ADX KQL Restrict Statement Help

Anonymous
2022-09-01T13:51:45.543+00:00

I am using Azure Data Explorer and need to know how to write and where to put a KQL restrict statement such that only users of a specific group (e.g. 'aadgroup=foo') have access to the tables/functions of a database (e.g. 'censusDevTest'). How is such a statement written, and where?

Azure Data Explorer

An Azure data analytics service for real-time analysis on large volumes of data streaming from sources including applications, websites, and internet of things devices.


2 answers

  1. Rahul Gosavi 201 Reputation points
    2022-09-12T12:01:58.43+00:00

    Hello Michael,

    You can do one thing: execute the command below to restrict access to a particular table or materialized view:

    For Table:
    .alter table <table_name> policy restricted_view_access true

    For Materialized View:
    .alter materialized-view <materialized-view_name> policy restricted_view_access true

    And then assign the Database unrestrictedviewer role to a specific user, so he will only be able to access that particular table or MV.

    And for managing roles and permissions, please take a look at the link below:

    https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/security-roles#managing-database-security-roles

    If this solves your query, do click on Accept Answer.

    Thanks,
    Rahul


  2. Maxim Sergeev 6,591 Reputation points Microsoft Employee
    2022-09-01T17:48:03.17+00:00

    Hi @Anonymous ,

    I assume you are looking for this

    https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/rowlevelsecuritypolicy

    If you have multiple Azure AD groups, and you want the members of each group to see a different subset of data, use this structure for an RLS query.

    let IsInGroup1 = current_principal_is_member_of('aadgroup=******@domain.com');  
    let IsInGroup2 = current_principal_is_member_of('aadgroup=******@domain.com');  
    let IsInGroup3 = current_principal_is_member_of('aadgroup=******@domain.com');  
    let DataForGroup1 = Customers | where IsInGroup1 and <filtering specific for group1>;  
    let DataForGroup2 = Customers | where IsInGroup2 and <filtering specific for group2>;  
    let DataForGroup3 = Customers | where IsInGroup3 and <filtering specific for group3>;  
    union DataForGroup1, DataForGroup2, DataForGroup3  
    

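The RLS structure in the answer above, reduced to the single-group case from the question and attached to a table, as an added example that is not part of either answer. The table name `Census`, the function name `CensusRLS` and the group `aadgroup=foo@domain.com` are hypothetical placeholders; run each management command separately.

```kusto
// Added example. Census, CensusRLS and the group address are placeholders.

// 1. Store the RLS query as a function so the policy text stays short and
//    the filter can be changed later without touching the policy itself.
//    Group members get every row; any other principal gets an empty result.
.create-or-alter function with (docstring = "RLS filter for Census") CensusRLS() {
    Census
    | where current_principal_is_member_of('aadgroup=foo@domain.com')
}

// 2. Attach the function to the table as its row level security policy.
//    From this point the policy query is evaluated for every principal
//    that queries Census.
.alter table Census policy row_level_security enable "CensusRLS"

// 3. Check that the policy is present and enabled.
.show table Census policy row_level_security

// 4. Verify with two accounts: a member of the group should get the real
//    row count, a non-member should get 0.
Census
| count

// Roll back while testing, if the filter locks out the wrong principals.
.alter table Census policy row_level_security disable "CensusRLS"
```

The policy is set per table, so a database with several tables needs one such policy on each table that must be filtered.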
