Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Enhance your career with this limited time 50% discount on Fabric and Power BI exams. Ends August 31st. Request your voucher.

Reply
ContractRick
Frequent Visitor

Row Level Security Breaks Copy Data Overwrite

‎07-24-2024 08:12 AM

I have a lakehouse that I pull tables into via a Pipeline Copy Data activity. The source is a local SQL server and the destination is a table in the lakehouse set to overwrite. This works great until I apply a Security Policy to the table... Now, despite the pipeline finishing without issue, when I query the table, it still shows the old data and does not appear to have been updated/overwritten.

 

Is there a different way I should be updating the table to keep the RLS? The RLS appears to work as expected with the current data, but not being able to update the table is obviously a deal breaker...

Message 1 of 10
994 Views
0
9 REPLIES 9
frithjof_v
Super User
Super User

‎07-25-2024 03:30 AM

@ContractRick Where (and how) do you apply the security policy? And where (and how) are you querying the table?

 

(I.e. are you applying the security policy to the SQL Analytics Endpoint, and querying the table in the SQL Analytics Endpoint?)

 

 

At first glance, it sounds to me that you have discovered an issue. 

Sounds like you have done a good job at finding a workaround as well!

However I think this sounds like an issue which should be fixed by the product team. Or at least provide insights into why this behaviour is happening. 

Message 5 of 10
950 Views
0
ContractRick
Frequent Visitor
In response to frithjof_v

‎07-25-2024 05:02 AM

The security policy is applied on the SQL Endpoint of the lakehouse. I followed Microsoft's instructions to configure it. I created a new schema, a function that references USER_NAME() against a select statement from a different table (without RLS), and the security policy itself.

Message 6 of 10
943 Views
0
rampie
Advocate I
Advocate I
In response to ContractRick

‎12-11-2024 02:02 PM

HI @ContractRick 

 

Some update of this issue? i'm implementing RLS in the SQL endpoint of my lakehouse, and still the Security Policy is blocking the table refresh, the data updates via pipeline, if add an step that turns off the policy the table can be refreshed, but it's an unnacesary extra step. Have you found a solution?

Message 7 of 10
571 Views
0
ContractRick
Frequent Visitor
In response to rampie

‎12-13-2024 05:03 AM

We gave up on table based RLS. The direct query limitations were too much for us, so we switched to forcing the semantic models to use Direct Lake only, used a fixed identity for the Lakehouse connection, and applied RLS the old fashioned way on the semantic model.

Message 10 of 10
545 Views
0
frithjof_v
Super User
Super User
In response to rampie

‎12-12-2024 06:28 PM

Is this the issue you are encountering?

 

https://learn.microsoft.com/en-us/fabric/get-started/known-issues/known-issue-767-sql-endpoint-table...

Message 8 of 10
555 Views
0
ContractRick
Frequent Visitor
In response to frithjof_v

‎12-13-2024 05:08 AM

Yes, and the "workaround" is what I have already described in one of my own replies on this topic. We gave up on this form of RLS due to the security implications of said workaround as well as the limitations of direct query mode. Forcing Direct Lake mode, using a fixed identity, and applying RLS on the semantic model works well for us.

Message 9 of 10
545 Views
ContractRick
Frequent Visitor

‎07-24-2024 10:30 AM

Through further testing I have discovered that as soon as I drop the security policy, a query of the table shows the latest data that was supposed to have been copied to it. It seems the security policy is somehow blocking the update... I guess I could try running a notebook after the copy data activity to drop and readd the security policy... Seems like a weird workaround though...

Message 2 of 10
978 Views
Anonymous
Not applicable
In response to ContractRick

‎07-24-2024 06:22 PM

Hi @ContractRick ,

It really is a great way to solve a problem, and all in all I'm glad to hear you've resolved it.

Best Regards,

Ada Wang

Message 3 of 10
969 Views
0
ContractRick
Frequent Visitor
In response to Anonymous

‎07-25-2024 10:46 AM

Well, it's not really resolved... I have been bashing my head against the wall for the last 2 days on this. I finally found a method that works, but it's not pretty. Microsoft really needs to fix this!

 

Since Spark SQL can't do anything with SECURITY POLICY nor can it EXEC stored procedures (at least that I am aware of), I had to resort to the following:

  1. Create a connection to the SQL endpoint of the lakehouse using the cloud URL and Organizational credentials
  2. In a pipeline string together 3 activities after the copy data is successful:
    1. Stored procedure that drops the security policy
    2. Wait 60 seconds
    3. Stored procedure that creates the security policy

The stored procedures use parameters for the database name, function, and security policy name, so that they can be used for any tables that need RLS. I tried setting the wait time to be shorter, but found that 1 minute was reliable (I had to do the same thing when dealing with lakehouse tables updated by data flows). I also tried doing it all as 1 stored procedure, but could never get it to work.

 

So for now, this pipeline appears to get the job done, but it does mean that for 1 minute after the copy, users could potentially bypass the RLS...

Message 4 of 10
929 Views
0

Helpful resources

Announcements
July 2025 community update carousel

Fabric Community Update - July 2025

Find out what's new and trending in the Fabric community.

June FBC25 Carousel

Fabric Monthly Update - June 2025

Check out the June 2025 Fabric update to learn about new features.

View All