T-SQL Merge with masked column key
We make use of the MASKED column feature in SQL Server to hide sensitive data when querying. But we've come across a scenario where the INSERT performed as part of the MERGE statement is inserting a masked value. I.E. the newly inserted value is seen as the masked value, even when querying the table as a user with the UNMASK permission.
Specifically, the scenario occurs when:
- A column is
MASKED. - The current user doesn't have the
UNMASKpermission. - The
MERGEstatement'sONclause uses theMASKEDcolumn. - The
MERGEstatement doesn't match, so drops into theINSERTsection.
Below is a minimal reproduction of the issue.
-- Define a test table with one non-masked and one masked column.
CREATE TABLE TestTable(
C1 NVARCHAR(100) MASKED WITH (FUNCTION = 'default()'),
C2 NVARCHAR(100) MASKED WITH (FUNCTION = 'default()'),
C3 NVARCHAR(100) -- Not masked
);
INSERT INTO TestTable
VALUES ('aaa', 'aaa', 'aaa'), ('bbb', 'bbb', 'bbb')
-- Print the current user and initial table content
SELECT SUSER_NAME() AS LoginName, USER_NAME() AS UserName;
SELECT *, 'No columns should be Masked' FROM TestTable
-- Create users with different permissions
CREATE USER user1 WITHOUT LOGIN
-- Setup permissions (No UNMASK permissions)
GRANT SELECT, UPDATE, INSERT TO user1;
-- Switch context to the user WITHOUT UNMASK permissions
EXECUTE AS USER = 'user1';
-- Show the user can only see masked data
SELECT SUSER_NAME() AS LoginName, USER_NAME() AS UserName;
SELECT *, 'Columns 1 & 2 should be Masked' FROM TestTable
-- Execute the merge, matching on the masked column
MERGE TestTable target
USING (
SELECT * FROM (VALUES
('bbb', 'bbb', 'bbb'), -- Will be merged
('ccc', 'ccc', 'ccc'), -- Will be inserted
('ddd', 'ddd', 'ddd')) -- Will be inserted
AS s (C1 ,C2 ,C3)
) AS source
ON (source.C1 = target.C1)
WHEN MATCHED THEN UPDATE SET
target.C2 = source.C2,
target.C3 = source.C3
WHEN NOT MATCHED BY TARGET
THEN INSERT (C1, C2, C3)
VALUES (source.C1, source.C2, source.C3);
-- A regular insert statement to check if masking applies there
INSERT INTO TestTable
VALUES ('eee', 'eee', 'eee')
-- Print the current user and current table content
SELECT SUSER_NAME() AS LoginName, USER_NAME() AS UserName;
SELECT *, 'Columns 1 & 2 should be Masked' FROM TestTable
REVERT; -- Back to the session user context
-- Print the current user and current table content
SELECT SUSER_NAME() AS LoginName, USER_NAME() AS UserName;
SELECT *, 'No columns should be Masked' FROM TestTable
-- Tidy up
DROP TABLE TestTable;
DROP USER user1;
The result of the last SELECT statement is shown below. This select is being executed as a user that has the UNMASK permission, but the two rows inserted by a user without that permission still have the column used as a key in the MERGE apparently masked. I suspect because the masked value was inserted during the MERGE, rather than any issue with permissions.
Is this is a known issue? Or am I doing something wrong?
This is a consequence of the way MERGE works.
When multiple actions are defined, CASE expressions are evaluated in the execution plan to determine the correct value to use for each column. Clearly, an update action will generally cause different values to be assigned than if an insert action applies for that source row.
As the documentation says (emphasis added):
Whenever you project an expression referencing a column for which a data masking function is defined, the expression is also masked.
This is unfortunate when one clause (the insert action in your case) references only literal values (or ones from a non-masked source), while another clause uses masked data. The resulting CASE expression will always emit masked data.
CASE
WHEN [Action1005]=(4) THEN <unmasked data> -- INSERT action
ELSE <masked data>
END
Changing this behaviour would likely be difficult and risky, Using separate insert, update, and delete statements may be a viable workaround.
Azure Feedback: Bug: Merge inserts with masked key columns
- No column name was specified for column 1 of 'sp'
- Getting only Month and Year from SQL DATE
- T-SQL multiple COUNT() with JOIN and LEFT JOIN
- Can't remove single Quote in SQL
- How do I get matched pairs of results (1 male and 1 female) with the same age at random?
- SQL Server Operating system error 5: "5(Access is denied.)"
- How to get the 30 days before date from today's date
- How to get the date 30 days before today's date from database
- What are the disadvantages to Indexes in database tables?
- Default parameter in SQL where clause
- How can I filter words in SQL using a function?
- Getting the second occurrence from charindex function in sql server
- How can I add a database reference to another database on the same server without a .dacpac, so Visual Studio recognizes cross-database reference?
- Connecting to a SQL Server database running in a Docker container from another docker container
- How to connect to SQL Server docker container from another container?
- Unable to enable Microsoft Change Data Capture (CDC) sp_cdc_enable_db
- Crosstab in SQL Server with a column that may have no data
- IIS Regional Settings
- MS Access error "ODBC--call failed. Invalid character value for cast specification (#0)"
- Multiple select queries with union, flatten to single row
- How to access my database from another server
- Highlight Duplicate Values in a NetSuite Saved Search
- Unique constraint on multiple columns in a table variable
- Get size of all tables in database
- SSRS- How can I eliminate page breaks within an email body?
- Performing a bitwise sum
- Creating a balance statement
- One Index, Two Indexers, Populate Array
- SQL Selecting if "active" = true
- Automatically deleting old log entries with the Serilog mssqlserver sink?