Updated July 31, 2023

Field-Level Security, or FLS, refers to the practice of controlling access to data in a database by the individual data fields in each record, so that users are only able to access the data fields they are authorized for. Fields that users are not authorized to view may be masked or otherwise obfuscated while other fields in the record are accessible. This contrasts with database-level, table-level, and row-level security, which control access to entire databases, tables, or records respectively.

There are many advantages to implementing data security at the field level instead of at higher levels. The most obvious is that you can store data records whose fields have different security requirements in a single database or table, instead of segregating that data into separate databases or tables for users with different security clearances. All users can then access the data in a single location, with the fields a particular user is not authorized to access masked when they access the data. For instance, access to customer bank account details may be limited to users in the finance department, but users in other departments may still be able to view the rest of a customer record. This helps organizations reduce the complexity of their data storage, which yields benefits both in the time it takes to design and maintain systems and in the cost of the systems required to host that data. In this way field-level security is a type of logical segregation of data. You can read more about the types of data segregation in our blog post on data segregation.

Field-level security requires that an organization’s data security solution is aware of enough context to correctly evaluate and enforce data access policies per field at the row or record level. This is best accomplished by having Attribute-Based Access Control (ABAC) policies that dynamically evaluate the attributes of the data being accessed and the user requesting access, so that an access decision can be made for each individual record included in the data access request. By making the data access decision for each field within a row, data that a user should not have access to can be masked in the results returned by a query, or in the display of records from a table. Masking specific fields in the records of the data set available to a user reduces the chances of data being accessed by those not authorized to view it.
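The per-field, per-record decision described above can be sketched as follows. This is an added example, not NextLabs code: the field names, the `region` attribute, the mask string and the default-deny handling of fields without a rule are all assumptions made for illustration.

```python
# Added example: field-level masking driven by ABAC rules (all names hypothetical).
MASK = "****"

def allow_all(user, record):
    return True

def finance_same_region(user, record):
    # Combines user and data attributes, so the decision can differ per row.
    return (user.get("department") == "finance"
            and user.get("region") == record.get("region"))

# Each field maps to a rule over (user attributes, record attributes).
# Fields with no rule are masked: a default-deny choice made for this sketch.
POLICY = {
    "customer_id": allow_all,
    "name": allow_all,
    "region": allow_all,
    "bank_account": finance_same_region,
}

def mask_record(user, record, policy=POLICY):
    """Return a copy of record with every unauthorized field masked."""
    out = {}
    for field, value in record.items():
        rule = policy.get(field)
        try:
            allowed = bool(rule and rule(user, record))
        except Exception:
            allowed = False  # a failing rule must not leak the value
        out[field] = value if allowed else MASK
    return out

def query(user, rows, policy=POLICY):
    """Apply the per-field decision to each row of a result set."""
    return [mask_record(user, row, policy) for row in rows]

# Constructed sample data, not from the page.
ROWS = [
    {"customer_id": 1, "name": "Acme", "region": "EU",
     "bank_account": "DE00 1234", "notes": "vip"},
    {"customer_id": 2, "name": "Globex", "region": "US",
     "bank_account": "US00 5678", "notes": "new"},
]

if __name__ == "__main__":
    for u in ({"department": "finance", "region": "EU"},
              {"department": "sales", "region": "EU"}):
        print(u, query(u, ROWS))
```

The finance user sees the bank account only on the row whose `region` matches their own, while the sales user gets the same rows with that field masked in both; the unlisted `notes` field is masked for everyone.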

Visit our product technology page to find out more about NextLabs products and how Field-Level Security is used by organizations to protect their sensitive data.