How to check which database roles can see `masked` columns?
07-10-2020
Question
In SQL Server 2016 SP1 Standard Edition we can use dynamic data masking. The masking of data is controlled using the built-in security, for example:
REVOKE UNMASK TO user_who_cannot_see_sensitive_data
Of course, this does not work for users who are members of the db_owner database role.
Is there a list of security roles or cases showing when the REVOKE UNMASK is going to work?
I have found the list of database engine permissions, but it's too complicated and does not seem to show when data cannot be masked from a user.
Solution
A normal query which checks for user permissions seems to do the trick:
-- every database principal, with any permission granted/denied to it
select princ.name
, princ.type_desc
, perm.permission_name        -- e.g. UNMASK, SELECT
, perm.state_desc             -- GRANT / DENY / GRANT_WITH_GRANT_OPTION
, perm.class_desc             -- DATABASE for UNMASK in SQL Server 2016
, object_name(perm.major_id)  -- NULL for database-level permissions
from sys.database_principals princ
left join
sys.database_permissions perm
on perm.grantee_principal_id = princ.principal_id
I tested it on the sample script below from MSDN:
-- table with three masked columns
CREATE TABLE Membership
(MemberID int IDENTITY PRIMARY KEY,
FirstName varchar(100) MASKED WITH (FUNCTION = 'partial(1,"XXXXXXX",0)') NULL,
LastName varchar(100) NOT NULL,
Phone# varchar(12) MASKED WITH (FUNCTION = 'default()') NULL,
Email varchar(100) MASKED WITH (FUNCTION = 'email()') NULL);
INSERT Membership (FirstName, LastName, Phone#, Email) VALUES
('Roberto', 'Tamburello', '555.123.4567', 'RTamburello@contoso.com'),
('Janice', 'Galvin', '555.123.4568', 'JGalvin@contoso.com.co'),
('Zheng', 'Mu', '555.123.4569', 'ZMu@contoso.net');
-- a user with SELECT and an explicit UNMASK grant
CREATE USER TestUser WITHOUT LOGIN;
GRANT SELECT ON Membership TO TestUser;
GRANT UNMASK TO TestUser;
-- read the table as that user, then switch back
EXECUTE AS USER = 'TestUser';
SELECT * FROM Membership;
REVERT;
Now querying gives me the result below:
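As an added example (not the question's or the answer's own code), the following T-SQL builds on the answer's permission query and the MSDN Membership table above: it also reports direct db_owner membership, which the question notes bypasses masking without any UNMASK grant, and cross-checks each user with EXECUTE AS. The three user names are assumptions made up for this script.

```sql
-- Added example; assumes the MSDN Membership table already exists in the
-- current database. The three users below are constructed for this script.
CREATE USER MaskedUser   WITHOUT LOGIN;   -- SELECT only: gets masked values
CREATE USER UnmaskedUser WITHOUT LOGIN;   -- SELECT + UNMASK: gets real values
CREATE USER OwnerUser    WITHOUT LOGIN;   -- db_owner member: no grant needed
GRANT SELECT ON Membership TO MaskedUser, UnmaskedUser;
GRANT UNMASK TO UnmaskedUser;
ALTER ROLE db_owner ADD MEMBER OwnerUser;
GO
-- One row per user. sees_clear = 1 means masking does not apply to them.
-- Limitation: only direct db_owner membership is checked; membership that
-- arrives through a nested role needs a recursive walk of role members.
SELECT  princ.name,
        princ.type_desc,
        has_unmask  = CASE WHEN perm.state IN ('G', 'W') THEN 1 ELSE 0 END,
        is_db_owner = CASE WHEN rm.member_principal_id IS NOT NULL
                             OR princ.name = 'dbo' THEN 1 ELSE 0 END,
        sees_clear  = CASE WHEN perm.state IN ('G', 'W')
                             OR rm.member_principal_id IS NOT NULL
                             OR princ.name = 'dbo' THEN 1 ELSE 0 END
FROM    sys.database_principals AS princ
LEFT JOIN sys.database_permissions AS perm          -- explicit UNMASK grant
        ON  perm.grantee_principal_id = princ.principal_id
        AND perm.permission_name = 'UNMASK'
        AND perm.class_desc = 'DATABASE'
LEFT JOIN sys.database_role_members AS rm           -- direct db_owner member
        ON  rm.member_principal_id = princ.principal_id
        AND rm.role_principal_id = DATABASE_PRINCIPAL_ID('db_owner')
WHERE   princ.type IN ('S', 'U', 'G')               -- SQL/Windows users, groups
        AND princ.name NOT IN ('guest', 'INFORMATION_SCHEMA', 'sys');
GO
-- Cross-check against real query output, one user at a time.
EXECUTE AS USER = 'MaskedUser';
SELECT who = 'MaskedUser',   FirstName, Phone#, Email FROM Membership;
REVERT;
EXECUTE AS USER = 'UnmaskedUser';
SELECT who = 'UnmaskedUser', FirstName, Phone#, Email FROM Membership;
REVERT;
EXECUTE AS USER = 'OwnerUser';
SELECT who = 'OwnerUser',    FirstName, Phone#, Email FROM Membership;
REVERT;
GO
-- Clean up the constructed users.
ALTER ROLE db_owner DROP MEMBER OwnerUser;
DROP USER MaskedUser;  DROP USER UnmaskedUser;  DROP USER OwnerUser;
```

Expect MaskedUser to get `RXXXXXXX`, `xxxx` and `RXXX@XXXX.com` style values, while UnmaskedUser and OwnerUser both return the rows in clear even though only UnmaskedUser appears in sys.database_permissions.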
Licensed under: CC-BY-SA with attribution