Microsoft AzureData EngineeringAzureBeginner28 min read

What Is Column-Level Security? Security Definition

Also known as: Column-Level Security, CLS database security, Azure SQL column security, DP-203 security, data engineering security

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security
On This Page

Quick Definition

Column-Level Security (CLS) lets database administrators control who can see specific columns in a table, like hiding salary or social security numbers from most users. It works by granting or denying SELECT permissions on individual columns rather than entire tables. This way, sensitive data stays hidden from unauthorized users while still allowing them to access other parts of the table for their work. It is a lightweight way to protect sensitive data without building separate views or tables.

Must Know for Exams

Column-Level Security is a specific topic that appears in the DP-203 exam, which is the Microsoft Azure Data Engineer certification. The exam objectives include designing and implementing data security, which covers column-level security as a method for protecting sensitive data.

Microsoft expects you to know when to use CLS versus other security features like Dynamic Data Masking, Always Encrypted, or Row-Level Security. These are commonly compared in exam questions. You might be asked to choose the best approach for a given scenario. For example, a question might describe a situation where you need to hide salary data from managers but still allow them to see employee names and departments. CLS would be the right answer because it controls access to specific columns.

You also need to understand the limitations of CLS. The exam may present a scenario where a user needs to update a column but not read it. In that case, CLS alone is insufficient because INSERT and UPDATE permissions are not controlled at the column level by default. You would need to explicitly DENY INSERT or UPDATE on the sensitive column. This is a common exam trap.

Another exam topic is the integration of CLS with other Azure security services. You might need to explain how CLS works alongside Azure Active Directory authentication and Azure Key Vault. For instance, a question could ask about the order of permission checks: first, the user must have CONNECT permission to the database, then SELECT permission on the table or schema, and finally SELECT permission on the column. Understanding this hierarchy is important.

The exam may also test your knowledge of the SQL syntax for granting column-level permissions. You might be given a T-SQL statement and asked whether it correctly implements CLS. Or you might be asked to identify the correct statement among several similar options.

Scenario-based questions are common. For example, you are a data engineer for a healthcare company. You have a table called PatientRecords with columns PatientID, Name, Diagnosis, and InsuranceNumber. You need to ensure that nurses can see Name and Diagnosis but not InsuranceNumber. The correct answer would be to GRANT SELECT on the table to the nurse role but DENY SELECT on the InsuranceNumber column for that role.

Finally, the DP-203 exam emphasizes cost and performance implications. Questions may ask about the performance impact of CLS compared to creating views. The correct answer is that CLS has minimal performance overhead because it is checked during query compilation, not at runtime for every row. Understanding this distinction can earn you points on the exam.

Simple Meaning

Imagine you work in a large office building with many departments. In that building, there is a central filing room that holds folders for every employee. Each folder contains papers like name, job title, phone number, salary, and home address. Now, think of a database table as that filing room, and each piece of paper as a column in the table.

Without Column-Level Security, every person who opens the filing room sees all the papers in every folder. That means a junior assistant might see the CEO's salary, a cleaner might see the HR director's home address, and a contractor might see sensitive financial data. That would be a serious privacy problem.

With Column-Level Security, it is like putting a small lock on certain papers inside each folder. For example, you put a lock on the paper that says Salary and another lock on the paper that says Home Address. Only people who have a special key to that lock can open and read those specific papers. Everyone else can still see the other papers in the folder, like Name, Job Title, and Phone Number. They just cannot see the locked ones.

In database terms, the locks are permissions. You tell the database who is allowed to see the Salary column and who is not. When a user runs a query, the database checks their permission for each column. If they do not have permission for a column, the database simply does not return data from that column for their query. The user might not even know the column exists.

This is different from creating a separate table for sensitive data or building a view that only shows certain columns. CLS is simpler and easier to maintain because you do not have to create extra objects. You just apply a security rule directly to the column. It is like adding a lock to a drawer rather than moving all the sensitive items to a different room. This makes it very practical for data engineers and database administrators who need to protect private information like medical records, financial data, or personal identification numbers.

