Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Don't miss out! 2025 Microsoft Fabric Community Conference, March 31 - April 2, Las Vegas, Nevada. Use code MSCUST for a $150 discount. Prices go up February 11th. Register now.

Reply
SwedishJAS
New Member

Clarification on Access Control for SQL Endpoints in Fabric Workspaces

‎01-14-2025 02:08 AM

Hi everyone,

I’m trying to better understand the current access control model for SQL endpoints in Microsoft Fabric. Based on my experience, it seems that:

  1. Any user with a Viewer role in a workspace automatically gains read access to all SQL endpoints within that workspace.
  2. Permissions set via Manage Permissions on the SQL endpoint cannot override or restrict the inherited access from workspace roles.
  3. Users must be added to the workspace (with at least a Viewer role) to authenticate and access a SQL endpoint, even if they have explicit permissions set via Manage Permissions for the endpoint.

This effectively means that if I want to limit access to a specific dataset or SQL endpoint to only a subset of users, I would need to create a dedicated workspace for that resource, even if it means duplicating workspaces for similar datasets.

Questions:

  • Is this the intended behavior, or am I missing a configuration that allows for more granular access control?
  • Are there any plans to introduce a feature that allows for finer-grained permissions at the SQL endpoint level without relying entirely on workspace roles?
  • Alternatively, would it be possible to implement an access role that grants authentication and data access to specific resources (like SQL endpoints) without also granting view or edit permissions for other resources in the workspace?

I’m finding it challenging to manage access without segmenting resources into separate workspaces, which feels cumbersome and counterintuitive.

Looking forward to hearing your thoughts and insights!

Best regards,
Jens

Labels:
Message 1 of 6
367 Views
0
3 ACCEPTED SOLUTIONS
AndyDDC
Super User
Super User

‎01-14-2025 05:56 AM

Hi @SwedishJAS you don't have to add any permissions at the workspace level if you need granular permissions for a SQL Endpoint.  To run through a scenario, if I had a user "User One" and I just wanted them to have read access on all tables in a particular SQL Endpoint I would

 

  • Go to the Lakehouse/Warehouse and select Manage Permissions
  • Select Add User and find the user/group e.g. User One
  • At this stage I can select Read All SQL Endpoint Data

I could just leave this setting and click OK, then User One has access to the SQL Endoint I have granted.  I don't need to add User One at the workspace level.

 

If I want even more granular control I can:

 

  • Go to the Lakehouse/Warehouse and select Manage Permissions
  • Select Add User and find the user/group e.g. User One
  • Do not select any options in the dialog box (this provides access called CONNECT)
  • Then I can go into the SQL Endpoint and issue granular permissions like GRANT SELECT ON <object> TO User/Group

Hope this helps

View solution in original post

Message 2 of 6
340 Views
0
AndyDDC
Super User
Super User
In response to SwedishJAS

‎01-15-2025 01:27 AM

Can you point me towards documentation/videos that state that users need to be added to Workspaces?  I have confirmed that adding users to a workspace is not required, I have tested this myself with both SSMS and browsing the OneLake catalog.

 

What version of SSMS are you using?

View solution in original post

Message 4 of 6
293 Views
0
v-nmadadi-msft
Community Support
Community Support
In response to SwedishJAS

‎01-16-2025 08:32 PM

Hi @SwedishJAS ,
I tried to reproduce your exact scenario and tried around various combinations of workspace roles and permissions to check how to connect to SQL endpoint without granting access to Workspace.

vnmadadimsft_0-1737088159995.png

When i gave the user Read and ReadAll permission without giving any workspace role was able to connect to SSMS without any issue, faces the same issue as you while connecting with only Read permission.

Hope this helps you 

Did I answer your question? Mark my post as a solution, this will help others!

If my response(s) assisted you in any way, don't forget to give "Kudos"


Thanks and Regards

View solution in original post

Message 6 of 6
239 Views
5 REPLIES 5
SwedishJAS
New Member

‎01-15-2025 12:01 AM

 

Hi AndyDDC,

Thank you for your detailed explanation and walkthrough! Your solution was actually my first approach since it really makes sense that users can be added to the SQL Endpoint without being part of the workspace permissions.

