March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Early bird discount ends December 31.
Register NowBe one of the first to start using Fabric Databases. View on-demand sessions with database experts and the Microsoft product team to learn just how easy it is to get started. Watch now
Hi,
I'm trying to apply the CLS for a warehouse to a specific user account (reader1).
I'm following this article: SQL granular permissions in Microsoft Fabric
Well, as the first thing, I've executed this SQL script:
GRANT SELECT ON def.mytable
(
[column_1],
[column_2,
[column_to_hide]
) TO [reader1@___.com];
Then, I've granted the item permissions to the reader1 account in this way:
Using SQL Server Management Studio, considering the warehouse connection string, I obtain an error when I try to connect to the warehouse with the reader1 account:
Inside Fabric, when I open the warehouse and I try to run a SELECT * FROM mytable or SELECT column_to_hide FROM my table I can see normally the column that I wanted to hide.
Any suggests to me in order to apply rightly the column-level security to a warehouse, please? Many thanks
@pmscorca In the SSMS login dialog, can you try to go to the Connection Properties and select the Connect to database there.
Then write the name of the Warehouse or Lakehouse.
It worked for me.
Hi @pmscorca ,
Thanks for the reply from frithjof_v .
Glad to hear that one of your issues has been resolved, and for your other issue, I ran a test.
When I click connect, I will enter the web landing page, and select the account with the same username in SSMS to log in.
At this point, you can return to the SSMS to see that the connection was successful.
Please check if your steps are different from mine, especially the login and username need to be the same.
If you have any other questions please feel free to contact me.
Best Regards,
Yang
Community Support Team
If there is any post helps, then please consider Accept it as the solution to help the other members find it more quickly.
If I misunderstand your needs or you still have problems on it, please feel free to let us know. Thanks a lot!
Which is your role in the workspace?
Hi @pmscorca ,
At least Contributor is required.
If you have any other questions please feel free to contact me.
Best Regards,
Yang
Community Support Team
If there is any post helps, then please consider Accept it as the solution to help the other members find it more quickly.
If I misunderstand your needs or you still have problems on it, please feel free to let us know. Thanks a lot!
Interesting, so we cannot connect from SSMS without being Contributor or higher?
Then in reality, read-only users cannot connect from SSMS.
Also, I think Contributors can alter (increase) their own permissions, because they have CONTROL access:
https://learn.microsoft.com/en-us/fabric/data-warehouse/workspace-roles#workspace-roles
So I don't think adding CLS to a Contributor would be secure. Because they can alter the security themselves afterwards.
I haven't tested it, though.
There are ways in which we can control access on changing the permissions to any object for a user.
For instance, below is the sample code for restricting any user on changing security policies applied.
DENY ALTER ANY SECURITY POLICY TO [xxxx.xxx@domain.com];
GO
You should not give ReadData, because that gives access to all the data in the Warehouse's SQL Endpoint.
Instead, try sharing the warehouse while keeping all the Additional Permissions boxes unchecked (empty).
"If no additional permissions are selected - The shared recipient by default receives "Read" permission, which only allows the recipient to connect to the SQL analytics endpoint, the equivalent of CONNECT permissions in SQL Server. The shared recipient won't be able to query any table or view or execute any function or stored procedure unless they're provided access to objects within the Warehouse using T-SQL GRANT statement."
And then use T-SQL GRANT to only grant access to the required data.
Hi, thanks for your reply.
I've solved the CLS issue keeping all the Additional Permissions boxes unchecked.
It remains to understand because I cannot access to the warehouse by SSMS with the reader1 user account.
Which authentication method are you using?
Microsoft Entra MFA
Then I don't have any suggestion. Hopefully someone else can chime in with a suggestion regarding the login error.
Have you tried connecting from Power BI Desktop, or a Dataflow, using the SQL Server connector? Just to see if that works.
March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount!
Your insights matter. That’s why we created a quick survey to learn about your experience finding answers to technical questions.
Arun Ulag shares exciting details about the Microsoft Fabric Conference 2025, which will be held in Las Vegas, NV.
User | Count |
---|---|
5 | |
4 | |
3 | |
2 | |
1 |