CLS works especially well when different users need to see different parts of the same data. For example, a customer service representative might need to see a customer's name and account balance but should not see their credit card number or social security number. Column-Level Security makes that possible with a simple setup.

Full Technical Definition

Column-Level Security (CLS) is a granular access control feature supported in Microsoft SQL Server, Azure SQL Database, and Azure Synapse Analytics. It allows database administrators to control read access to individual columns within a table by applying a GRANT or DENY statement at the column level.

Technically, CLS is implemented using Transact-SQL statements that specify which columns a user or role can access. The syntax uses the GRANT SELECT ON object(column1, column2) TO user format, where only the listed columns are accessible. Columns that are not explicitly granted are effectively hidden from that user. If a user tries to query a column they do not have permission on, the database engine returns an error or simply omits the column data depending on the query structure. In Azure SQL Database and SQL Server, CLS is schema-bound, meaning the permission is tied to the column name and data type at the time of creation. If the column is dropped or renamed, the permission may need to be reapplied.

Under the hood, CLS works by extending the SQL Server's permission hierarchy. The database engine checks column-level permissions during query compilation. When a query plan is built, the engine evaluates whether the executing principal has the necessary SELECT permission on each referenced column. If any column lacks the required permission, the query fails with a permission denied error. This check happens at the same time as other permission checks like schema-level or table-level permissions. Importantly, CLS does not require changes to the physical storage of the data. No separate copies of data are created, and no indexes are duplicated. The same physical row and column exist on disk, but the security layer intercepts access at runtime.

CLS is often used alongside other Azure data security features like Row-Level Security (RLS), Dynamic Data Masking, and Azure Active Directory authentication. For example, you might combine CLS to hide an SSN column while using RLS to ensure a salesperson only sees their own region's rows.

In terms of implementation in Azure, you can set up CLS using the Azure portal's query editor, SQL Server Management Studio (SSMS), or Azure Data Studio. You must have ALTER permission on the table or be a member of the db_securityadmin or db_owner roles to grant column-level permissions. The feature is supported in all service tiers of Azure SQL Database and Azure Synapse, including serverless and provisioned tiers.

One limitation is that CLS does not apply to all operations. For example, writing data (INSERT, UPDATE) is not directly controlled by column-level permissions; if a user has INSERT permission on the table, they can insert into any column, even if they cannot SELECT from it. To fully secure columns, you must also manage INSERT and UPDATE permissions on specific columns using similar GRANT statements. Additionally, CLS does not encrypt the data at rest; it only controls access. For encryption at the column level, you would use Always Encrypted or Transparent Data Encryption.

CLS is also compatible with indexing and query performance. Because the security checks happen during query compilation, there is minimal runtime overhead. However, if a user queries a large number of columns with mixed permissions, the permission check process can add small latency. In most practical scenarios, this is negligible.

For the DP-203 exam, Microsoft expects you to understand that CLS is a schema-level security feature and that it is more granular than table-level permissions. You should know the syntax and be able to identify scenarios where CLS is the appropriate solution versus Dynamic Data Masking or always encrypted. You should also be aware that CLS alone is not sufficient for a comprehensive data security strategy; it is one layer among many.

Real-Life Example

Think about a hospital's electronic health record system. Each patient record contains many pieces of information: name, date of birth, room number, diagnosis, treatment plan, and insurance details. Now, different people in the hospital need different information. The doctor needs to see the diagnosis and treatment plan. The nurse needs to see the room number and treatment plan. The billing clerk needs to see insurance details and the patient's name. The janitor does not need to see any medical information at all.

Without any security, if anyone opens a patient record, they see everything. That would be a breach of privacy and against the law in many countries.