However, I ran into the following issue when attempting to connect to the SQL Endpoint using SQL Server Management Studio (SSMS):

Error message:

 

sql
TITLE: Connect to Server
------------------------------ Cannot connect to xnb6epbstkvehph4bskzardro4-gzozj7rlzjyunl3uzqzmtneqwm.datawarehouse.fabric.microsoft.com. ------------------------------ ADDITIONAL INFORMATION: Login failed for user '<token-identified principal>'. (Microsoft SQL Server, Error: 18456) For help, click: https://docs.microsoft.com/sql/relational-databases/errors-events/mssqlserver-18456-database-engine-error
 

After investigating further, I found that the only way to resolve this issue was to add the user to the workspace. To double-check, I reviewed the documentation, YouTube videos, and discussions, and these sources confirmed that adding the user to the workspace is required.

My question to you is: Have you verified that it actually works for you in practice to add users to the SQL Endpoint without including them in the workspace? Or did you, like me, make the assumption that it should work based on the design?

Thanks again for sharing your solution! It would be very interesting to hear if you've successfully managed to get this working without workspace permissions.


Message 3 of 6
305 Views
0
v-nmadadi-msft
Community Support
Community Support
In response to SwedishJAS

‎01-16-2025 08:32 PM

Hi @SwedishJAS ,
I tried to reproduce your exact scenario and tried around various combinations of workspace roles and permissions to check how to connect to SQL endpoint without granting access to Workspace.

vnmadadimsft_0-1737088159995.png

When i gave the user Read and ReadAll permission without giving any workspace role was able to connect to SSMS without any issue, faces the same issue as you while connecting with only Read permission.

Hope this helps you 

Did I answer your question? Mark my post as a solution, this will help others!

If my response(s) assisted you in any way, don't forget to give "Kudos"


Thanks and Regards

Message 6 of 6
240 Views
AndyDDC
Super User
Super User
In response to SwedishJAS

‎01-15-2025 01:27 AM

Can you point me towards documentation/videos that state that users need to be added to Workspaces?  I have confirmed that adding users to a workspace is not required, I have tested this myself with both SSMS and browsing the OneLake catalog.

 

What version of SSMS are you using?

Message 4 of 6
294 Views
0
SwedishJAS
New Member
In response to AndyDDC

‎01-16-2025 11:12 PM
A big thank you to both of you—I’ll give it another shot next time. This time, I worked around the issue by creating a dedicated workspace for a SQL endpoint. I’m glad that a dedicated Fabric capacity is no longer required. 🙂

I trust your explanations, and that does seem like the most reasonable scenario. I couldn’t find the description I initially interpreted as confirming the worse situation—it might have been incorrect or outdated.

Thanks again for your quick and detailed responses!
/Jens

Message 5 of 6
226 Views
0
AndyDDC
Super User
Super User

‎01-14-2025 05:56 AM

Hi @SwedishJAS you don't have to add any permissions at the workspace level if you need granular permissions for a SQL Endpoint.  To run through a scenario, if I had a user "User One" and I just wanted them to have read access on all tables in a particular SQL Endpoint I would

 

  • Go to the Lakehouse/Warehouse and select Manage Permissions
  • Select Add User and find the user/group e.g. User One
  • At this stage I can select Read All SQL Endpoint Data

I could just leave this setting and click OK, then User One has access to the SQL Endoint I have granted.  I don't need to add User One at the workspace level.

 

If I want even more granular control I can:

 

  • Go to the Lakehouse/Warehouse and select Manage Permissions
  • Select Add User and find the user/group e.g. User One
  • Do not select any options in the dialog box (this provides access called CONNECT)
  • Then I can go into the SQL Endpoint and issue granular permissions like GRANT SELECT ON <object> TO User/Group

Hope this helps

Message 2 of 6
341 Views
0

Helpful resources

Announcements
Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Prices go up Feb. 11th.

JanFabricDE_carousel

Fabric Monthly Update - January 2025

Explore the power of Python Notebooks in Fabric!

JanFabricDW_carousel

Fabric Monthly Update - January 2025

Unlock the latest Fabric Data Warehouse upgrades!

JanFabricDF_carousel

Fabric Monthly Update - January 2025

Take your data replication to the next level with Fabric's latest updates!

View All