Role-based access control

Applies to: ✅ Microsoft FabricAzure Data Explorer

Azure Data Explorer uses a role-based access control (RBAC) model in which principals get access to resources based on their assigned roles. Roles are defined for a specific cluster, database, table, external table, materialized view, or function. When defined for a cluster, the role applies to all databases in the cluster. When defined for a database, the role applies to all entities in the database.

Azure Resource Manager (ARM) roles, such as subscription owner or cluster owner, grant access permissions for resource administration. For data administration, you need the roles described in this document.

Note

To delete a database, you need at least Contributor ARM permissions on the cluster. To assign ARM permissions, see Assign Azure roles using the Azure portal.

Real-Time Intelligence in Fabric uses a hybrid role-based access control (RBAC) model in which principals get access to resources based on their assigned roles granted from one or both of two sources: Fabric, and Kusto management commands. The user will have the union of the roles granted from both sources.

Within Fabric, roles can be assigned or inherited by assigning a role in a workspace, or by sharing a specific item based on the item permission model.

Fabric roles

Role Permissions granted on items
Workspace Admin Admin RBAC role on all items in the workspace.
Workspace Member Admin RBAC role on all items in the workspace.
Workspace Contributor Admin RBAC role on all items in the workspace.
Workspace Viewer Viewer RBAC role on all items in the workspace.
Item Editor Admin RBAC role on the item.
Item Viewer Viewer RBAC role on the item.

Roles can further be defined on the data plane for a specific database, table, external table, materialized view, or function, by using management commands. In both cases, roles applied at a higher level (Workspace, Eventhouse) are inherited by lower levels (Database, Table).

Roles and permissions

The following table outlines the roles and permissions available at each scope.

The Permissions column displays the access granted to each role.

The Dependencies column lists the minimum roles required to obtain the role in that row. For example, to become a Table Admin, you must first have a role like Database User or a role that includes the permissions of Database User, such as Database Admin or AllDatabasesAdmin. When multiple roles are listed in the Dependencies column, only one of them is needed to obtain the role.

The How the role is obtained column offers ways that the role can be granted or inherited.

The Manage column offers ways to add or remove role principals.

Scope Role Permissions Dependencies Manage
Cluster AllDatabasesAdmin Full permission to all databases in the cluster. May show and alter certain cluster-level policies. Includes all permissions. Azure portal
Cluster AllDatabasesViewer Read all data and metadata of any database in the cluster. Azure portal
Cluster AllDatabasesMonitor Execute .show commands in the context of any database in the cluster. Azure portal
Database Admin Full permission in the scope of a particular database. Includes all lower level permissions. Azure portal or management commands
Database User Read all data and metadata of the database. Create tables and functions, and become the admin for those tables and functions. Azure portal or management commands
Database Viewer Read all data and metadata, except for tables with the RestrictedViewAccess policy turned on. Azure portal or management commands
Database Unrestrictedviewer Read all data and metadata, including in tables with the RestrictedViewAccess policy turned on. Database User or Database Viewer Azure portal or management commands
Database Ingestor Ingest data to all tables in the database without access to query the data. Azure portal or management commands
Database Monitor Execute .show commands in the context of the database and its child entities. Azure portal or management commands
Table Admin Full permission in the scope of a particular table. Database User management commands
Table Ingestor Ingest data to the table without access to query the data. Database User or Database Ingestor management commands
External Table Admin Full permission in the scope of a particular external table. Database User or Database Viewer management commands
Materialized view Admin Full permission to alter the view, delete the view, and grant admin permissions to another principal. Database User or Table Admin management commands
Function Admin Full permission to alter the function, delete the function, and grant admin permissions to another principal. Database User or Table Admin management commands
Scope Role Permissions How the role is obtained
Eventhouse AllDatabasesAdmin Full permission to all databases in the Eventhouse. May show and alter certain Eventhouse-level policies. Includes all permissions. - Inherited as workspace admin, workspace member, or workspace contributor.

Can't be assigned with management commands.
Database Admin Full permission in the scope of a particular database. Includes all lower level permissions. - Inherited as workspace admin, workspace member, or workspace contributor
- Item shared with editing permissions.
- Assigned with management commands
Database User Read all data and metadata of the database. Create tables and functions, and become the admin for those tables and functions. - Assigned with management commands
Database Viewer Read all data and metadata, except for tables with the RestrictedViewAccess policy turned on. - Item shared with viewing permissions.
- Assigned with management commands
Database Unrestrictedviewer Read all data and metadata, including in tables with the RestrictedViewAccess policy turned on. - Assigned with management commands. Dependent on having Database User or Database Viewer.
Database Ingestor Ingest data to all tables in the database without access to query the data. - Assigned with management commands
Database Monitor Execute .show commands in the context of the database and its child entities. - Assigned with management commands
Table Admin Full permission in the scope of a particular table. - Inherited as workspace admin, workspace member, or workspace contributor
- Parent item (KQL Database) shared with editing permissions.
- Assigned with management commands. Dependent on having Database User on the parent database.
Table Ingestor Ingest data to the table without access to query the data. - Assigned with management commands. Dependent on having Database User or Database Ingestor on the parent database.
External Table Admin Full permission in the scope of a particular external table. - Assigned with management commands. Dependent on having Database User or Database Viewer on the parent database.
Materialized view Admin Full permission to alter the view, delete the view, and grant admin permissions to another principal. - Inherited as workspace admin, workspace member, or workspace contributor
- Parent item (KQL Database) shared with editing permissions.
- Assigned with management commands. Dependent on having Database User or Table Admin on the parent items.
Function Admin Full permission to alter the function, delete the function, and grant admin permissions to another principal. - Inherited as workspace admin, workspace member, or workspace contributor
- Parent item (KQL Database) shared with editing permissions.
- Assigned with management commands. Dependent on having Database User or Table Admin on the parent items.