Now, imagine the hospital uses an electronic system that works like a physical clipboard hanging on a door. The clipboard has multiple papers clipped together. The top paper shows the patient's name and room number. The second paper is covered by a clear plastic sleeve that requires a special magnetic card to open. Inside that sleeve is the diagnosis. The third paper is in a sealed envelope that only the billing manager can open.

The magnetic card system here is like Column-Level Security. Your badge has permissions for specific pieces of paper. A nurse's badge opens the clipboards for room number and treatment plan but does not open the sealed envelope with insurance details. A doctor's badge opens all papers except the billing envelope. A billing clerk's badge opens the patient's name, the insurance details envelope, but not the diagnosis sleeve.

In database terms, each piece of paper is a column. The magnetic card permission is a GRANT statement. The system checks your badge (permissions) before letting you see a particular paper (column). If you do not have permission, the paper simply does not appear to you. You cannot even see that there is a sealed envelope.

This system is efficient because it does not require making copies of the patient record for each role. The original record stays intact. The hospital does not need to create separate filing systems for doctors, nurses, and billing staff. They just add locks (permissions) to specific pieces of information. This saves storage space, reduces complexity, and ensures that when a treatment changes, everyone sees the updated information immediately because there is only one source of truth.

Why This Term Matters

In real IT work and cloud infrastructure, data security is not just about keeping hackers out. It is also about making sure that the right people inside your organization see only what they need to see. This is called the principle of least privilege. Column-Level Security directly supports this principle by allowing fine-grained access control without requiring major database redesign.

For data engineers and database administrators, CLS matters because it gives them a simple tool to protect sensitive data like credit card numbers, social security numbers, medical diagnoses, or salary information. Instead of building multiple views or separate tables for different user roles, you can apply a security rule directly to the column. This reduces the number of database objects you need to maintain, which lowers complexity and the risk of errors. If you create a view for each role, you end up with many views that all need to be updated when the table schema changes. With CLS, you change the table schema once, and the permissions remain tied to the columns.

In cloud environments like Azure, where you might have thousands of users and databases, manual management of access is not feasible. CLS integrates with Azure Active Directory, allowing you to assign permissions to users or groups. This means you can manage security at scale. For example, you can grant SELECT on specific columns to an entire department group rather than individual users. When someone joins or leaves the department, you only manage group membership, not database permissions.

Another practical reason CLS matters is compliance. Regulations like GDPR, HIPAA, PCI-DSS, and SOX require organizations to protect certain types of data. CLS provides an auditable way to enforce these requirements. You can prove that only authorized personnel have access to sensitive columns. This is often easier to demonstrate than complex view-based security.

CLS also matters because it does not affect application code. If your application queries a table with columns A, B, and C, and you later add CLS so that a user cannot see column C, the application does not need to change its SQL. The query will either fail with an error or silently omit column C, depending on how you configure it. This backward compatibility is crucial in enterprise environments where changing application code can be expensive and risky.

Finally, CLS is a cost-effective security measure. It does not require additional storage, compute, or licensing beyond the base database service. It is a built-in feature of Azure SQL Database and SQL Server, so you can use it without additional costs. For organizations on a budget, this is a significant advantage over third-party data masking tools or custom security layers.

How It Appears in Exam Questions

Column-Level Security appears in several types of exam questions on the DP-203 certification. The most common format is scenario-based questions where you are given a business requirement and must choose the appropriate security feature.

Scenario questions typically describe a table with sensitive columns. For example, a retail company has a table named CustomerOrders with columns CustomerID, OrderDate, TotalAmount, and CreditCardNumber. The question might state that customer service representatives need to see OrderDate and TotalAmount but must never see CreditCardNumber. You would need to select Column-Level Security as the solution. The exam might also offer distractors like Dynamic Data Masking, which hides data but does not restrict access, or Always Encrypted, which encrypts data but is more complex to implement.

Configuration questions ask you to produce or identify the correct T-SQL command to enforce CLS. For example, which of the following statements grants SELECT on the Email column of the Users table to user John? The correct answer would be GRANT SELECT ON Users(Email) TO John. Other options might use incorrect syntax like GRANT SELECT ON Users TO John(Email) or GRANT SELECT ON Users.* TO John.

