ADD SENSITIVITY CLASSIFICATION (Transact-SQL)

APPLIES TO: yesSQL Server yesAzure SQL Database yesAzure Synapse Analytics (SQL DW) noParallel Data Warehouse

Adds metadata about the sensitivity classification to one or more database columns. The classification can include a sensitivity label and an information type.

For SQL Server, this was introduced in SQL Server 2019.

Classifying sensitive data in your database environment helps achieve extended visibility and better protection. Additional information can be found in Getting started with SQL Information Protection

Syntax

ADD SENSITIVITY CLASSIFICATION TO
    <object_name> [, ...n ]
    WITH ( <sensitivity_option> [, ...n ] )     

<object_name> ::=
{
    [schema_name.]table_name.column_name
}

<sensitivity_option> ::=  
{   
    LABEL = string |
    LABEL_ID = guidOrString |
    INFORMATION_TYPE = string |
    INFORMATION_TYPE_ID = guidOrString | 
    RANK = NONE | LOW | MEDIUM | HIGH | CRITICAL
}

Arguments

object_name ([schema_name.]table_name.column_name)

Is the name of the database column to be classified. Currently only column classification is supported. - schema_name (optional) - Is the name of the schema to which the classified column belongs to. - table_name - Is the name of the table to which the classified column belongs to. - column_name - Is the name of the column being classified.

LABEL

Is the human readable name of the sensitivity label. Sensitivity labels represent the sensitivity of the data stored in the database column.

LABEL_ID

Is an identifier associated with the sensitivity label. This is often used by centralized information protection platforms to uniquely identify labels in the system.

INFORMATION_TYPE

Is the human readable name of the information type. Information types are used to describe the type of data being stored in the database column.

INFORMATION_TYPE_ID

Is an identifier associated with the information type. This is often used by centralized information protection platforms to uniquely identify information types in the system.

RANK

Is an identifier based on a predefinied set of values which define sensitivity rank. Used by other services like Advanced Threat Protection to detect anomalies based on their rank.

Remarks

  • Only one classification can be added to a single object. Adding a classification to an object that is already classified will overwrite the existing classification.
  • Multiple objects can be classified using a single ADD SENSITIVITY CLASSIFICATION statement.
  • The system view sys.sensitivity_classifications can be used to retrieve the sensitivity classification information for a database.

Permissions

Requires ALTER ANY SENSITIVITY CLASSIFICATION permission. The ALTER ANY SENSITIVITY CLASSIFICATION is implied by the database permission ALTER, or by the server permission CONTROL SERVER.

Examples

A. Classifying two columns

The following example classifies the columns dbo.sales.price and dbo.sales.discount with the sensitivity label Highly Confidential and the Information Type Financial.

ADD SENSITIVITY CLASSIFICATION TO
    dbo.sales.price, dbo.sales.discount
    WITH ( LABEL='Highly Confidential', INFORMATION_TYPE='Financial' )

B. Classifying only a label

The following example classifies the column dbo.customer.comments with the label Confidential and label ID 643f7acd-776a-438d-890c-79c3f2a520d6. Information type isn't classified for this column.

ADD SENSITIVITY CLASSIFICATION TO
    dbo.customer.comments
    WITH ( LABEL='Confidential', LABEL_ID='643f7acd-776a-438d-890c-79c3f2a520d6' )

See Also

DROP SENSITIVITY CLASSIFICATION (Transact-SQL)

sys.sensitivity_classifications (Transact-SQL)

Permissions (Database Engine)

Getting started with SQL Information Protection