Restricted view access policy

Applies to: ✅ Microsoft Fabric ✅ Azure Data Explorer

The restricted view access policy is an optional security feature that governs view permissions on a table. By default, the policy is disabled. When enabled, the policy adds an extra layer of permission requirements for principals to access and view the table.

For a table with an enabled restricted view access policy, only principals assigned the UnrestrictedViewer role have the necessary permissions to view the table. Even principals with roles like Table Admin or Database Admin are restricted unless granted the UnrestrictedViewer role.

Note

The UnrestrictedViewer role needs to be combined with another role assigned at the database level, such as Database Admin, Database User, or Database Viewer. If a principal doesn't have any of these prerequisite roles, they won't be able to query the database, which means they won't be able to query any table within the database.

While the restricted view access policy is specific to individual tables, the UnrestrictedViewer role operates at the database level. As a result, a principal with the UnrestrictedViewer role has view permissions for all tables within the database. For more detailed information on managing table view access, see Manage view access to tables.
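The rules above can be checked against a role inventory before enabling the policy. The following is an added example, not Microsoft's code: principal names, table names, and finding labels are constructed, and only the three prerequisite roles named in the note are modeled.

```python
# Added example: models the access rules described on this page.
# Assumption: the prerequisite roles are exactly the three named in the note.
PREREQ_ROLES = {"Database Admin", "Database User", "Database Viewer"}
UNRESTRICTED = "UnrestrictedViewer"

def can_view(roles, policy_enabled):
    """Return True if a principal holding `roles` can view a table."""
    if not roles & PREREQ_ROLES:
        return False                      # cannot query the database at all
    if not policy_enabled:
        return True                       # policy is disabled by default
    return UNRESTRICTED in roles          # admins are blocked too

def audit(principals, tables):
    """Build a per-table access matrix and list risky or useless grants."""
    matrix = {
        name: {t: can_view(roles, enabled) for t, enabled in tables.items()}
        for name, roles in principals.items()
    }
    restricted = [t for t, enabled in tables.items() if enabled]
    findings = []
    for name, roles in principals.items():
        if UNRESTRICTED not in roles:
            continue
        if not roles & PREREQ_ROLES:
            # UnrestrictedViewer alone does not let the principal query.
            findings.append((name, "ineffective-grant"))
        elif restricted:
            # The role is database-wide: it opens every restricted table.
            findings.append((name, "database-wide-view"))
    return matrix, findings

# Constructed sample inventory for one database.
PRINCIPALS = {
    "alice": {"Database Admin"},
    "bob": {"Database Viewer", "UnrestrictedViewer"},
    "carol": {"UnrestrictedViewer"},
    "dave": {"Database User"},
}
TABLES = {"Telemetry": False, "Payroll": True, "AuditLog": True}  # True = policy enabled

if __name__ == "__main__":
    matrix, findings = audit(PRINCIPALS, TABLES)
    for name, access in matrix.items():
        print(name, access)
    print(findings)
```

A `database-wide-view` finding is the case to review: a principal granted the role for one restricted table can view every other restricted table in the same database.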

Limitations