Bewerken

Delen via


Manage database security roles

Applies to: ✅ Microsoft FabricAzure Data Explorer

Principals are granted access to resources through a role-based access control model, where their assigned security roles determine their resource access.

In this article, you'll learn how to use management commands to view existing security roles and add and drop principal association to security roles on the database level.

Permissions

You must have at least Database Admin permissions to run these commands.

Note

To delete a database, you need at least Contributor Azure Resource Manager (ARM) permissions. To assign ARM permissions, see Assign Azure roles using the Azure portal.

Database level security roles

The following table shows the possible security roles on the database level and describes the permissions granted for each role.

Role Permissions
admins View and modify the database and database entities.
users View the database and create new database entities.
viewers View tables in the database where RestrictedViewAccess isn't turned on.
unrestrictedviewers View the tables in the database even where RestrictedViewAccess is turned on. The principal must also have admins, viewers, or users permissions.
ingestors Ingest data to the database without access to query.
monitors View database metadata such as schemas, operations, and permissions.

Note

It isn't possible to assign the viewer role for only some tables in the database. For different approaches on how to grant a principal view access to a subset of tables, see manage table view access.

Show existing security roles

Before you add or remove principals, you can use the .show command to see a table with all of the principals and roles that are already set on the database.

Syntax

To show all roles:

.show database DatabaseName principals

To show your roles:

.show database DatabaseName principal roles

Learn more about syntax conventions.

Parameters

Name Type Required Description
DatabaseName string ✔️ The name of the database for which to list principals.

Example

The following command lists all security principals that have access to the Samples database.

.show database Samples principals

Example output

Role PrincipalType PrincipalDisplayName PrincipalObjectId PrincipalFQN
Database Samples Admin Microsoft Entra user Abbi Atkins cd709aed-a26c-e3953dec735e aaduser=abbiatkins@fabrikam.com

Add and drop principal association to security roles

This section provides syntax, parameters, and examples for adding and removing principals to and from security roles.

Syntax

Action database DatabaseName Role ( Principal [, Principal...] ) [skip-results] [ Description ]

Learn more about syntax conventions.

Parameters

Name Type Required Description
Action string ✔️ The command .add, .drop, or .set.
.add adds the specified principals, .drop removes the specified principals, and .set adds the specified principals and removes all previous ones.
DatabaseName string ✔️ The name of the database for which to add principals.
Role string ✔️ The role to assign to the principal. For databases, roles can be admins, users, viewers, unrestrictedviewers, ingestors, or monitors.
Principal string ✔️ One or more principals or managed identities. To reference managed identities, use the "App" format using the managed identity object ID or managed identity client (application) ID. For guidance on how to specify these principals, see Referencing Microsoft Entra principals and groups.
skip-results string If provided, the command won't return the updated list of database principals.
Description string Text to describe the change that displays when using the .show command.
Name Type Required Description
Action string ✔️ The command .add, .drop, or .set.
.add adds the specified principals, .drop removes the specified principals, and .set adds the specified principals and removes all previous ones.
DatabaseName string ✔️ The name of the database for which to add principals.
Role string ✔️ The role to assign to the principal. For databases, this can be admins, users, viewers, unrestrictedviewers, ingestors, or monitors.
Principal string ✔️ One or more principals. For guidance on how to specify these principals, see Referencing Microsoft Entra principals and groups.
skip-results string If provided, the command won't return the updated list of database principals.
Description string Text to describe the change that displays when using the .show command.

Note

The .set command with none instead of a list of principals will remove all principals of the specified role.

Examples

In the following examples, you'll see how to add security roles, remove security roles, and add and remove security roles in the same command.

Add security roles with .add

The following example adds a principal to the users role on the Samples database.

.add database Samples users ('aaduser=imikeoein@fabrikam.com')

The following example adds an application to the viewers role on the Samples database.

.add database Samples viewers ('aadapp=4c7e82bd-6adb-46c3-b413-fdd44834c69b;fabrikam.com')

Remove security roles with .drop

The following example removes all principals in the group from the admins role on the Samples database.

.drop database Samples admins ('aadGroup=SomeGroupEmail@fabrikam.com')

Add new security roles and remove the old with .set

The following example removes existing viewers and adds the provided principals as viewers on the Samples database.

.set database Samples viewers ('aaduser=imikeoein@fabrikam.com', 'aaduser=abbiatkins@fabrikam.com')

Remove all security roles with .set

The following command removes all existing viewers on the Samples database.

.set database Samples viewers none