IS_DATABASE_ROLE_IN_SESSION: Name resolution with policy and UDF evaluation

Attention

This behavior change is in the 2024_01 bundle.

For the current status of the bundle, refer to Bundle History.

The behavior of the IS_DATABASE_ROLE_IN_SESSION function with a masking policy, row access policy, and UDF is as follows:

Before the change:
  • You cannot use the fully-qualified name of the database role as an argument to the function, in the format database_name.database_role_name, unless the database name is the same database that contains the policy or UDF.

  • The function evaluation depends on whether the database role exists in the specified database. If you specify a relative name as an argument to the function, the function always evaluates to the database that contains the policy or UDF; the database role must be in the same database as the policy or UDF.

After the change:
  • You can use the fully-qualified name of the database role as an argument, however, the function always evaluates to False.

  • When you specify the relative name of the database role as an argument, the function checks to see if the database role is in the same database as the protected table or the database that contains the UDF.

If your UDF or policy conditions call the function, confirm that the database roles exist in the same database as the UDF or protected table. If necessary, recreate the database roles in the database that contains the UDF or protected table.

Important

If you are using this function with Secure Data Sharing, it is important that both the provider and consumer either enable the bundle or disable the bundle to ensure consistent behavior.

Ref: 1499

Language: English