Security and Credentials
How BizFirstGO secures Data Ocean SQL connections — the credential pattern, tenant row isolation, column-level masking for PII, and connection audit trails.
The Credential Pattern (Mandatory)
BizFirstGO enforces a strict credential pattern for all database connections. Connection strings are never stored in workflow definitions, SQL node configurations, or application settings files. They are always stored in the Credential Store and accessed via ICredentialResolver at runtime.
// ICredentialResolver contract
public interface ICredentialResolver
{
Task<string> GetPasswordAsync(int credentialId, CancellationToken ct = default);
Task<string> GetConnectionStringAsync(int credentialId, CancellationToken ct = default);
}
// Usage in IDatasourceConnectionFactory — internal implementation
public async Task<SqlConnection> GetConnectionAsync(string datasourceId, int tenantId, CancellationToken ct)
{
var datasource = await _datasourceRegistry.GetAsync(datasourceId, tenantId, ct);
var connectionString = await _credentialResolver.GetConnectionStringAsync(datasource.CredentialId, ct);
var connection = new SqlConnection(connectionString);
await connection.OpenAsync(ct);
return connection;
}Never store raw connection strings in SQL node configurations, workflow JSON, appsettings files, or environment variables. All credentials must go through the Credential Store. Violation of this rule is a security finding that will block deployment.
Credential Store Integration
The Credential Store supports multiple backends depending on your deployment:
| Backend | Environment | Configuration |
|---|---|---|
| Azure Key Vault | Cloud / Azure production | Managed Identity auth — no secrets in config |
| HashiCorp Vault | On-premises / multi-cloud | AppRole auth with token rotation |
| Encrypted database column | Development / smaller deployments | AES-256 encrypted in BizFirstGO system DB |
| Environment variables | CI/CD pipelines only | Temporary — never for long-running services |
Tenant Row Isolation
Multi-tenancy in Data Ocean SQL Server is enforced at the application layer by the SQL node execution engine. Every query executed by a SQL node automatically receives a tenantId parameter sourced from the workflow execution context (workflow.tenantId).
The framework validates that every SQL query passed to a SqlQueryNode or SqlUpdateNode includes @tenantId as a parameter. Queries missing this parameter are rejected at design-time validation:
// This query will FAIL validation — missing @tenantId filter
SELECT * FROM Customer WHERE CustomerId = @customerId
// This query will PASS validation
SELECT * FROM Customer WHERE TenantId = @tenantId AND CustomerId = @customerId AND IsDeleted = 0The tenant filter check is performed by the Flow Studio design-time validator — it is not a SQL Server Row-Level Security (RLS) policy. For sensitive deployments, consider implementing SQL Server RLS as an additional defense layer. See the SQL Server RLS documentation for the CREATE SECURITY POLICY syntax.
Column-Level PII Masking
For tables containing Personally Identifiable Information (PII), SQL Server's Dynamic Data Masking provides column-level masking for database users without data access rights:
-- Apply masking to PII columns
ALTER TABLE Customer
ALTER COLUMN Email ADD MASKED WITH (FUNCTION = 'email()');
ALTER TABLE Customer
ALTER COLUMN Phone ADD MASKED WITH (FUNCTION = 'partial(0,"XXX-XXX-",4)');
-- The BizFirstApp login must be GRANTED UNMASK to see real values
-- Remove this grant for reporting/analytics accounts that should see masked data
GRANT UNMASK TO BizFirstApp;
-- For a reporting-only login, do NOT grant UNMASK
-- CREATE LOGIN BizFirstReports WITH PASSWORD = '...';
-- (No UNMASK grant — this login sees masked values)Connection Security Checklist
| Control | Implementation | Status |
|---|---|---|
| Encrypted transport | Encrypt=True in connection string | Required |
| Certificate validation | TrustServerCertificate=False in production | Required for production |
| Principle of least privilege | db_datareader + db_datawriter only (not db_owner) | Required |
| Credential rotation | Rotate SQL Server passwords via Credential Store — no redeploys needed | Recommended quarterly |
| Network isolation | SQL Server on private network or VNet — no public endpoint | Recommended for production |
| Audit logging | Enable SQL Server Audit for all DML operations on sensitive tables | Required for compliance |
| Failed login monitoring | Alert on repeated authentication failures (brute force indicator) | Recommended |