Column-level security in Fabric data warehousing
Applies to: 
SQL analytics endpoint and Warehouse in Microsoft Fabric
Column-level security simplifies the design and coding of security in your application, allowing you to restrict column access to protect sensitive data. For example, ensuring that specific users can access only certain columns of a table pertinent to their department.
Column-level security at the data level
The access restriction logic is located in the database tier, not in any single application tier. The database applies the access restrictions every time data access is attempted, from any application or reporting platform including Power BI. This restriction makes your security more reliable and robust by reducing the surface area of your overall security system.
Column-level security only applies to queries on a Warehouse or SQL analytics endpoint in Fabric. Power BI queries on a warehouse in Direct Lake mode will fall back to Direct Query mode to abide by column-level security.
Restrict access to certain columns to certain users
In addition, column-level security is simpler and than designing additional views to filter out columns for imposing access restrictions on the users.
Implement column-level security with theĀ GRANT T-SQL statement. For simplicity of management, assigning permissions to roles is preferred to using individuals.
Column-level security is applied to shared warehouse or lakehouse, because the underlying data source hasn't changed.
Only Microsoft Entra authentication is supported.
Examples
This example will create a table and will limit the columns that charlie@contoso.com can see in the customers table.
CREATE TABLE dbo.Customers
(CustomerID int,
FirstName varchar(100) NULL,
CreditCard char(16) NOT NULL,
LastName varchar(100) NOT NULL,
Phone varchar(12) NULL,
Email varchar(100) NULL);
We will allow Charlie to only access the columns related to the customer, but not the sensitive CreditCard column:
GRANT SELECT ON Customers(CustomerID, FirstName, LastName, Phone, Email) TO [Charlie@contoso.com];
Queries executed as charlie@contoso.com will fail if they include the CreditCard column:
SELECT * FROM Customers;
Msg 230, Level 14, State 1, Line 12
The SELECT permission was denied on the column 'CreditCard' of the object 'Customers', database 'ContosoSales', schema 'dbo'.
Next step
Related content
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for