Get-DbaDbDataClassification

Synopsis

Retrieves data classification information for columns in SQL Server databases

Description

Retrieves data classification labels stored as extended properties on table columns. Data classification
is used to tag sensitive data columns with information type and sensitivity labels, which helps with
compliance, data governance, and security auditing.

Classification metadata is stored as four extended properties on each classified column:

• sys_information_type_id: GUID identifying the information type
• sys_information_type_name: Human-readable information type name (e.g., “Financial”, “Health”, “Credentials”)
• sys_sensitivity_label_id: GUID identifying the sensitivity label
• sys_sensitivity_label_name: Human-readable sensitivity label (e.g., “Public”, “General”, “Confidential”)

These properties are compatible with Microsoft Information Protection (MIP) labels used by SQL Server
Data Discovery & Classification in SSMS and Azure SQL Database.

Requires SQL Server 2005 or later due to use of sys.extended_properties.

Syntax

Get-DbaDbDataClassification
    [[-SqlInstance] <DbaInstanceParameter[]>]
    [[-SqlCredential] <PSCredential>]
    [[-Database] <String[]>]
    [[-Schema] <String[]>]
    [[-Table] <String[]>]
    [[-Column] <String[]>]
    [[-InputObject] <Database[]>]
    [-EnableException]
    [<CommonParameters>]

Examples

Example: 1

PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019

Returns all data classifications across all databases on sql2019.

Example: 2

PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019 -Database AdventureWorks

Returns all data classifications in the AdventureWorks database.

Example: 3

PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019 -Database AdventureWorks -Table Customer

Returns data classifications for columns in the Customer table.

Example: 4

PS C:\> Get-DbaDatabase -SqlInstance sql2019 -Database AdventureWorks | Get-DbaDbDataClassification

Returns all data classifications in AdventureWorks by piping the database object.

Example: 5

PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019 -Database AdventureWorks | Where-Object SensitivityLabel -eq "Highly Confidential"

Returns only columns classified as Highly Confidential in AdventureWorks.

Optional Parameters

-SqlInstance

The target SQL Server instance or instances.

-SqlCredential

Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory -
Integrated are all supported.
For MFA support, please use Connect-DbaInstance.

-Database

Specifies which databases to search for data classifications. Only applies when connecting directly via SqlInstance.

-Schema

Filters results to columns in the specified schema(s).

-Table

Filters results to columns in the specified table(s).

-Column

Filters results to the specified column name(s).

-InputObject

Accepts database objects piped from Get-DbaDatabase.

-EnableException

By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
This avoids overwhelming you with “sea of red” exceptions, but is inconvenient because it basically disables advanced scripting.
Using this switch turns this “nice by default” feature off and enables you to catch exceptions with your own try/catch.

Outputs

PSCustomObject

Returns one object per classified column with the following properties:

• ComputerName: The computer name of the SQL Server instance
• InstanceName: The SQL Server instance name
• SqlInstance: The full SQL Server instance name
• Database: The database name
• Schema: The schema name of the table
• Table: The table name
• Column: The column name
• InformationTypeId: GUID identifying the information type
• InformationType: Human-readable information type name
• SensitivityLabelId: GUID identifying the sensitivity label
• SensitivityLabel: Human-readable sensitivity label name