Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Special holiday offer! You and a friend can attend FabCon with a BOGO code. Supplies are limited. Register now.

Reply
SavioFerraz
Kudo Collector
Kudo Collector

Complex Data Engineering Issue: Inconsistent Role Enforcement When Using Snowflake PATs in Fabric

‎12-11-2025 04:24 AM

Hi everyone,

I'm encountering an unexpected and potentially critical security behavior when using Snowflake PATs with Microsoft Fabric connections, and I’d appreciate help validating whether this is expected or a bug.

🟦 Scenario
I have 4 business units, each with its own Snowflake shared database.

Each business unit has a dedicated role that grants access only to its database.

A service account was created in Snowflake.

I generated 4 PATs, each manually restricted to one specific role using Snowflake's role restriction for PATs.

In Fabric, I created 4 separate Snowflake connections, each using:

Username → service account

Password → one of the PATs (each tied to a different restricted role)

Expectation:
Each Fabric connection should only see one database, aligned with its PAT’s assigned role.

🟥 Problem
Regardless of which PAT I use, all 4 Fabric connections show ALL databases during:

Data Pipeline Copy operations

Dataflow Gen2 connections

Any Fabric item connecting to Snowflake

It seems Fabric is using only the service account’s default role, completely ignoring the PAT role restriction, which defeats the purpose of creating role-specific PATs.

🟩 What I verified
In Snowflake: each PAT is correctly restricted to a single role

In Snowflake UI: PAT mappings show proper PAT → role_restriction associations

In Fabric: re-creating the connections doesn’t change the behavior

Testing from Snowflake CLI: PATs respect role restrictions properly outside Fabric

Questions
Does Fabric currently ignore Snowflake PAT role restrictions?
If so, this represents a major security gap.

Is this an acknowledged Fabric bug, or is there a known limitation where Fabric always uses the user’s default role instead of the PAT’s restricted role?

Is the only workaround manually selecting the role in Advanced Options every time a new data movement is created?

Has anyone successfully used PAT-level role restrictions in Fabric with enforced row-level or DB-level isolation?

Any guidance or validation would be extremely helpful — this impacts our data isolation design.

Thanks in advance!

Labels:
Message 1 of 2
254 Views
0
1 ACCEPTED SOLUTION
Vinodh247
Solution Sage
Solution Sage

‎12-11-2025 08:02 AM

 

Fabric currently ignores snowflake PAT role restrictions. Fabric authenticates using the underlying Snowflake user, not the PAT’s role binding. It then issues queries without explicitly setting the role, so Snowflake falls back to the user’s default role. This is a known limitation, not documented well, and it is effectively a role-enforcement bypass when you rely on PAT-level restrictions.

 

Not publicly acknowledged as a bug, but it aligns with existing Fabric–Snowflake connector behaviour: Fabric does not send USE ROLE <role> unless you explicitly set it in advanced options.

 

Workarounds available as of today:

  1. Manually set the role in every pipeline, dataflow, and dataset using the advanced connection string options. Painful, but reliable.

  2. Create separate Snowflake users per business unit and issue PATs for those users. This is the only fully isolated pattern Fabric respects right now.

No, there is no successful pattern today where PAT-level role restrictions alone enforce isolation in Fabric. Role-restricted PATs do not work as intended in Fabric today. If isolation is critical, you must use separate Snowflake users or enforce the role explicitly in every Fabric item.

 


Please 'Kudos' and 'Accept as Solution' if this answered your query.

Regards,
Vinodh
Microsoft MVP [Fabric]

View solution in original post

Message 2 of 2
224 Views
1 REPLY 1
Vinodh247
Solution Sage
Solution Sage

‎12-11-2025 08:02 AM

 

Fabric currently ignores snowflake PAT role restrictions. Fabric authenticates using the underlying Snowflake user, not the PAT’s role binding. It then issues queries without explicitly setting the role, so Snowflake falls back to the user’s default role. This is a known limitation, not documented well, and it is effectively a role-enforcement bypass when you rely on PAT-level restrictions.

 

Not publicly acknowledged as a bug, but it aligns with existing Fabric–Snowflake connector behaviour: Fabric does not send USE ROLE <role> unless you explicitly set it in advanced options.

 

Workarounds available as of today:

  1. Manually set the role in every pipeline, dataflow, and dataset using the advanced connection string options. Painful, but reliable.

  2. Create separate Snowflake users per business unit and issue PATs for those users. This is the only fully isolated pattern Fabric respects right now.

No, there is no successful pattern today where PAT-level role restrictions alone enforce isolation in Fabric. Role-restricted PATs do not work as intended in Fabric today. If isolation is critical, you must use separate Snowflake users or enforce the role explicitly in every Fabric item.

 


Please 'Kudos' and 'Accept as Solution' if this answered your query.

Regards,
Vinodh
Microsoft MVP [Fabric]
Message 2 of 2
225 Views

Helpful resources

Announcements
November Fabric Update Carousel

Fabric Monthly Update - November 2025

Check out the November 2025 Fabric update to learn about new features.

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All
Top Kudoed Authors
View All