In the first part of this chapter, you learned about permissions on database objects, including objects with data, namely tables, views, and table-valued, user-defined functions. Sometimes you need to give permissions to end users in a more granular way. For example, you might need to give permissions to a specific user to read and update only a subset of columns in the table, and to see only a subset of rows in a table.

You can use programmable objects, such as stored procedures, to achieve these granular permission needs. You can use declarative permissions with DCL statements (GRANT, REVOKE, and DENY) on the column level already available in previous versions of SQL Server. However, SQL Server 2016 and 2017 also offer declarative Row-Level Security, abbreviated to RLS. In this section, you will learn how to:

• Use programmable objects to maintain security
• Use SQL Server 2016 and 2017 RLS