Fine-grained access control
Authorization controls that operate inside a table, at the row or column level, are implemented with fine-grained access control (FGAC). With FGAC, security or database administrators can control the result set that different people in the organization see when they run a SELECT statement against a table, irrespective of the privileges they hold on the database tables.
There are two forms of FGAC:
- Label-based access control (LBAC) – LBAC is an implementation of mandatory access control (MAC) in which users and the data itself are each explicitly assigned a security label value. The intersection of the user's security label and the data's security label determines which rows and columns that user can see. The definition of the security labels should be clear before you implement them, because after the security labels are established it is very difficult to alter them.
- Row and column access control (RCAC) – RCAC is based on basic, flexible SQL expressions that define the access rules. RCAC consists of row permissions and column masks. Row permissions are implemented with an SQL search expression that describes the set of rows that can be accessed. Column masks are implemented with SQL CASE expressions that describe, for each column, which column values may be seen under the specified conditions.
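The RCAC mechanism described above, as an added example that is not part of the original page, written in Db2 SQL syntax (the dialect that provides the CREATE PERMISSION and CREATE MASK statements). The EMPLOYEE and DEPARTMENT tables, their columns, and the HR and MANAGER roles are assumed for illustration.

```sql
-- Added example, not from the original page. Assumed schema:
--   EMPLOYEE(EMPNO VARCHAR(8), DEPTNO CHAR(3), SALARY DECIMAL(9,2), SSN CHAR(11) NOT NULL)
--   DEPARTMENT(DEPTNO CHAR(3), MGRNO VARCHAR(8))   -- MGRNO holds the manager's user ID
-- Assumed roles: HR and MANAGER. EMPNO and MGRNO are assumed to match SESSION_USER.

-- Row permission: the search condition names the rows a session may access.
-- HR sees every row, a manager sees the rows of the departments they manage,
-- and everyone else sees only their own row.
CREATE PERMISSION EMP_ROW_ACCESS ON EMPLOYEE
   FOR ROWS WHERE
        VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR') = 1
     OR (VERIFY_ROLE_FOR_USER(SESSION_USER, 'MANAGER') = 1
         AND DEPTNO IN (SELECT DEPTNO FROM DEPARTMENT
                        WHERE MGRNO = SESSION_USER))
     OR EMPNO = SESSION_USER
   ENFORCED FOR ALL ACCESS
   ENABLE;

-- Column mask: a CASE expression decides which value of SSN a session sees.
-- Only HR receives the full value; everyone else receives the last four digits.
-- The CASE result must have the same type as the column, hence the CAST.
CREATE MASK EMP_SSN_MASK ON EMPLOYEE
   FOR COLUMN SSN RETURN
      CASE WHEN VERIFY_ROLE_FOR_USER(SESSION_USER, 'HR') = 1
           THEN SSN
           ELSE CAST('XXX-XX-' || SUBSTR(SSN, 8, 4) AS CHAR(11))
      END
   ENABLE;

-- Neither object is enforced until access control is activated on the table.
-- Once row access control is active, rows matched by no enabled permission
-- are invisible to every user, including the table owner and DBADM.
ALTER TABLE EMPLOYEE ACTIVATE ROW ACCESS CONTROL;
ALTER TABLE EMPLOYEE ACTIVATE COLUMN ACCESS CONTROL;
```

After activation, `SELECT EMPNO, SSN FROM EMPLOYEE` run by a non-HR user returns only the rows the permission allows and shows SSN in its masked form, with no change to the query itself.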