Azure Data Explorer role-based access control
Azure Data Explorer uses a role-based access control (RBAC) model in which principals get access to resources based on their assigned roles. Roles are defined for a specific cluster, database, table, external table, materialized view, or function. When defined for a cluster, the role applies to all databases in the cluster. When defined for a database, the role applies to all entities in the database.
Azure Resource Manager (ARM) permissions, such as being a subscription owner or a cluster owner, grant access to resources in the control plane only. They do not by themselves grant the ability to query or ingest data. To access data within Azure Data Explorer, a principal also needs the separate data plane roles described in this document.
Roles and permissions
The following table outlines the roles and permissions available at each scope.
The Permissions column describes the access granted to each role.
The Dependencies column lists the minimum roles required to obtain the role in that row. For example, to become a Table Admin, you must first hold Database User or a role that includes the permissions of Database User, such as Database Admin or AllDatabasesAdmin. When multiple roles are listed in the Dependencies column, only one of them is needed to obtain the role.
The Manage column lists the ways to add or remove principals for the role.
| Scope | Role | Permissions | Dependencies | Manage |
|---|---|---|---|---|
| Cluster | AllDatabasesAdmin | Full permission to all databases in the cluster. May show and alter certain cluster-level policies. Includes all permissions. | | Azure portal |
| Cluster | AllDatabasesViewer | Read all data and metadata of any database in the cluster. | | Azure portal |
| Database | Admin | Full permission in the scope of a particular database. Includes all lower level permissions. | | Azure portal or management commands |
| Database | User | Read all data and metadata of the database. Create tables and functions, and become the admin for those tables and functions. | | Azure portal or management commands |
| Database | Viewer | Read all data and metadata, except for tables with the RestrictedViewAccess policy turned on. | | Azure portal or management commands |
| Database | Unrestrictedviewer | Read all data and metadata, including in tables with the RestrictedViewAccess policy turned on. | Database User or Database Viewer | Azure portal or management commands |
| Database | Ingestor | Ingest data to all tables in the database without access to query the data. | | Azure portal or management commands |
| Table | Admin | Full permission in the scope of a particular table. | Database User | Management commands |
| Table | Ingestor | Ingest data to the table without access to query the data. | Database User or Database Ingestor | Management commands |
| External Table | Admin | Full permission in the scope of a particular external table. | Database User or Database Viewer | Management commands |
| Materialized view | Admin | Full permission to alter the view, delete the view, and grant admin permissions to another principal. | Database User or Table Admin | Management commands |
| Function | Admin | Full permission to alter the function, delete the function, and grant admin permissions to another principal. | Database User or Table Admin | Management commands |
- To set cluster level permissions, see manage cluster permissions.
- To set permissions for a database, use the Azure portal or use management commands.
- To set permissions for a table, external table, function, or materialized view, use management commands.
- To grant a principal from a different tenant access to a resource, see Allow cross-tenant queries and commands.
- To grant a principal view access to a subset of tables, see manage table view access.
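The following management-command sequence is an added example and is not taken from the original page or from Microsoft's documentation. It walks through the dependency rule and the RestrictedViewAccess behaviour described in the table above. The database `SecLogs`, the tables `AuthEvents` and `Secrets`, the `fabrikam.com` tenant, the application ID, and all user and group names are hypothetical.

```kusto
// Added example (not from the page). Database SecLogs, tables AuthEvents and
// Secrets, tenant fabrikam.com, and every principal below are hypothetical.

// 1. Dependency rule: a principal must hold Database User (or a role that
//    includes it) before a table-scoped role can be granted to them.
.add database SecLogs users ('aaduser=alice@fabrikam.com') 'SOC analyst'

// 2. With the dependency satisfied, grant Table Admin on one table only.
.add table AuthEvents admins ('aaduser=alice@fabrikam.com') 'Owns AuthEvents schema'

// 3. Least privilege for an ingestion pipeline: a service principal that can
//    write to one table but cannot query anything. Application principals are
//    written as aadapp=<application id>;<tenant id or domain>.
.add database SecLogs ingestors ('aadapp=11111111-2222-3333-4444-555555555555;fabrikam.com') 'Log shipper'
.add table AuthEvents ingestors ('aadapp=11111111-2222-3333-4444-555555555555;fabrikam.com')

// 4. Keep a sensitive table out of reach of ordinary viewers. Database Viewer
//    (the readers group) is blocked from Secrets once the policy is on;
//    Unrestrictedviewer (bob, who first needs Viewer or User) can still read it.
.add database SecLogs viewers ('aadgroup=readers@fabrikam.com') 'Read-only analysts'
.alter table Secrets policy restricted_view_access true
.add database SecLogs viewers ('aaduser=bob@fabrikam.com')
.add database SecLogs unrestrictedviewers ('aaduser=bob@fabrikam.com') 'Approved for Secrets'

// 5. Audit what is actually granted at each scope.
.show database SecLogs principals
.show table AuthEvents principals

// 6. Revoke when the need ends; .drop removes only the listed principals.
.drop table AuthEvents admins ('aaduser=alice@fabrikam.com')
```

Use `.add` rather than `.set` when extending an existing grant: `.set database SecLogs admins (...)` replaces the whole principal list for that role, which is an easy way to lock out every other admin by accident. Re-run the `.show ... principals` commands after any change and compare the output against the intended grant before closing the change.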