TLDR:
I still have to give specific users or groups view-permission on an ADX database when I use an On-Behalf token to do a Kusto query, even though the application that does the query has view rights. Am I misunderstanding something? How can I just give an application view-permissions to an ADX database, but still use Row-level security?
Full description
The situation is as follows.
I have a website that does a call to endpoints of a telemetry-api to get sensor data to show on page. This telemetry-api queries Azure Data Explorer (ADX) using the .NET Kusto Client. ADX has been set up with Row-Level Security (RLS).
So the situation that I want is that:
- Just the API application is allowed view permissions on the ADX database, not every individual user
- The query on ADX is done for the user, so that row-level security does its job.
I have been following the following documentation: [https://learn.microsoft.com/en-us/azure/data-explorer/provision-azure-ad-app][https://learn.microsoft.com/en-us/azure/data-explorer/provision-azure-ad-app]
Specifically, under the "Configure delegated permissions for the application registration" section it seems to say exactly what I want:
"If your application needs to access Azure Data Explorer using the credentials of the calling user, configure delegated permissions for your application registration. For example, if you're building a web API to access Azure Data Explorer and you want to authenticate using the credentials of the user who is calling your API."
The website logs in the user, and does a call to the telemetry API using the access JWT token.
The telemetry API uses this access token to create an On-Behalf-token for this user, using its AAD app registration.
This creates an expected token with the user information, the ApplicationId as the audience and user_impersonation for ADX as scope.
Executing a Kusto query with this OBO token returns an error that the user in the token does not have access to the ADX database.
In this situation, the Telemetry application is given viewer permissions to the ADX Database, as stated in the documentation. It was my belief that since the OBO token is specifically created by the Telemetry application, this OBO token would be enough to access the database, But it is not.
It all works as expected when I add the user specifically as a database-viewer to the database permissions. This tells me that even though the application requests a JWT token, it is not correctly granted access to ADX.
How can I set this up so that I just have to give an application access on the ADX database (and not each individual user account), and still use Row level security?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(304, 32%, 39%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECR%3C/text%3E%3C/svg%3E)
or upvote 
button whenever the information provided helps you.