dataplat
diff --git a/‎dbatools.psd1‎
Lines changed: 3 additions & 0 deletions b/‎dbatools.psd1‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎dbatools.psm1‎
Lines changed: 3 additions & 0 deletions b/‎dbatools.psm1‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎public/Get-DbaDbDataClassification.ps1‎
Lines changed: 184 additions & 0 deletions b/‎public/Get-DbaDbDataClassification.ps1‎
Lines changed: 184 additions & 0 deletions
diff --git a/‎public/Remove-DbaDbDataClassification.ps1‎
Lines changed: 140 additions & 0 deletions b/‎public/Remove-DbaDbDataClassification.ps1‎
Lines changed: 140 additions & 0 deletions
@@ -730,6 +730,9 @@
         'Get-DbaExtendedProperty',
         'Set-DbaExtendedProperty',
         'Add-DbaExtendedProperty',
+        'Get-DbaDbDataClassification',
+        'Set-DbaDbDataClassification',
+        'Remove-DbaDbDataClassification',
         'Get-DbaOleDbProvider',
         'Get-DbaConnectedInstance',
         'Disconnect-DbaInstance',
 
@@ -920,6 +920,9 @@ if ($PSVersionTable.PSVersion.Major -lt 5) {
         'Get-DbaExtendedProperty',
         'Set-DbaExtendedProperty',
         'Add-DbaExtendedProperty',
+        'Get-DbaDbDataClassification',
+        'Set-DbaDbDataClassification',
+        'Remove-DbaDbDataClassification',
         'Get-DbaOleDbProvider',
         'Get-DbaConnectedInstance',
         'Disconnect-DbaInstance',
 
@@ -0,0 +1,184 @@
+function Get-DbaDbDataClassification {
+    <#
+    .SYNOPSIS
+        Retrieves data classification information for columns in SQL Server databases
+
+    .DESCRIPTION
+        Retrieves data classification labels stored as extended properties on table columns. Data classification
+        is used to tag sensitive data columns with information type and sensitivity labels, which helps with
+        compliance, data governance, and security auditing.
+
+        Classification metadata is stored as four extended properties on each classified column:
+        - sys_information_type_id: GUID identifying the information type
+        - sys_information_type_name: Human-readable information type name (e.g., "Financial", "Health", "Credentials")
+        - sys_sensitivity_label_id: GUID identifying the sensitivity label
+        - sys_sensitivity_label_name: Human-readable sensitivity label (e.g., "Public", "General", "Confidential")
+
+        These properties are compatible with Microsoft Information Protection (MIP) labels used by SQL Server
+        Data Discovery & Classification in SSMS and Azure SQL Database.
+
+        Requires SQL Server 2005 or later due to use of sys.extended_properties.
+
+    .PARAMETER SqlInstance
+        The target SQL Server instance or instances.
+
+    .PARAMETER SqlCredential
+        Login to the target instance using alternative credentials. Accepts PowerShell credentials (Get-Credential).
+
+        Windows Authentication, SQL Server Authentication, Active Directory - Password, and Active Directory -
+        Integrated are all supported.
+
+        For MFA support, please use Connect-DbaInstance.
+
+    .PARAMETER Database
+        Specifies which databases to search for data classifications. Only applies when connecting directly via SqlInstance.
+
+    .PARAMETER Schema
+        Filters results to columns in the specified schema(s).
+
+    .PARAMETER Table
+        Filters results to columns in the specified table(s).
+
+    .PARAMETER Column
+        Filters results to the specified column name(s).
+
+    .PARAMETER InputObject
+        Accepts database objects piped from Get-DbaDatabase.
+
+    .PARAMETER EnableException
+        By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
+        This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
+        Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
+
+    .NOTES
+        Tags: DataClassification, Classification, Compliance, Security
+        Author: the dbatools team + Claude
+
+        Website: https://dbatools.io
+        Copyright: (c) 2024 by dbatools, licensed under MIT
+        License: MIT https://opensource.org/licenses/MIT
+
+    .LINK
+        https://dbatools.io/Get-DbaDbDataClassification
+
+    .OUTPUTS
+        PSCustomObject
+
+        Returns one object per classified column with the following properties:
+        - ComputerName: The computer name of the SQL Server instance
+        - InstanceName: The SQL Server instance name
+        - SqlInstance: The full SQL Server instance name
+        - Database: The database name
+        - Schema: The schema name of the table
+        - Table: The table name
+        - Column: The column name
+        - InformationTypeId: GUID identifying the information type
+        - InformationType: Human-readable information type name
+        - SensitivityLabelId: GUID identifying the sensitivity label
+        - SensitivityLabel: Human-readable sensitivity label name
+
+    .EXAMPLE
+        PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019
+
+        Returns all data classifications across all databases on sql2019.
+
+    .EXAMPLE
+        PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019 -Database AdventureWorks
+
+        Returns all data classifications in the AdventureWorks database.
+
+    .EXAMPLE
+        PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019 -Database AdventureWorks -Table Customer
+
+        Returns data classifications for columns in the Customer table.