Troubleshooting questions present a situation where a user is getting an error when querying a table. You might be told that the user can see some columns but not others. You would need to identify that CLS is applied and that the user lacks permission on the missing columns. Alternatively, a question might describe a user who can insert data into a column but cannot select from it. This is a valid scenario because CLS controls SELECT but not INSERT by default.

Architecture questions may ask you to design a security solution that includes multiple features. For instance, you have a table with rows that should only be visible to regional managers, and columns that should only be visible to executives. The correct approach is to combine Row-Level Security for row filtering and Column-Level Security for column filtering. The exam may also ask about the order of applying these features or their compatibility.

Comparison questions are also common. For example, what is the main difference between Column-Level Security and Dynamic Data Masking? The answer: CLS restricts access entirely, while Dynamic Data Masking shows a modified version of the data. Another comparison could be between CLS and creating multiple views. The answer: CLS is easier to maintain because changes to the base table do not require updating multiple views.

Finally, there are knowledge questions that test your understanding of limitations. For example, does Column-Level Security prevent a user from updating a column they cannot select from? The answer is no, unless you explicitly DENY UPDATE on that column.

To prepare for these question types, practice writing GRANT and DENY statements for columns. Study the difference between CLS, Dynamic Data Masking, and Always Encrypted. Work through scenarios where you have to combine multiple security features. Understanding when to use each tool is the key to passing the DP-203 exam.

Study dp-203

Test your understanding with exam-style practice questions.

Practise

Example Scenario

You are a data engineer for a university. The university has a database table called StudentRecords with columns: StudentID, FullName, Major, GPA, and SocialSecurityNumber. The university wants to give teaching assistants access to student names and majors so they can help with enrollment, but teaching assistants should not see SocialSecurityNumber or GPA. The registrar's office needs to see all columns including SocialSecurityNumber and GPA for official purposes.

You decide to implement Column-Level Security. First, you create a database role called TA_Role for the teaching assistants. Then, you run the following T-SQL commands: GRANT SELECT ON StudentRecords(StudentID, FullName, Major) TO TA_Role; DENY SELECT ON StudentRecords(SocialSecurityNumber) TO TA_Role; DENY SELECT ON StudentRecords(GPA) TO TA_Role;

Next, you create another role called Registrar_Role. You grant them SELECT on all columns using: GRANT SELECT ON StudentRecords(StudentID, FullName, Major, GPA, SocialSecurityNumber) TO Registrar_Role;

Now, when a teaching assistant logs in and runs a query like SELECT * FROM StudentRecords, the query will fail because they do not have permission on SocialSecurityNumber or GPA. However, if they run SELECT StudentID, FullName, Major FROM StudentRecords, it works perfectly. The teaching assistant never even sees that the other columns exist in the query results.

If a registrar logs in, they can run SELECT * and see all columns.

This scenario shows how CLS provides fine-grained control. The university does not need to create separate tables or views. The same table holds all data, but access is controlled at the column level. This saves time and reduces the chance of data inconsistency.

Common Mistakes

Assuming Column-Level Security automatically prevents users from inserting or updating sensitive columns.

CLS by default only controls SELECT (read) permissions. A user with INSERT permission on the table can still insert data into a column they cannot read. This can lead to unauthorized data entry or data corruption.

Always explicitly DENY INSERT and UPDATE on sensitive columns for any roles or users that should not have write access to them. Use statements like DENY INSERT ON TableName(SensitiveColumn) TO UserRole and DENY UPDATE ON TableName(SensitiveColumn) TO UserRole.

Thinking Column-Level Security encrypts the data in the column.

CLS does not encrypt data. It only controls access at the permission level. Data stored in the column remains in plaintext on disk. If an attacker gains access to the database files or backups, they can read the data regardless of CLS.

