Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get Fabric Certified for FREE during Fabric Data Days. Don't miss your chance! Request now

Reply
pmscorca
Post Prodigy
Post Prodigy

Issue applying the column-level security for a warehouse to a specific user account

‎10-23-2024 02:29 AM

Hi,

I'm trying to apply the CLS for a warehouse to a specific user account (reader1).

I'm following this article: SQL granular permissions in Microsoft Fabric 

Well, as the first thing, I've executed this SQL script:

GRANT SELECT ON def.mytable
(
[column_1],
[column_2,
[column_to_hide]
) TO [reader1@___.com];

Then, I've granted the item permissions to the reader1 account in this way:

pmscorca_0-1729675441990.png

Using SQL Server Management Studio, considering the warehouse connection string, I obtain an error when I try to connect to the warehouse with the reader1 account:

pmscorca_1-1729675653474.png

Inside Fabric, when I open the warehouse and I try to run a SELECT * FROM mytable or SELECT column_to_hide FROM my table I can see normally the column that I wanted to hide.

Any suggests to me in order to apply rightly the column-level security to a warehouse, please? Many thanks

Labels:
Message 1 of 12
1,581 Views
0
11 REPLIES 11
frithjof_v
Super User
Super User

‎11-06-2024 03:04 AM

@pmscorca In the SSMS login dialog, can you try to go to the Connection Properties and select the Connect to database there.

 

Then write the name of the Warehouse or Lakehouse.

 

It worked for me.

Message 12 of 12
1,030 Views
0
Anonymous
Not applicable

‎10-23-2024 07:37 PM

Hi @pmscorca ,

 

Thanks for the reply from frithjof_v .

 

Glad to hear that one of your issues has been resolved, and for your other issue, I ran a test.

vhuijieymsft_0-1729737292435.png

 

When I click connect, I will enter the web landing page, and select the account with the same username in SSMS to log in.

vhuijieymsft_1-1729737306663.png

vhuijieymsft_4-1729737405664.png

 

At this point, you can return to the SSMS to see that the connection was successful.

vhuijieymsft_3-1729737317016.png

 

Please check if your steps are different from mine, especially the login and username need to be the same.

 

If you have any other questions please feel free to contact me.

 

Best Regards,
Yang
Community Support Team

 

If there is any post helps, then please consider Accept it as the solution  to help the other members find it more quickly.
If I misunderstand your needs or you still have problems on it, please feel free to let us know. Thanks a lot!

Message 7 of 12
1,487 Views
0
pmscorca
Post Prodigy
Post Prodigy
In response to Anonymous

‎10-24-2024 11:12 AM

Which is your role in the workspace?

Message 8 of 12
1,471 Views
0
Anonymous
Not applicable
In response to pmscorca

‎10-25-2024 12:10 AM

Hi @pmscorca ,

 

At least Contributor is required.

vhuijieymsft_0-1729840161365.png

 

If you have any other questions please feel free to contact me.

 

Best Regards,
Yang
Community Support Team

 

If there is any post helps, then please consider Accept it as the solution  to help the other members find it more quickly.
If I misunderstand your needs or you still have problems on it, please feel free to let us know. Thanks a lot!

Message 9 of 12
1,425 Views
0
frithjof_v
Super User
Super User
In response to Anonymous

‎10-25-2024 12:57 AM

Interesting, so we cannot connect from SSMS without being Contributor or higher?

 

Then in reality, read-only users cannot connect from SSMS.

 

Also, I think Contributors can alter (increase) their own permissions, because they have CONTROL access:

 

https://learn.microsoft.com/en-us/fabric/data-warehouse/workspace-roles#workspace-roles

 

So I don't think adding CLS to a Contributor would be secure. Because they can alter the security themselves afterwards.

I haven't tested it, though.

Message 10 of 12
1,423 Views
0
Srisakthi
Super User
Super User
In response to frithjof_v

‎10-25-2024 01:25 AM

There are ways in which we can control access on changing the permissions to any object for a user.

For instance, below is the sample code for restricting any user on changing security policies applied.

DENY ALTER ANY SECURITY POLICY TO [xxxx.xxx@domain.com];
GO

Message 11 of 12
1,417 Views
0
frithjof_v
Super User
Super User

‎10-23-2024 03:07 AM

You should not give ReadData, because that gives access to all the data in the Warehouse's SQL Endpoint.

 

Instead, try sharing the warehouse while keeping all the Additional Permissions boxes unchecked (empty).

 

https://learn.microsoft.com/en-us/fabric/data-warehouse/share-warehouse-manage-permissions#fabric-se...

 

"If no additional permissions are selected - The shared recipient by default receives "Read" permission, which only allows the recipient to connect to the SQL analytics endpoint, the equivalent of CONNECT permissions in SQL Server. The shared recipient won't be able to query any table or view or execute any function or stored procedure unless they're provided access to objects within the Warehouse using T-SQL GRANT statement."

 

And then use T-SQL GRANT to only grant access to the required data.

Message 2 of 12
1,559 Views
pmscorca
Post Prodigy
Post Prodigy
In response to frithjof_v

‎10-23-2024 03:58 AM

Hi, thanks for your reply.

I've solved the CLS issue keeping all the Additional Permissions boxes unchecked.

It remains to understand because I cannot access to the warehouse by SSMS with the reader1 user account.

Message 3 of 12
1,551 Views
0
frithjof_v
Super User
Super User
In response to pmscorca

‎10-23-2024 05:18 AM

Which authentication method are you using?

 

https://learn.microsoft.com/en-us/fabric/data-warehouse/connectivity#get-started-with-sql-server-man...

 

Message 4 of 12
1,535 Views
0
pmscorca
Post Prodigy
Post Prodigy
In response to frithjof_v

‎10-23-2024 06:31 AM

Microsoft Entra MFA

Message 5 of 12
1,527 Views
0
frithjof_v
Super User
Super User
In response to pmscorca

‎10-23-2024 07:42 AM

Then I don't have any suggestion. Hopefully someone else can chime in with a suggestion regarding the login error.

 

Have you tried connecting from Power BI Desktop, or a Dataflow, using the SQL Server connector? Just to see if that works.

Message 6 of 12
1,513 Views
0

Helpful resources

Announcements
November Fabric Update Carousel

Fabric Monthly Update - November 2025

Check out the November 2025 Fabric update to learn about new features.

Fabric Data Days Carousel

Fabric Data Days

Advance your Data & AI career with 50 days of live learning, contests, hands-on challenges, study groups & certifications and more!

FabCon Atlanta 2026 carousel

FabCon Atlanta 2026

Join us at FabCon Atlanta, March 16-20, for the ultimate Fabric, Power BI, AI and SQL community-led event. Save $200 with code FABCOMM.

View All