vwVisibleLabels not populating?

Dec 15, 2014 at 11:08 PM
I'm implementing Row-level security with this toolkit and whitepaper but I'm having an issue with vwVisibleLabels not populating. I know my permissions are right and they all show up in tblMarking, but tblUniqueLabelMarking and tblUniqueLabel are blank when I look at them and by association vwVisibleLabels shows up empty as well. Anyone know why this happens? I thought it would show all security labels I have access to? Thanks a bunch.
Dec 16, 2014 at 7:20 PM
Edited Dec 16, 2014 at 7:31 PM
Be aware that there are no records in tblUniqueLabel and tblUniqueLabelMarking until you create labels as part of populating labelled data in your database. The main way to do this is with an application call to usp_GetSecLabelID or usp_GetSecLabelDetails. This sproc will either return the ID of an existing label that matches the inbound argument or create entries for a new tblUniqueLabel record and return the new ID. This is deliberate - it would not be a good idea to try to populate these tables with all possible labels. The number of resulting rows could be very large and affect performance. And there is no good reason to do this - most applications tend to use a small number of actual labels, as compared to the number of possible labels. Make sense? You can check the samples in the toolkit for illustration of inserting data along with calls to usp_GetSecLabelID. Also, make sure your login is not sysadmin. The T-SQL IS_MEMBER() function always returns 0 when the current user context is sysadmin, regardless of membership in other roles. So vwVisibleLabels always is empty if you are connected as sysadmin.
Dec 17, 2014 at 1:45 AM
artrask wrote:
Be aware that there are no records in tblUniqueLabel and tblUniqueLabelMarking until you create labels as part of populating labelled data in your database. The main way to do this is with an application call to usp_GetSecLabelID or usp_GetSecLabelDetails. This sproc will either return the ID of an existing label that matches the inbound argument or create entries for a new tblUniqueLabel record and return the new ID. This is deliberate - it would not be a good idea to try to populate these tables with all possible labels. The number of resulting rows could be very large and affect performance. And there is no good reason to do this - most applications tend to use a small number of actual labels, as compared to the number of possible labels. Make sense? You can check the samples in the toolkit for illustration of inserting data along with calls to usp_GetSecLabelID. Also, make sure your login is not sysadmin. The T-SQL IS_MEMBER() function always returns 0 when the current user context is sysadmin, regardless of membership in other roles. So vwVisibleLabels always is empty if you are connected as sysadmin.
Interesting. So currently on my Frontend I have a form that Queries "TableA" to provide specific columns. I am trying to replace "TableA" with a view of "TableA" that only shows records with the specified SecLabelID. If tblUniqueLabel and tblUniqueLabel only show new records that are added with the SecLabel, is there anyway to populate them with existing records I retroactively assign a SecLabelID? Thanks a Bunch.