Use Always Encrypted or Transparent Data Encryption for encryption at rest. Combine CLS with encryption to protect data both from unauthorized access and from physical theft of files.

Believing that CLS fully hides sensitive columns from all users, including database administrators.

Members of the db_owner or sysadmin roles can override column-level permissions because they have elevated privileges. They can view any column even if CLS is applied. CLS is designed for application users, not for administrators.

Understand that CLS is a tool for controlling access for non-admin users. For data that must be hidden from administrators, consider using Always Encrypted with a column master key stored in Azure Key Vault, which ensures that even database admins cannot see the data.

Confusing Column-Level Security with Dynamic Data Masking and using them interchangeably in exams.

CLS completely blocks access to a column, returning an error or omitting the column. Dynamic Data Masking shows the column but replaces sensitive data with a mask. They serve different purposes: CLS is for access control; masking is for obfuscation without removing access.

If the requirement is to prevent users from seeing sensitive data entirely, use CLS. If users need to see the column but not the actual values (e.g., only last four digits of a credit card), use Dynamic Data Masking. Remember that masking does not prevent users from running other queries that might reveal the data.

Forgetting to apply DENY statements for sensitive columns when using role-based access.

If you only GRANT SELECT on a few columns to a role, the user might still have inherited SELECT permissions on the entire table from another role or from public permissions. Without explicit DENY, they might still see sensitive columns.

Always explicitly DENY SELECT on sensitive columns for any role that should not have access. This ensures that even if the user gains table-level permissions through another role, the column-level DENY takes precedence.

Exam Trap — Don't Get Fooled

A question describes a scenario where a user can read all columns except one sensitive column. The question asks what happens when the user runs SELECT * FROM TableName. Many learners assume the query will simply not return the sensitive column.

In SQL Server and Azure SQL Database, when a user without column-level permission on a specific column runs SELECT *, the query will fail with a permission denied error. The database does not silently omit the column. Remember this: CLS blocks access completely, not by hiding the column.

Only Dynamic Data Masking allows the query to succeed while masking the data.

Commonly Confused With

Column-Level SecurityvsDynamic Data Masking

Dynamic Data Masking (DDM) shows the column in query results but replaces sensitive data with a mask, like showing XXX-XX-1234 for a social security number. Column-Level Security completely hides the column for users without permission, often causing the query to fail if they try to include it.

If a user without permission runs SELECT SSN FROM Customers, CLS returns an error. DDM would return a masked value like XXX-XX-0000.

Column-Level SecurityvsRow-Level Security

Row-Level Security (RLS) controls which rows a user can see based on a filter predicate. It hides entire rows. Column-Level Security controls which columns a user can see. They solve different problems and can be used together.

An employee can only see their own department's rows (RLS) but can see all columns in those rows. Another employee can see all rows but only the Name and Department columns (CLS).

Column-Level SecurityvsAlways Encrypted

Always Encrypted encrypts the data at the column level so that even the database engine cannot read it without the key. Column-Level Security only controls who can read the data but does not encrypt it. Always Encrypted protects data from database administrators; CLS does not.

A column with Always Encrypted shows encrypted binary data to anyone without the key. A column with CLS shows plain text to those with permission and an error to those without.

Column-Level SecurityvsTransparent Data Encryption

Transparent Data Encryption (TDE) encrypts the entire database at rest, protecting the data files and backups. It does not control who can access specific columns. CLS is not about encryption; it is about access control at the column level.

TDE protects the database file if stolen; CLS protects the column from unauthorized queries during normal use.

Column-Level SecurityvsView-Based Security

View-Based Security involves creating multiple views of the same table, each showing a subset of columns. CLS applies security directly to the base table columns, avoiding the need to create and maintain multiple views. CLS is simpler and less prone to errors when schema changes occur.

Instead of creating a view vw_EmployeePublic that shows only Name and Department, you can use CLS to grant those columns directly to a role and deny the rest.

