Manage function roles
Applies to: ✅ Microsoft Fabric ✅ Azure Data Explorer
Principals are granted access to resources through a role-based access control model, where their assigned security roles determine their resource access.
On functions, the only security role is admins. Function admins have the ability to view, modify, and remove the function.
In this article, you'll learn how to use management commands to view existing admins as well as add and remove admins on functions.
Note
A principal must have access on the database or table level to be a Function Admin.
Permissions
You must have Database Admin permissions or be a Function Admin on the specific function to run these commands. For more information, see role-based access control.
Show existing admins
Before you add or remove principals, you can use the .show command to see a table with all of the principals that already have admin access on the function.
Syntax
To show all roles:
.show function FunctionName principals
To show your roles:
.show function FunctionName principal roles
Learn more about syntax conventions.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| FunctionName | string |
✔️ | The name of the function for which to list principals. |
Example
The following command lists all security principals that have access to the SampleFunction function.
.show function SampleFunction principals
Example output
| Role | PrincipalType | PrincipalDisplayName | PrincipalObjectId | PrincipalFQN |
|---|---|---|---|---|
| Function SampleFunction Admin | Microsoft Entra user | Abbi Atkins | cd709aed-a26c-e3953dec735e | aaduser=abbiatkins@fabrikam.com |
Add and drop admins
This section provides syntax, parameters, and examples for adding and removing principals.
Syntax
Action function FunctionName admins ( Principal [, Principal...] ) [skip-results] [ Description ]
Learn more about syntax conventions.
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| Action | string |
✔️ | The command .add, .drop, or .set..add adds the specified principals, .drop removes the specified principals, and .set adds the specified principals and removes all previous ones. |
| FunctionName | string |
✔️ | The name of the function for which to add principals. |
| Principal | string |
✔️ | One or more principals. For guidance on how to specify these principals, see Referencing security principals. |
skip-results |
string |
If provided, the command won't return the updated list of function principals. | |
| Description | string |
Text to describe the change that will be displayed when using the .show command. |
Note
The .set command with none instead of a list of principals will remove all principals.
Examples
In the following examples, you'll see how to add admins, remove admins, and add and remove admins in the same command.
Add admins with .add
The following example adds a principal to the admins role on the SampleFunction function.
.add function SampleFunction admins ('aaduser=imikeoein@fabrikam.com')
Remove admins with .drop
The following example removes all principals in the group from the admins role on the SampleFunction function.
.drop function SampleFunction admins ('aadGroup=SomeGroupEmail@fabrikam.com')
Add new admins and remove the old with .set
The following example removes existing admins and adds the provided principals as admins on the SampleFunction function.
.set function SampleFunction admins ('aaduser=imikeoein@fabrikam.com', 'aaduser=abbiatkins@fabrikam.com')
Remove all admins with .set
The following command removes all existing admins on the SampleFunction function.
.set function SampleFunction admins none