+
+    .EXAMPLE
+        PS C:\> Get-DbaDatabase -SqlInstance sql2019 -Database AdventureWorks | Get-DbaDbDataClassification
+
+        Returns all data classifications in AdventureWorks by piping the database object.
+
+    .EXAMPLE
+        PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019 -Database AdventureWorks | Where-Object SensitivityLabel -eq "Highly Confidential"
+
+        Returns only columns classified as Highly Confidential in AdventureWorks.
+    #>
+    [CmdletBinding()]
+    param (
+        [DbaInstanceParameter[]]$SqlInstance,
+        [PSCredential]$SqlCredential,
+        [string[]]$Database,
+        [string[]]$Schema,
+        [string[]]$Table,
+        [string[]]$Column,
+        [parameter(ValueFromPipeline)]
+        [Microsoft.SqlServer.Management.Smo.Database[]]$InputObject,
+        [switch]$EnableException
+    )
+    process {
+        if ($SqlInstance) {
+            $InputObject = Get-DbaDatabase -SqlInstance $SqlInstance -SqlCredential $SqlCredential -Database $Database | Where-Object IsAccessible
+        }
+
+        foreach ($db in $InputObject) {
+            $server = $db.Parent
+
+            if ($server.VersionMajor -lt 9) {
+                Stop-Function -Message "Data classification requires SQL Server 2005 or later. Skipping $server" -Target $server -Continue
+            }
+
+            $sql = "
+SELECT
+    SCHEMA_NAME(o.schema_id) AS SchemaName,
+    o.name AS TableName,
+    c.name AS ColumnName,
+    CAST(ep1.value AS NVARCHAR(MAX)) AS InformationTypeId,
+    CAST(ep2.value AS NVARCHAR(MAX)) AS InformationType,
+    CAST(ep3.value AS NVARCHAR(MAX)) AS SensitivityLabelId,
+    CAST(ep4.value AS NVARCHAR(MAX)) AS SensitivityLabel
+FROM sys.objects o
+INNER JOIN sys.columns c ON o.object_id = c.object_id
+LEFT JOIN sys.extended_properties ep1
+    ON ep1.major_id = o.object_id AND ep1.minor_id = c.column_id
+    AND ep1.name = 'sys_information_type_id' AND ep1.class = 1
+LEFT JOIN sys.extended_properties ep2
+    ON ep2.major_id = o.object_id AND ep2.minor_id = c.column_id
+    AND ep2.name = 'sys_information_type_name' AND ep2.class = 1
+LEFT JOIN sys.extended_properties ep3
+    ON ep3.major_id = o.object_id AND ep3.minor_id = c.column_id
+    AND ep3.name = 'sys_sensitivity_label_id' AND ep3.class = 1
+LEFT JOIN sys.extended_properties ep4
+    ON ep4.major_id = o.object_id AND ep4.minor_id = c.column_id
+    AND ep4.name = 'sys_sensitivity_label_name' AND ep4.class = 1
+WHERE o.type = 'U'
+  AND (ep1.value IS NOT NULL OR ep2.value IS NOT NULL OR ep3.value IS NOT NULL OR ep4.value IS NOT NULL)
+ORDER BY SCHEMA_NAME(o.schema_id), o.name, c.name"
+
+            try {
+                $results = $db.Query($sql)
+            } catch {
+                Stop-Function -Message "Error querying data classifications in $($db.Name) on $server" -ErrorRecord $_ -Target $db -Continue
+            }
+
+            foreach ($row in $results) {
+                if ($Schema -and $row.SchemaName -notin $Schema) { continue }
+                if ($Table -and $row.TableName -notin $Table) { continue }
+                if ($Column -and $row.ColumnName -notin $Column) { continue }
+
+                [PSCustomObject]@{
+                    ComputerName       = $db.ComputerName
+                    InstanceName       = $db.InstanceName
+                    SqlInstance        = $db.SqlInstance
+                    Database           = $db.Name
+                    Schema             = $row.SchemaName
+                    Table              = $row.TableName
+                    Column             = $row.ColumnName
+                    InformationTypeId  = $row.InformationTypeId
+                    InformationType    = $row.InformationType
+                    SensitivityLabelId = $row.SensitivityLabelId
+                    SensitivityLabel   = $row.SensitivityLabel
+                    DatabaseObject     = $db
+                }
+            }
+        }
+    }
+}
@@ -0,0 +1,140 @@
+function Remove-DbaDbDataClassification {
+    <#
+    .SYNOPSIS
+        Removes data classification labels from SQL Server table columns
+
+    .DESCRIPTION
+        Removes all data classification metadata from table columns by dropping the four extended properties:
+        - sys_information_type_id
+        - sys_information_type_name
+        - sys_sensitivity_label_id
+        - sys_sensitivity_label_name
+
+        Accepts piped input from Get-DbaDbDataClassification, making it easy to remove classifications
+        from specific columns or bulk-remove classifications across databases.
+
+        Requires SQL Server 2005 or later due to use of sp_dropextendedproperty.