Step-by-Step Breakdown

1

Identify sensitive columns in your table

Before implementing CLS, review your table schema and determine which columns contain sensitive data like personally identifiable information, financial data, medical records, or trade secrets. These are the columns that need protection. In Azure Data Studio or SSMS, you can use system views like INFORMATION_SCHEMA.COLUMNS to list all columns.

2

Define user roles and groups in Azure Active Directory or SQL Server

Decide which users or groups should have access to which columns. Create database roles (e.g., DataReaderLimited, DataReaderFull) to simplify permission management. Using groups and roles rather than individual users makes it easier to maintain access as your organization changes.

3

Grant SELECT permission on the base table or schema to the role

You might need to first grant the role SELECT permission on the table or schema so they can query the table at all. Without this, column-level permissions are irrelevant. For example: GRANT SELECT ON dbo.Customers TO DataReaderLimited. This grants table-level access.

4

Apply GRANT SELECT on specific columns for the role

Use the GRANT statement with column specification to allow access to only the approved columns. For example: GRANT SELECT ON dbo.Customers(CustomerID, FirstName, LastName) TO DataReaderLimited. This ensures the role can see only those columns.

5

Apply DENY SELECT on sensitive columns for the role

For columns that the role must never see, use DENY SELECT explicitly. This ensures that even if the role inherits broader permissions, the sensitive columns remain blocked. Example: DENY SELECT ON dbo.Customers(SSN, CreditCard) TO DataReaderLimited.

6

Test the permissions with a sample user in the role

Log in as a user who is a member of the role and run queries to verify that they can access the allowed columns but cannot access the denied columns. Test both SELECT * and explicit column queries. For denied columns, the query should fail with an error.

7

Document the permissions and review regularly

Maintain clear documentation of which columns are protected and which roles have access. Regularly audit the permissions using system views like sys.database_permissions. This is important for compliance and for onboarding new team members.

Practical Mini-Lesson

Column-Level Security is a powerful tool in your data security toolbox, but it is not a silver bullet. To use it effectively in real-world environments, you need to understand both its capabilities and its limitations.

First, know that CLS is implemented using standard T-SQL GRANT and DENY statements. The syntax is straightforward, but you must apply it correctly. For example, to allow the sales role to see the CustomerName and Email columns but not the CreditCardNumber column, you would run:

GRANT SELECT ON dbo.Customers(CustomerName, Email) TO SalesRole; DENY SELECT ON dbo.Customers(CreditCardNumber) TO SalesRole;

Notice that you also need to grant SELECT on the table first, unless the role has it already. If the role does not have table-level SELECT, the column-level grants will not work. Always check base permissions.

A common practical issue is that CLS does not automatically apply to INSERT, UPDATE, or DELETE operations. If a user has INSERT permission on the table, they can add a new row with a value in the sensitive column, even if they cannot SELECT from it. This could lead to data integrity issues or compliance violations. To prevent this, explicitly deny INSERT and UPDATE on the sensitive column:

DENY INSERT ON dbo.Customers(CreditCardNumber) TO SalesRole; DENY UPDATE ON dbo.Customers(CreditCardNumber) TO SalesRole;

Another real-world consideration is performance. CLS is checked during query compilation, so the overhead is minimal. However, if you have many columns with different permissions for many roles, the permission resolution can become complex. In such cases, consider using schema-level permissions or grouping permissions by role to reduce complexity.

CLS works well with Azure Active Directory for centralized identity management. You can create a database role and add Azure AD groups to that role. Then, you manage permissions on the role. When a user is added or removed from the Azure AD group, their database access changes automatically. This is a best practice for scalability.

What can go wrong? One common mistake is forgetting that DENY overrides GRANT. If a user is part of two roles, one that grants access to a column and one that denies access, the DENY takes precedence. This is intentional and can be used to create exceptions. However, it can also lead to unexpected lockouts if you are not careful. Always test with a representative user account.

