Events
31 Mar, 11 pm - 2 Apr, 11 pm
The biggest Fabric, Power BI, and SQL learning event. March 31 – April 2. Use code FABINSIDER to save $400.
Register todaySQL granular permissions in Microsoft Fabric
Applies to: ✅ SQL analytics endpoint and Warehouse in Microsoft Fabric
When the default permissions provided by assignment to workspace roles or granted through item permissions are insufficient, standard SQL constructs are available for more granular control.
For SQL analytics endpoint and Warehouse:
- Object-level-security can be managed using GRANT, REVOKE, and DENY T-SQL syntax.
- Users can be assigned to SQL roles, both custom and built-in database roles.
- In order for a user to connect to the database, the user must be assigned to a Workspace role or assigned the item Read permission. Without Read permission at a minimum, the connection fails.
- If you'd like to set up a user's granular permissions before allowing them to connect to the warehouse, permissions can first be set up within SQL. Then, they can be given access by assigning them to a Workspace role or granting item permissions.
CREATE USERcannot be explicitly executed currently. WhenGRANTorDENYis executed, the user is created automatically. The user will not be able to connect until sufficient workspace level rights are given.
When a user connects to the SQL connection string, they can view the permissions available to them using the sys.fn_my_permissions function.
User's database scoped permissions:
SQL
SELECT *
FROM sys.fn_my_permissions(NULL, 'Database');
User's schema scoped permissions:
SQL
SELECT *
FROM sys.fn_my_permissions('<schema-name>', 'Schema');
User's object-scoped permissions:
SQL
SELECT *
FROM sys.fn_my_permissions('<schema-name>.<object-name>', 'Object');
When connected via the SQL connection string, a user with elevated permissions can query granted permissions by using system views. This doesn't show the users or user permissions that are given to users by being assigned to workspace roles or assigned item permissions.
SQL
SELECT DISTINCT pr.principal_id, pr.name, pr.type_desc,
pr.authentication_type_desc, pe.state_desc, pe.permission_name
FROM sys.database_principals AS pr
INNER JOIN sys.database_permissions AS pe
ON pe.grantee_principal_id = pr.principal_id;
You can secure column filters and predicate-based row filters on tables in Warehouse or SQL analytics endpoint to roles and users in Microsoft Fabric. You can also mask sensitive data from non-admins using dynamic data masking.
Additional resources
Training
Module
Secure data access in Microsoft Fabric - Training
Learn the key concepts and strategies for securing data access in Microsoft Fabric.
Certification
Microsoft Certified: Fabric Data Engineer Associate - Certifications
As a Fabric Data Engineer, you should have subject matter expertise with data loading patterns, data architectures, and orchestration processes.