Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Be one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now

Reply
Csummers828
Frequent Visitor

Pipeline - Copy Data allows circumvention of Gateway Connection Security

‎09-23-2024 07:06 AM

We noticed odd behavior in our instance of Fabric. Previously in Power BI, for SQL connections, a developer could only use the database we explictly listed for a server, whether it was for a dataflow, a semantic model, or a pipeline using the Copy Assistant. If someone tries to modify or create a Copy Data block in a pipeline, in the Source tab, they have the ability to select databases that aren't configured in the gateway connection.

That includes databases we don't have Gateway connections for. Is this expected behavior or a bug in Data Factory / Pipelines? Originally we had a service account being leveraged for each server / database. Giving security concerns, this would require a service account for every individual database as well. 

Labels:
Message 1 of 4
594 Views
0
1 ACCEPTED SOLUTION
lbendlin
Super User
Super User

‎09-23-2024 10:54 AM

It was always (and still is) possible to seemingly login to one database but then run queries against another database on the same server, provided the connection user has access to both databases.

 

One subtle hint at that is the presence of both  Sql.Database and Sql.Databases  Power Query functions.

View solution in original post

Message 2 of 4
574 Views
3 REPLIES 3
lbendlin
Super User
Super User

‎09-23-2024 10:54 AM

It was always (and still is) possible to seemingly login to one database but then run queries against another database on the same server, provided the connection user has access to both databases.

 

One subtle hint at that is the presence of both  Sql.Database and Sql.Databases  Power Query functions.

Message 2 of 4
575 Views
Csummers828
Frequent Visitor
In response to lbendlin

‎09-23-2024 11:07 AM

Interesting, I know some have used more advanced scripting in Power Query against the gateway connections, but by default, if a developer tries to use another database that isn't associated with the connection it won't allow them to leveage the connection initially. At least not with the default options available in the GUI they normally use. 

So is our only option to secure other databases using the same server different accounts with different permissions? There's no way to lock this functionality down in the gateway, gateway connections, or in the service itself for Power BI / Fabric? 

Message 3 of 4
572 Views
0
lbendlin
Super User
Super User
In response to Csummers828

‎09-23-2024 11:21 AM

yep, pretty much. Use separate logins.

Message 4 of 4
570 Views

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Dec Fabric Community Survey

We want your feedback!

Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.

ArunFabCon

Microsoft Fabric Community Conference 2025

Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All