Another potential issue is that CLS does not work with certain schema changes. If you rename a column that has CLS applied, the permission becomes orphaned. You will need to drop and recreate the permission. Similarly, if you drop a column, the permission is also dropped. Plan your schema changes carefully.

Finally, remember that CLS is part of a broader security strategy. Use it alongside Row-Level Security for row filtering, Dynamic Data Masking for obfuscation, and Always Encrypted for encryption. In the DP-203 exam, you will often be asked to select the combination of features that best meets a complex requirement. For example, you might need to hide the SSN column entirely from most users, but for customer service managers, you might want to show only the last four digits. In that case, you would combine CLS (to block access for other roles) with Dynamic Data Masking (to mask the data for managers).

In practice, implement CLS in a development or staging environment first. Test with all user roles to ensure that the intended users can do their jobs and that sensitive data is truly hidden. Use automatic deployment tools like Azure DevOps to apply CLS as part of your database change scripts, ensuring consistency across environments.

Memory Tip

Think of Column-Level Security as a locked drawer in a filing cabinet. The drawer is the column. You need a specific key (permission) to open it. Without the key, you cannot even see what is inside the drawer. GRANT is the key, DENY is a superglue that keeps the drawer shut even if you have keys from other roles.

Covered in These Exams

Related Glossary Terms

Frequently Asked Questions

Can Column-Level Security be used in Azure Synapse Analytics?

Yes, Column-Level Security is supported in Azure Synapse Analytics dedicated SQL pools. The same GRANT and DENY T-SQL syntax applies. It works similarly to Azure SQL Database and SQL Server.

Does Column-Level Security work with SELECT * queries?

If a user lacks permission on any column in the table and runs SELECT *, the query will fail with a permission denied error. It does not silently omit the column.

How do I check which columns have Column-Level Security applied?

You can query the sys.database_permissions system view. Look for rows where class = 1 (column) and type = 'SL' (SELECT) or 'UP' (UPDATE), etc. You can also use the INFORMATION_SCHEMA.COLUMN_PRIVILEGES view.

Is Column-Level Security available in all tiers of Azure SQL Database?

Yes, Column-Level Security is available in all service tiers of Azure SQL Database, including Basic, Standard, Premium, and serverless tiers. There is no additional cost.

Can I use Column-Level Security together with Row-Level Security?

Yes, they are complementary. Row-Level Security filters rows, and Column-Level Security filters columns. You can apply both on the same table to create a very granular security model.

Does Column-Level Security protect data at rest?

No. Column-Level Security only controls access at query time. The data is stored in plaintext on disk. To protect data at rest, use Transparent Data Encryption for the database or Always Encrypted for specific columns.

Can a database administrator bypass Column-Level Security?

Yes, members of the db_owner fixed database role or sysadmin fixed server role can override column-level permissions. They can see all columns regardless of CLS. For truly restricted access, use Always Encrypted.

What happens if I rename a column that has Column-Level Security applied?

The column-level permission becomes orphaned and will not apply to the new column name. You must drop the old permission and recreate it using the new column name.

Summary

Column-Level Security is a database feature that allows you to control which users or roles can read, insert, or update individual columns in a table. It is a practical and lightweight way to protect sensitive data like social security numbers, credit card details, or medical information without needing to create separate views or tables. For IT certification exams, especially the Microsoft DP-203, you need to understand how CLS differs from Dynamic Data Masking, Row-Level Security, and Always Encrypted.

You should know the T-SQL syntax for granting and denying column permissions, and be aware that CLS alone does not encrypt data or prevent write operations unless explicitly denied. In real-world data engineering, CLS helps implement the principle of least privilege, simplifies compliance with regulations like GDPR and HIPAA, and scales well with Azure Active Directory group management. Remember that database administrators can bypass CLS, so use it for application users, not as a protection against privileged accounts.

When studying for the exam, practice writing GRANT and DENY statements for columns, work through scenario questions that compare security features, and always test your permissions thoroughly. With this knowledge, you will be prepared to answer any CLS question on the DP-203 exam.