Do Dynamic data masking applied to Azure SQL database table's columns propagate to the Analysis Services tabular model?

AzureLearnChstr 26 Reputation points
2021-08-20T18:54:32.897+00:00

Do Dynamic granular level data masking permissions applied to Azure SQL database table's columns propagate to the Analysis Services tabular model based upon that table?
For example:
a) I have a Table A in an Azure SQL database. Table A has the columns :: empno int not null primary key, ename varchar(50) not null, sal decimal(10,2), SSN varchar(16) NULL); Columns sal and SSN have the following mask MASKED WITH (FUNCTION = 'default()'). The table has dummy data.
b) These two masked columns have granular level permissions, so that only persons belonging to AD group named user_group1 can see their unmasked data
c) I have verified that only users belonging to user_group1 can see the unmasked values in these columns in Azure Data Studio, others cannot
d) As an administrator, I have created a Tabular model based upon this table, and have deployed it to the Azure Analysis service. All users in my organization have been given Reader access to the tabular model

My questions are:

  1. Will all users other than the ones belonging to the user_group1 see the data masked in these two columns that are part of the tabular model?
  2. How do I propagate these granular dynamic masking rules to the Tabular model based upon this table, so that only certain users can see certain unmasked columns whereas other can not?

Thanks.

Azure SQL Database
Azure Analysis Services
Azure Analysis Services
An Azure service that provides an enterprise-grade analytics engine.
479 questions
0 comments No comments
{count} votes

Accepted answer
  1. Nandan Hegde 36,146 Reputation points MVP Volunteer Moderator
    2021-08-23T05:22:47.317+00:00

    Hey,
    To answer your query :

    1. Dynamic data masking is a feature of Azure SQL database. You might be processing the tabular model connecting to Azure SQL database via a SQL account.
      In that scenario, the data within the tabular model would be masked or unmasked based on what access the SQL account that is configured to connect to Azure SQL db from tabular model has.

    Every user having read access to the tabular model would see the same data (either masked or unmasked).

    You can use the function of Object level security to hide sensitive columns from certain users:
    https://learn.microsoft.com/en-us/analysis-services/tabular-models/object-level-security?view=asallproducts-allversions

    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. AzureLearnChstr 26 Reputation points
    2021-08-23T20:56:13.567+00:00

    Thank you! I wish there was a way to extend the granular masking ability to the tabular model too.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.