This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(172.8, 21%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENP%3C/text%3E%3C/svg%3E)
Hi Team,
I tried to implement column level security on a table in synapse analytics by skipping one column that shouldn't be viewed by a specific user,
but still this user is able to view this column from the table.
The query I used to implement this is: GRANT SELECT ON Table (column1, column2) TO User;
Some extra background:
This user is created in the current DB and has his login created in master DB.
The login is SQL Authentication.
Any idea what is the work around?
Thanks,
Neil.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(73.60000000000001, 21%, 17%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDB%3C/text%3E%3C/svg%3E)
As @Erland Sommarskog says, the user is getting the permissions from somewhere else. This is a scenario where you should use DENY, which overrides any GRANTs the user might have. eg
deny select on SomeTable (secretColumn) to SomeUser
And it's simpler because you only have to list the columns you want to prevent the user from seeing.
Maybe. I think Neil should first determine where the permission comes from. Maybe some permission has been granted frivolously and should be revoked.
DENY is something should avoid as much as possible, as it often can lead to problems further down the road, since DENY takes precedence over GRANT.
But for limiting access to a confidential column that can be a good thing, as you don't have to worry about a role membership changing inadvertently giving the user access to the column, and it's really easy to audit.
...unless the user is added to that role because the user has a new position in the company and should now be entitled to see the new column. And by then everyone has forgotten about the DENY.
But, yes, DENY for individual users is somewhat less risky and issue DENY for AD groups. The latter is almost bound to cause trouble.
Accidentally preventing someone from seeing sensitive data they are entitled to see is much better than the opposite.
True. But if that person has control over you paycheck, the situation can be a little uncomfortable. :-)
But it is also to avoid the opposite, that is, users seeing what they should not see, I'm suggesting Neil to investigate where the permissions are coming from.
The Deny statement worked and user wasn't able to view the column that he's not supposed to.
I'll update the thread with all the permissions this user has, as a part of investigation.
Thanks again, I appreciate all the suggestions and the support this forum gives us.
First of all, I don't use Synapse or Azure Data Warehouse, so this answer is based on general experience of the regular SQL Server database engine.
How is the user accessing the table? Directly, or through a view or a stored procedures.
Generally, when things like this happens, the user typically has permission from somewhere else. That could be membership in a role, or it could be that you have granted permission on the entire table to public.
Column-level security, and the whole permissions model is the same in Synapse SQL as other flavors of SQL Server.
I'm testing the different security features for Synapse Analytics.
The user is basically me or a co-worker who is trying to login to the server and db using the user credentials.
so, the user is accessing SSMS directly and not via stored procedures.
The user has a role of db_datareader onto which I'm trying to limit his access for a specific column of specific tables.
If the user is in db_datareader, this explains why the user sees the column. Adding a user to db_datareader means that you grant that user right SELECT permission on any table in the database. And all columns on all tables.
If you want to keep the user in db_datareader, you will need to use DENY as suggested by David.
But you may also having second thoughts of adding users to db_datareader. You can also grant SELECT permissions on schema level, and stick sensitive information in separate schemas. Obviously, this would require to put the column in this case in a separate table. Or move the entire table to a separate schema, and add a view to the dbo schema that only exposes the public columns.
I like to point out that the ideas I float in the previous section are not necessarily your best choices. I am just presenting some alternatives. It could be that DENY is the best for you, but I have given you a caution.
Hi @Erland Sommarskog , Yes I'd like to keep the user in db_datareader role and apply column level security using deny,
because the table requirement isn't suitable to split it into a different schema with different rules.
But I'll definitely keep your suggestions in mind.
Thanks a ton!