Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Be one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now

Reply
pmscorca
Post Patron
Post Patron

Issue applying the column-level security for a warehouse to a specific user account

‎10-23-2024 02:29 AM

Hi,

I'm trying to apply the CLS for a warehouse to a specific user account (reader1).

I'm following this article: SQL granular permissions in Microsoft Fabric 

Well, as the first thing, I've executed this SQL script:

GRANT SELECT ON def.mytable
(
[column_1],
[column_2,
[column_to_hide]
) TO [reader1@___.com];

Then, I've granted the item permissions to the reader1 account in this way:

pmscorca_0-1729675441990.png

Using SQL Server Management Studio, considering the warehouse connection string, I obtain an error when I try to connect to the warehouse with the reader1 account:

pmscorca_1-1729675653474.png

Inside Fabric, when I open the warehouse and I try to run a SELECT * FROM mytable or SELECT column_to_hide FROM my table I can see normally the column that I wanted to hide.

Any suggests to me in order to apply rightly the column-level security to a warehouse, please? Many thanks

Labels:
Message 1 of 12
844 Views
0
11 REPLIES 11
frithjof_v
Community Champion
Community Champion

‎11-06-2024 03:04 AM

@pmscorca In the SSMS login dialog, can you try to go to the Connection Properties and select the Connect to database there.

 

Then write the name of the Warehouse or Lakehouse.

 

It worked for me.

Message 12 of 12
293 Views
0
v-huijiey-msft
Community Support
Community Support

‎10-23-2024 07:37 PM

Hi @pmscorca ,

 

Thanks for the reply from frithjof_v .

 

Glad to hear that one of your issues has been resolved, and for your other issue, I ran a test.

vhuijieymsft_0-1729737292435.png

 

When I click connect, I will enter the web landing page, and select the account with the same username in SSMS to log in.

vhuijieymsft_1-1729737306663.png

vhuijieymsft_4-1729737405664.png

 

At this point, you can return to the SSMS to see that the connection was successful.

vhuijieymsft_3-1729737317016.png

 

Please check if your steps are different from mine, especially the login and username need to be the same.

 

If you have any other questions please feel free to contact me.

 

Best Regards,
Yang
Community Support Team

 

If there is any post helps, then please consider Accept it as the solution  to help the other members find it more quickly.
If I misunderstand your needs or you still have problems on it, please feel free to let us know. Thanks a lot!

Message 7 of 12
750 Views
0
pmscorca
Post Patron
Post Patron
In response to v-huijiey-msft

‎10-24-2024 11:12 AM

Which is your role in the workspace?

Message 8 of 12
734 Views
0
v-huijiey-msft
Community Support
Community Support
In response to pmscorca

‎10-25-2024 12:10 AM

Hi @pmscorca ,

 

At least Contributor is required.

vhuijieymsft_0-1729840161365.png

 

If you have any other questions please feel free to contact me.

 

Best Regards,
Yang
Community Support Team

 

If there is any post helps, then please consider Accept it as the solution  to help the other members find it more quickly.
If I misunderstand your needs or you still have problems on it, please feel free to let us know. Thanks a lot!

Message 9 of 12
688 Views
0
frithjof_v
Community Champion
Community Champion
In response to v-huijiey-msft

‎10-25-2024 12:57 AM

Interesting, so we cannot connect from SSMS without being Contributor or higher?

 

Then in reality, read-only users cannot connect from SSMS.

 

Also, I think Contributors can alter (increase) their own permissions, because they have CONTROL access:

 

https://learn.microsoft.com/en-us/fabric/data-warehouse/workspace-roles#workspace-roles

 

So I don't think adding CLS to a Contributor would be secure. Because they can alter the security themselves afterwards.

I haven't tested it, though.

Message 10 of 12
686 Views
0
Srisakthi
Resolver II
Resolver II
In response to frithjof_v

‎10-25-2024 01:25 AM

There are ways in which we can control access on changing the permissions to any object for a user.

For instance, below is the sample code for restricting any user on changing security policies applied.

DENY ALTER ANY SECURITY POLICY TO [xxxx.xxx@domain.com];
GO

Message 11 of 12
680 Views
0
frithjof_v
Community Champion
Community Champion

‎10-23-2024 03:07 AM

You should not give ReadData, because that gives access to all the data in the Warehouse's SQL Endpoint.

 

Instead, try sharing the warehouse while keeping all the Additional Permissions boxes unchecked (empty).

 

https://learn.microsoft.com/en-us/fabric/data-warehouse/share-warehouse-manage-permissions#fabric-se...

 

"If no additional permissions are selected - The shared recipient by default receives "Read" permission, which only allows the recipient to connect to the SQL analytics endpoint, the equivalent of CONNECT permissions in SQL Server. The shared recipient won't be able to query any table or view or execute any function or stored procedure unless they're provided access to objects within the Warehouse using T-SQL GRANT statement."

 

And then use T-SQL GRANT to only grant access to the required data.

Message 2 of 12
822 Views
pmscorca
Post Patron
Post Patron
In response to frithjof_v

‎10-23-2024 03:58 AM

Hi, thanks for your reply.

I've solved the CLS issue keeping all the Additional Permissions boxes unchecked.

It remains to understand because I cannot access to the warehouse by SSMS with the reader1 user account.

Message 3 of 12
814 Views
0
frithjof_v
Community Champion
Community Champion
In response to pmscorca

‎10-23-2024 05:18 AM

Which authentication method are you using?

 

https://learn.microsoft.com/en-us/fabric/data-warehouse/connectivity#get-started-with-sql-server-man...

 

Message 4 of 12
798 Views
0
pmscorca
Post Patron
Post Patron
In response to frithjof_v

‎10-23-2024 06:31 AM

Microsoft Entra MFA

Message 5 of 12
790 Views
0
frithjof_v
Community Champion
Community Champion
In response to pmscorca

‎10-23-2024 07:42 AM

Then I don't have any suggestion. Hopefully someone else can chime in with a suggestion regarding the login error.

 

Have you tried connecting from Power BI Desktop, or a Dataflow, using the SQL Server connector? Just to see if that works.

Message 6 of 12
776 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!

Dec Fabric Community Survey

We want your feedback!

Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.

ArunFabCon

Microsoft Fabric Community Conference 2025

Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.

December 2024

A Year in Review - December 2024

Find out what content was popular in the Fabric community during 2024.

View All