the characteristics of the user executing the query, with enforcement handled transparently at the database engine level.

  • Security predicates: Row-Level Security (RLS) uses security predicates, implemented as inline table-valued functions, to filter rows based on user identity, role membership, or session context.
  • Access control: Filter predicates restrict read operations such as SELECT, UPDATE, and DELETE, while block predicates prevent unauthorized write operations on protected rows.
  • Engine-level enforcement: RLS is enforced by the SQL Server storage engine, ensuring that even queries attempting to bypass application-level filters cannot access restricted data.
  • Common use cases: Typical implementations include multi-tenant applications where each customer can only access their own data, regional data segmentation for sales teams, and compliance-driven access control requirements.
  • Performance considerations: Because security predicates are incorporated into every query’s execution plan, complex predicates on large tables may require appropriate indexing to maintain query performance.
  • Related terms: Effective Permissions, Dynamic Data Masking, Active Directory, Compliance.
SQL_Duck

Tired of Slow SQL Servers?

Find the root cause of performance issues in minutes, not hours. SQL Diagnostic Manager gives you real-time visibility and proactive alerts. 

Start your free trial today