Granting Permissions in a Fabric Data Warehouse and Lakehouse

Comments 0

Share to social media

We are becoming used to being a bit lazy when granting permissions to Data Warehouses and lakehouses in Fabric. We only go to the workspace level and add the user as a viewer or member.

However, this is far from a good idea.

This practice not only gives the user access to all tables in the warehouse or lakehouse, but also gives access to all objects in the workspace. Bad idea.

The Solution

The solution is on the old and good SQL security practices. A Fabric Data Warehouse has database roles in a very similar way as Azure SQL/SQL Server

A screenshot of a computer

Description automatically generated

You can add to the roles users which have no access in the workspace. In this way, the user will receive access to the Data Warehouse/Lakehouse, but not to the other objects in the workspace.

But what user?

Fabric works in the same tenant as Azure, with the same security environment. Every user available in Azure is also available in Fabric.

For example, the statement below adds a user to the db_datareader role in a data warehouse

alter role db_datareader add member [dennes2@dennesbufaloinfocom.onmicrosoft.com]

After Adding the user

You can use the system table sys.database_principles to identify the users. An Azure user will not appear in this table, unless it received some kind of permission in the warehouse.

For example:

select name, principal_id, type_desc from sys.database_principals

A screenshot of a computer

Description automatically generated

Danger: It’s interesting to notice this user doesn’t appear in the option Manage Permissions in the Data Warehouse/lakehouse. The granular permission management is good, but it can also be dangerous because you can lose track of who has access to what.

A screenshot of a browser

Description automatically generated

More Granular Access Permissions

The Database Roles available give permission to read all tables or write on all tables. What if you would like to have more granular control than this?

You also have the DB Custom Roles. You can create a completely custom role; define the granular permissions you would like and add the user to the custom role.

The code will be like this:

A screenshot of a computer

Description automatically generated

Checking Group Membership of a User

We need to be capable of checking the groups the user belongs to. This is especially important because these permissions don’t appear inside Manage Permissions.

We can do this making some joins with system tables, but it’s not a so simple query:

The table sys.database_role_members needs to be joined twice with sys.database_principals, one to retrieve the name of the user who belongs to a group and the other to retrieve the name of the group.

A screenshot of a computer

Description automatically generated

Lakehouse

All these features also work in a SQL Endpoint of a lakehouse, but with some additional details:

  • The SQL Endpoint in a lakehouse is already read-only
  • There were restrictions about if spark code in a notebook would respect the rules. This evolves all the time, take care and check the current state of this.

Summary

We can and we should be managing permissions in our Fabric environment in a granular way. We need to leave behind old practices from Power BI era and increase the security level of our solutions

Article tags

Load comments

About the author

Dennes Torres

See Profile

Dennes Torres is a Data Platform MVP and Software Architect living in Malta who loves SQL Server and software development and has more than 20 years of experience. Dennes can improve Data Platform Architectures and transform data in knowledge. He moved to Malta after more than 10 years leading devSQL PASS Chapter in Rio de Janeiro and now is a member of the leadership team of MMDPUG PASS Chapter in Malta organizing meetings, events, and webcasts about SQL Server. He is an MCT, MCSE in Data Platforms and BI, with more titles in software development. You can get in touch on his blog https://dennestorres.com or at his work https://dtowersoftware.com