Steve Jones talks about row-level security:
I’ve wanted this feature to be easy for a long time. In fact, I’ve implemented a similar system a few times in different applications, but it’s been a cumbersome feature to meet, plus each developer needs to understand how the system works for it to work well. Even in the case where we once used views to hide our RLS, it was a performance issue.
Microsoft has made things easier with their Row Level Security feature. This was actually released in Azure in 2015, but it’s now available in SQL Server 2016 for every on premise installation as well.
Essentially for each row, there is some data value that is checked to determine if a user has access. This doesn’t mean a join. This doesn’t mean you write a lot of code. The implementation is simple, and straightforward, and I like it.
The implementation is pretty easy, but I’m concerned about the performance. At least from my early view, this adds a good bit of performance drag on your queries. That’s not so bad in a data warehouse environment, but in a busy transactional system, I’m not sure it can keep up. I’d be interested in hearing other thoughts, though.