Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Be one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now

Reply
ContractRick
Frequent Visitor

Row Level Security Breaks Copy Data Overwrite

‎07-24-2024 08:12 AM

I have a lakehouse that I pull tables into via a Pipeline Copy Data activity. The source is a local SQL server and the destination is a table in the lakehouse set to overwrite. This works great until I apply a Security Policy to the table... Now, despite the pipeline finishing without issue, when I query the table, it still shows the old data and does not appear to have been updated/overwritten.

 

Is there a different way I should be updating the table to keep the RLS? The RLS appears to work as expected with the current data, but not being able to update the table is obviously a deal breaker...

Message 1 of 10
510 Views
0
9 REPLIES 9
frithjof_v
Community Champion
Community Champion

‎07-25-2024 03:30 AM

@ContractRick Where (and how) do you apply the security policy? And where (and how) are you querying the table?

 

(I.e. are you applying the security policy to the SQL Analytics Endpoint, and querying the table in the SQL Analytics Endpoint?)

 

 

At first glance, it sounds to me that you have discovered an issue. 

Sounds like you have done a good job at finding a workaround as well!

However I think this sounds like an issue which should be fixed by the product team. Or at least provide insights into why this behaviour is happening. 

Message 5 of 10
466 Views
0
ContractRick
Frequent Visitor
In response to frithjof_v

‎07-25-2024 05:02 AM

The security policy is applied on the SQL Endpoint of the lakehouse. I followed Microsoft's instructions to configure it. I created a new schema, a function that references USER_NAME() against a select statement from a different table (without RLS), and the security policy itself.

Message 6 of 10
459 Views
0
rampie
Frequent Visitor
In response to ContractRick

‎12-11-2024 02:02 PM

HI @ContractRick 

 

Some update of this issue? i'm implementing RLS in the SQL endpoint of my lakehouse, and still the Security Policy is blocking the table refresh, the data updates via pipeline, if add an step that turns off the policy the table can be refreshed, but it's an unnacesary extra step. Have you found a solution?

Message 7 of 10
87 Views
0
ContractRick
Frequent Visitor
In response to rampie

‎12-13-2024 05:03 AM

We gave up on table based RLS. The direct query limitations were too much for us, so we switched to forcing the semantic models to use Direct Lake only, used a fixed identity for the Lakehouse connection, and applied RLS the old fashioned way on the semantic model.

Message 10 of 10
61 Views
0
frithjof_v
Community Champion
Community Champion
In response to rampie

‎12-12-2024 06:28 PM

Is this the issue you are encountering?

 

https://learn.microsoft.com/en-us/fabric/get-started/known-issues/known-issue-767-sql-endpoint-table...

Message 8 of 10
71 Views
0
ContractRick
Frequent Visitor
In response to frithjof_v

‎12-13-2024 05:08 AM

Yes, and the "workaround" is what I have already described in one of my own replies on this topic. We gave up on this form of RLS due to the security implications of said workaround as well as the limitations of direct query mode. Forcing Direct Lake mode, using a fixed identity, and applying RLS on the semantic model works well for us.

Message 9 of 10
61 Views
ContractRick
Frequent Visitor

‎07-24-2024 10:30 AM

Through further testing I have discovered that as soon as I drop the security policy, a query of the table shows the latest data that was supposed to have been copied to it. It seems the security policy is somehow blocking the update... I guess I could try running a notebook after the copy data activity to drop and readd the security policy... Seems like a weird workaround though...

Message 2 of 10
494 Views
Anonymous
Not applicable
In response to ContractRick

‎07-24-2024 06:22 PM

Hi @ContractRick ,

It really is a great way to solve a problem, and all in all I'm glad to hear you've resolved it.

Best Regards,

Ada Wang

Message 3 of 10
485 Views
0
ContractRick
Frequent Visitor
In response to Anonymous

‎07-25-2024 10:46 AM

Well, it's not really resolved... I have been bashing my head against the wall for the last 2 days on this. I finally found a method that works, but it's not pretty. Microsoft really needs to fix this!

 

Since Spark SQL can't do anything with SECURITY POLICY nor can it EXEC stored procedures (at least that I am aware of), I had to resort to the following:

  1. Create a connection to the SQL endpoint of the lakehouse using the cloud URL and Organizational credentials
  2. In a pipeline string together 3 activities after the copy data is successful:
    1. Stored procedure that drops the security policy
    2. Wait 60 seconds
    3. Stored procedure that creates the security policy

The stored procedures use parameters for the database name, function, and security policy name, so that they can be used for any tables that need RLS. I tried setting the wait time to be shorter, but found that 1 minute was reliable (I had to do the same thing when dealing with lakehouse tables updated by data flows). I also tried doing it all as 1 stored procedure, but could never get it to work.

 

So for now, this pipeline appears to get the job done, but it does mean that for 1 minute after the copy, users could potentially bypass the RLS...

Message 4 of 10
445 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Dec Fabric Community Survey

We want your feedback!

Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.

ArunFabCon

Microsoft Fabric Community Conference 2025

Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All