Role-based access control
Applies to: ✅ Microsoft Fabric ✅ Azure Data Explorer
Azure Data Explorer uses a role-based access control (RBAC) model in which principals get access to resources based on their assigned roles. Roles are defined for a specific cluster, database, table, external table, materialized view, or function. When defined for a cluster, the role applies to all databases in the cluster. When defined for a database, the role applies to all entities in the database.
Azure Resource Manager (ARM) roles, such as subscription owner or cluster owner, grant access permissions for resource administration. For data administration, you need the roles described in this document.
Note
To delete a database, you need at least Contributor ARM permissions on the cluster. To assign ARM permissions, see Assign Azure roles using the Azure portal.
Real-Time Intelligence in Fabric uses a hybrid role-based access control (RBAC) model in which principals get access to resources based on their assigned roles granted from one or both of two sources: Fabric, and Kusto management commands. The user will have the union of the roles granted from both sources.
Within Fabric, roles can be assigned or inherited by assigning a role in a workspace, or by sharing a specific item based on the item permission model.
Fabric roles
| Role | Permissions granted on items |
|---|---|
| Workspace Admin | Admin RBAC role on all items in the workspace. |
| Workspace Member | Admin RBAC role on all items in the workspace. |
| Workspace Contributor | Admin RBAC role on all items in the workspace. |
| Workspace Viewer | Viewer RBAC role on all items in the workspace. |
| Item Editor | Admin RBAC role on the item. |
| Item Viewer | Viewer RBAC role on the item. |
Roles can further be defined on the data plane for a specific database, table, external table, materialized view, or function, by using management commands. In both cases, roles applied at a higher level (Workspace, Eventhouse) are inherited by lower levels (Database, Table).
Roles and permissions
The following table outlines the roles and permissions available at each scope.
The Permissions column displays the access granted to each role.
The Dependencies column lists the minimum roles required to obtain the role in that row. For example, to become a Table Admin, you must first have a role like Database User or a role that includes the permissions of Database User, such as Database Admin or AllDatabasesAdmin. When multiple roles are listed in the Dependencies column, only one of them is needed to obtain the role.
The How the role is obtained column offers ways that the role can be granted or inherited.
The Manage column offers ways to add or remove role principals.
| Scope | Role | Permissions | Dependencies | Manage |
|---|---|---|---|---|
| Cluster | AllDatabasesAdmin | Full permission to all databases in the cluster. May show and alter certain cluster-level policies. Includes all permissions. | Azure portal | |
| Cluster | AllDatabasesViewer | Read all data and metadata of any database in the cluster. | Azure portal | |
| Cluster | AllDatabasesMonitor | Execute .show commands in the context of any database in the cluster. |
Azure portal | |
| Database | Admin | Full permission in the scope of a particular database. Includes all lower level permissions. | Azure portal or management commands | |
| Database | User | Read all data and metadata of the database. Create tables and functions, and become the admin for those tables and functions. | Azure portal or management commands | |
| Database | Viewer | Read all data and metadata, except for tables with the RestrictedViewAccess policy turned on. | Azure portal or management commands | |
| Database | Unrestrictedviewer | Read all data and metadata, including in tables with the RestrictedViewAccess policy turned on. | Database User or Database Viewer | Azure portal or management commands |
| Database | Ingestor | Ingest data to all tables in the database without access to query the data. | Azure portal or management commands | |
| Database | Monitor | Execute .show commands in the context of the database and its child entities. |
Azure portal or management commands | |
| Table | Admin | Full permission in the scope of a particular table. | Database User | management commands |
| Table | Ingestor | Ingest data to the table without access to query the data. | Database User or Database Ingestor | management commands |
| External Table | Admin | Full permission in the scope of a particular external table. | Database User or Database Viewer | management commands |
| Materialized view | Admin | Full permission to alter the view, delete the view, and grant admin permissions to another principal. | Database User or Table Admin | management commands |
| Function | Admin | Full permission to alter the function, delete the function, and grant admin permissions to another principal. | Database User or Table Admin | management commands |
| Scope | Role | Permissions | How the role is obtained |
|---|---|---|---|
| Eventhouse | AllDatabasesAdmin | Full permission to all databases in the Eventhouse. May show and alter certain Eventhouse-level policies. Includes all permissions. | - Inherited as workspace admin, workspace member, or workspace contributor. Can't be assigned with management commands. |
| Database | Admin | Full permission in the scope of a particular database. Includes all lower level permissions. | - Inherited as workspace admin, workspace member, or workspace contributor - Item shared with editing permissions. - Assigned with management commands |
| Database | User | Read all data and metadata of the database. Create tables and functions, and become the admin for those tables and functions. | - Assigned with management commands |
| Database | Viewer | Read all data and metadata, except for tables with the RestrictedViewAccess policy turned on. | - Item shared with viewing permissions. - Assigned with management commands |
| Database | Unrestrictedviewer | Read all data and metadata, including in tables with the RestrictedViewAccess policy turned on. | - Assigned with management commands. Dependent on having Database User or Database Viewer. |
| Database | Ingestor | Ingest data to all tables in the database without access to query the data. | - Assigned with management commands |
| Database | Monitor | Execute .show commands in the context of the database and its child entities. |
- Assigned with management commands |
| Table | Admin | Full permission in the scope of a particular table. | - Inherited as workspace admin, workspace member, or workspace contributor - Parent item (KQL Database) shared with editing permissions. - Assigned with management commands. Dependent on having Database User on the parent database. |
| Table | Ingestor | Ingest data to the table without access to query the data. | - Assigned with management commands. Dependent on having Database User or Database Ingestor on the parent database. |
| External Table | Admin | Full permission in the scope of a particular external table. | - Assigned with management commands. Dependent on having Database User or Database Viewer on the parent database. |
| Materialized view | Admin | Full permission to alter the view, delete the view, and grant admin permissions to another principal. | - Inherited as workspace admin, workspace member, or workspace contributor - Parent item (KQL Database) shared with editing permissions. - Assigned with management commands. Dependent on having Database User or Table Admin on the parent items. |
| Function | Admin | Full permission to alter the function, delete the function, and grant admin permissions to another principal. | - Inherited as workspace admin, workspace member, or workspace contributor - Parent item (KQL Database) shared with editing permissions. - Assigned with management commands. Dependent on having Database User or Table Admin on the parent items. |