+
+    .PARAMETER InputObject
+        Accepts classification objects piped from Get-DbaDbDataClassification.
+
+    .PARAMETER WhatIf
+        Shows what would happen if the command were to run. No actions are actually performed.
+
+    .PARAMETER Confirm
+        Prompts you for confirmation before executing any changing operations within the command.
+
+    .PARAMETER EnableException
+        By default, when something goes wrong we try to catch it, interpret it and give you a friendly warning message.
+        This avoids overwhelming you with "sea of red" exceptions, but is inconvenient because it basically disables advanced scripting.
+        Using this switch turns this "nice by default" feature off and enables you to catch exceptions with your own try/catch.
+
+    .NOTES
+        Tags: DataClassification, Classification, Compliance, Security
+        Author: the dbatools team + Claude
+
+        Website: https://dbatools.io
+        Copyright: (c) 2024 by dbatools, licensed under MIT
+        License: MIT https://opensource.org/licenses/MIT
+
+    .LINK
+        https://dbatools.io/Remove-DbaDbDataClassification
+
+    .OUTPUTS
+        PSCustomObject
+
+        Returns one object per successfully processed column with these properties:
+        - ComputerName: The computer name of the SQL Server instance
+        - InstanceName: The SQL Server instance name
+        - SqlInstance: The full SQL Server instance name
+        - Database: The database name
+        - Schema: The schema of the table
+        - Table: The table name
+        - Column: The column name
+        - Status: The result of the removal operation
+
+    .EXAMPLE
+        PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019 -Database AdventureWorks | Remove-DbaDbDataClassification
+
+        Removes all data classifications from the AdventureWorks database.
+
+    .EXAMPLE
+        PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019 -Database AdventureWorks -Table Customer | Remove-DbaDbDataClassification -Confirm:$false
+
+        Removes data classifications from all classified columns in the Customer table without prompting.
+
+    .EXAMPLE
+        PS C:\> Get-DbaDbDataClassification -SqlInstance sql2019 -Database AdventureWorks | Where-Object SensitivityLabel -eq "General" | Remove-DbaDbDataClassification
+
+        Removes only classifications with the "General" sensitivity label from AdventureWorks.
+    #>
+    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = "High")]
+    param (
+        [parameter(ValueFromPipeline, Mandatory)]
+        [psobject[]]$InputObject,
+        [switch]$EnableException
+    )
+    process {
+        foreach ($classObj in $InputObject) {
+            $db = $classObj.DatabaseObject
+            if (-not $db) {
+                Stop-Function -Message "No database object found in input. Use Get-DbaDbDataClassification to get valid input objects." -Continue
+                continue
+            }
+
+            $server = $db.Parent
+            $schemaName = $classObj.Schema
+            $tableName = $classObj.Table
+            $columnName = $classObj.Column
+            $target = "[$schemaName].[$tableName].[$columnName] in $($db.Name) on $server"
+
+            if ($Pscmdlet.ShouldProcess($target, "Removing data classification")) {
+                $escapedSchema = $schemaName.Replace("'", "''")
+                $escapedTable = $tableName.Replace("'", "''")
+                $escapedColumn = $columnName.Replace("'", "''")
+
+                $status = "Removed"
+                $errors = @()
+
+                foreach ($propName in "sys_information_type_id", "sys_information_type_name", "sys_sensitivity_label_id", "sys_sensitivity_label_name") {
+                    $checkSql = "
+SELECT COUNT(1) AS PropExists
+FROM sys.extended_properties ep
+INNER JOIN sys.objects o ON ep.major_id = o.object_id
+INNER JOIN sys.columns c ON o.object_id = c.object_id AND ep.minor_id = c.column_id
+WHERE SCHEMA_NAME(o.schema_id) = '$escapedSchema'
+  AND o.name = '$escapedTable'
+  AND c.name = '$escapedColumn'
+  AND ep.name = '$propName'
+  AND ep.class = 1"
+
+                    try {
+                        $exists = $db.Query($checkSql).PropExists
+                        if ($exists -gt 0) {
+                            $dropSql = "EXEC sys.sp_dropextendedproperty @name = N'$propName', @level0type = N'SCHEMA', @level0name = N'$escapedSchema', @level1type = N'TABLE', @level1name = N'$escapedTable', @level2type = N'COLUMN', @level2name = N'$escapedColumn'"
+                            $db.Query($dropSql)
+                        }
+                    } catch {
+                        $errors += $propName
+                        Write-Message -Level Warning -Message "Failed to drop extended property '$propName' from $target : $_"
+                    }
+                }
+
+                if ($errors.Count -gt 0) {
+                    $status = "Partial - failed to remove: $($errors -join ', ')"
+                }
+
+                [PSCustomObject]@{
+                    ComputerName = $classObj.ComputerName
+                    InstanceName = $classObj.InstanceName
+                    SqlInstance  = $classObj.SqlInstance
+                    Database     = $classObj.Database
+                    Schema       = $schemaName
+                    Table        = $tableName
+                    Column       = $columnName
+                    Status       = $status
+                }
+            }
+        }
+    }
+}