Bewerken

Delen via


ADD SENSITIVITY CLASSIFICATION (Transact-SQL)

Applies to: SQL Server 2019 (15.x) and later versions Azure SQL Database Azure SQL Managed Instance Azure Synapse Analytics

Adds metadata about the sensitivity classification to one or more database columns. The classification can include a sensitivity label and an information type.

Classifying sensitive data in your database environment helps achieve extended visibility and better protection. For more information, see Data Discovery & Classification.

Syntax

    ADD SENSITIVITY CLASSIFICATION TO
    <object_name> [ , ...n ]
    WITH ( <sensitivity_option> [ , ...n ] )

<object_name> ::=
{
    [ schema_name. ] table_name.column_name
}

<sensitivity_option> ::=
{
    LABEL = string |
    LABEL_ID = guidOrString |
    INFORMATION_TYPE = string |
    INFORMATION_TYPE_ID = guidOrString |
    RANK = NONE | LOW | MEDIUM | HIGH | CRITICAL
}

Arguments

object_name [ schema_name. ] table_name.column_name

The name of the database column to be classified. Currently only column classification is supported.

  • schema_name (optional) - The name of the schema to which the classified column belongs.
  • table_name - The name of the table to which the classified column belongs.
  • column_name - The name of the column being classified.

LABEL

The human readable name of the sensitivity label. Sensitivity labels represent the sensitivity of the data stored in the database column.

LABEL_ID

An identifier associated with the sensitivity label. Often used by centralized information protection platforms to uniquely identify labels in the system.

INFORMATION_TYPE

The human readable name of the information type. Information types are used to describe the type of data being stored in the database column.

INFORMATION_TYPE_ID

An identifier associated with the information type. Often used by centralized information protection platforms to uniquely identify information types in the system.

RANK

An identifier based on a predefined set of values that define sensitivity rank. Used by other services like Advanced Threat Protection to detect anomalies based on their rank.

Remarks

Only one classification can be added to a single object. Adding a classification to an object that is already classified overwrites the existing classification.

Multiple objects can be classified using a single ADD SENSITIVITY CLASSIFICATION statement.

The system view sys.sensitivity_classifications can be used to retrieve the sensitivity classification information for a database.

ADD SENSITIVITY CLASSIFICATION works if any one of the parameters is supplied. If you supply only LABEL or INFORMATION_TYPE, without corresponding IDs, the command succeeds. However, you should have a one-to-one mapping between LABEL_ID and LABEL name.

The RANK parameter isn't currently used, so just having a rank value against a column without a LABEL or INFORMATION_TYPE doesn't add any value and should be avoided. If you provide just the RANK parameter, the command succeeds, but this is a known issue.

Permissions

Requires ALTER ANY SENSITIVITY CLASSIFICATION permission. The ALTER ANY SENSITIVITY CLASSIFICATION is also provided by the database permission CONTROL, or by the server permission CONTROL SERVER.

Examples

A. Classify two columns

The following example classifies the columns dbo.sales.price and dbo.sales.discount with the sensitivity label Highly Confidential, rank Critical and the Information Type Financial.

ADD SENSITIVITY CLASSIFICATION TO dbo.sales.price,
    dbo.sales.discount
WITH (
    LABEL = 'Highly Confidential',
    INFORMATION_TYPE = 'Financial',
    RANK = CRITICAL
);

B. Classify only a label

The following example classifies the column dbo.customer.comments with the label Confidential and label ID 643f7acd-776a-438d-890c-79c3f2a520d6. Information type isn't classified for this column.

ADD SENSITIVITY CLASSIFICATION TO dbo.customer.comments
WITH (
    LABEL = 'Confidential',
    LABEL_ID = '643f7acd-776a-438d-890c-79c3f2a520d6'
);