kdbuser
Frequent Visitor

Mitigation of Known Fabric Issue which results in loss of permissions after Schema Change

Hi All,

Is there a way to take down the SQL endpoint of a lakehouse to mitigate the risk of this issue?
We can't have a scenario where permissions are lost and users can access any row in certain tables, even for a short period of time, when doing maintenance on weekends.

If this is not possible, are there any other solutions that people have to mitigate this risk?
Known issue - SQL analytics endpoint tables lose permissions - Microsoft Fabric | Microsoft Learn

1 ACCEPTED SOLUTION

Hi @kdbuser,

In fact, as I mentioned, there are many levels of security.
When you try to apply the detailed 'granular security' level (e.g. row, column, object, etc.), you need to have the access permissions first.
The known issue appears at the access level, so the users should first lose access to the SQL endpoint. Since users already can't view records from the endpoint, you do not need to consider the detail-level security.

Notice: processed from left to right
Data access(X) -> Read -> Row/Column level security -> Limited records
                        -> Read/Write -> All Records.

 

If you are still confused about this, you can also submit a ticket to contact the Dev team to get further support on this known issue.

Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accept as solution to help other members find it more quickly.


5 REPLIES
kdbuser
Frequent Visitor

Hi Xiaoxin,

My only query there is if we expose a table with no row level permissions to a SQL endpoint a user can query the entire table. Are you saying in this instance if permissions are dropped, the expected behaviour would now be different?

Hi @kdbuser,

In fact, there are a lot of levels of security settings that exist.
Currently the known issue occurs at the model level, so it should first affect the semantic model and endpoint accessibility.
The detailed 'granular security' levels (e.g. row, column, object, etc.) also do not work, because users currently can't access the model.
Notice: this 'granular security' only applies to users with read permission; the workspace admin and Fabric item owner can still access these contents.

In short, please do not assign high-level permissions to users. You can give them access and read permission, and use T-SQL to accurately control and manage the range of content users can view.

Security for data warehousing - Microsoft Fabric | Microsoft Learn

Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accept as solution to help other members find it more quickly.
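The thread refers to re-running T-SQL to restore row-level security after a schema change. As an added example (not from the thread or from Microsoft), the query below lists tables that should have an enabled filter policy but currently do not, so it can be run after maintenance and before users reconnect. The table names are hypothetical, and it assumes the endpoint exposes the same `sys.security_policies` and `sys.security_predicates` catalog views as SQL Server.

```sql
-- Added example: table names below are hypothetical placeholders.
-- Assumption: the endpoint exposes the SQL Server security catalog views.
-- Run after a schema change; any row returned is a table that is
-- missing or is not covered by an enabled row-level filter predicate.

WITH expected AS (
    -- Tables that must always be protected by row-level security.
    SELECT v.schema_name, v.table_name
    FROM (VALUES ('dbo', 'Sales'),
                 ('dbo', 'Customers')) AS v(schema_name, table_name)
),
protected AS (
    -- Tables that currently have an enabled FILTER predicate bound to them.
    SELECT s.name AS schema_name, t.name AS table_name
    FROM sys.security_predicates AS sp
    JOIN sys.security_policies   AS pol ON pol.object_id = sp.object_id
    JOIN sys.tables              AS t   ON t.object_id   = sp.target_object_id
    JOIN sys.schemas             AS s   ON s.schema_id   = t.schema_id
    WHERE pol.is_enabled = 1
      AND sp.predicate_type_desc = 'FILTER'
)
SELECT e.schema_name,
       e.table_name,
       CASE WHEN t.object_id IS NULL
            THEN 'table missing'
            ELSE 'no enabled filter policy'
       END AS finding
FROM expected AS e
LEFT JOIN sys.schemas AS s
       ON s.name = e.schema_name
LEFT JOIN sys.tables AS t
       ON t.name = e.table_name
      AND t.schema_id = s.schema_id
LEFT JOIN protected AS p
       ON p.schema_name = e.schema_name
      AND p.table_name  = e.table_name
WHERE p.table_name IS NULL;
```

An empty result means every listed table still has an enforced row filter; a non-empty result is the signal to re-apply the security policy scripts.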

Hi Xiaoxin,

The scenario I'm concerned about is when users connect via Power BI to the SQL endpoint. In the scenario above, if a schema change is applied and the row level security is lost on the SQL tables. The issue is there would be a period where permissions are dropped and we would need to rerun T-SQL to apply permissions as you suggested.

 

Please correct me if I'm wrong but if the security policy is dropped as the bug suggests that it would be
https://learn.microsoft.com/en-us/fabric/get-started/known-issues/known-issue-909-sql-analytics-endp...
Anyone connecting via the SQL endpoint would be able to access all the data?
Currently we have endpoints with no security policy on the SQL tables and users can read all rows.

However, now that we are looking to apply a security policy to the SQL tables, we want to ensure that no one can access the data via Power BI when permissions are lost. That is why I'm wondering if the SQL endpoint can be taken offline?

v-shex-msft
Community Support

Hi @kdbuser,

I think it means the current permissions have been dropped and are not available, and users are not able to access the endpoint until the admin re-assigns the permissions.

For lakehouse sharing and security, you can check the following document:

Lakehouse sharing and permission management - Microsoft Fabric | Microsoft Learn
Regards,

Xiaoxin Sheng

Community Support Team _ Xiaoxin
If this post helps, please consider accept as solution to help other members find it more quickly.
