Microsoft Fabric Updates Blog

Secure, comply, collaborate: Item Permissions in Fabric Data Warehouse

• Announcements
• Data Warehouse
• Fabric platform
• Microsoft Fabric

• kwietnia 2, 2025 autor: Freddie Santos 48 171 Wyświetlenia

In today’s data-driven world, managing access to data is crucial for maintaining security, ensuring compliance, and optimizing collaboration. Item permissions play a vital role in controlling who can access, modify, and share data within an organization. This blog post will delve into the rationale behind the need for item permissions, what permissions can be assigned to users, and how to implement them effectively.

What are Item Permissions in Fabric Data Warehouse?

Item permissions are a set of controls that allow organizations to manage access to specific data items within a Fabric Data Warehouse artifact. These permissions determine specific actions that users can perform, such as enabling, configuring, and querying SQL Audit Logs for compliance and security analysis. Additionally, users can monitor activity on the data warehouse by accessing monitoring DMVs, query insights, and even terminating long-running queries if necessary.

The introduction of the Reshare permission further enhances collaboration by allowing users who have been granted access to an object to share the artifacts with others.

Item permissions are essential for several reasons:

1. Security: Protecting sensitive data from unauthorized access is paramount. By assigning specific permissions, organizations can ensure that only authorized personnel can view or modify critical information.
2. Compliance: Many industries are subject to regulatory requirements that mandate strict control over data access. Item permissions help organizations comply with these regulations by providing a clear audit trail of who accessed what data and when.
3. Collaboration: Effective data management involves enabling collaboration while maintaining control. Item permissions allow teams to work together on shared data without compromising security.

What Permissions can be assigned to users?

When it comes to assigning permissions, it’s important to understand the different types of permissions available and their implications. Here are some core and custom permissions that can be assigned to users:

• Read: allows users to view the data.
• Write: grants users the ability to modify the data.
• Reshare: enables users to share data with others.
• Monitor: provides users with the ability to monitor database activities and kill sessions.
• Audit: allows users to configure and access audit logs.
• Restore: permits users to perform in-place restores of data.

How to assign Permissions

Assigning permissions can be done through user interfaces on the share dialog:

After you click on the option, we will be able to see the options surfaced on the dialog menu:

In the example, we are sharing the Data Warehouse Artifact to Caroline, and including the item permissions that will grant Audit, Monitor and Read to her user, users with admin roles inherit those permissions, it is not necessary to grant any additional permission.

After we click on grant, we can validate the effective permissions that a user has in a specific Data Warehouse on the Managed permission option:

Exploring monitor, reshare, and audit Permissions

Now, let’s dive deeper into the monitor, reshare, and audit permissions, their functionalities, and potential use cases.

Monitor Permission

The Monitor permission is crucial for overseeing database activities, it allows users to:

• Run monitoring DMVs (sys.dm_exec_connections, sys.dm_exec_sessions, sys.dm_exec_requests).
• Access query insights views.
• Kill sessions.

Example: A database administrator can grant the Monitor permission to performance team to track long-running queries and terminate any that are causing performance issues.

Reshare Permission

The Reshare permission enables users to share data with others. This is particularly useful for collaborative projects where multiple team members need access to the same data.

Example: A project manager can reshare a Data Warehouse with team members, allowing them to contribute to the project without compromising security.

Restore Permission

The restore permission is by default granted only to Admins and cannot be shared with other users.

The main goal of this permission is to explicit display the users that can perform the in-place restore operation on the Data Warehouse.

Audit Permission

The Audit permission is essential for maintaining compliance and tracking data access. It allows users to configure and access audit logs, providing visibility into database operations.

Example: An auditor can use the Audit permission to review access logs and ensure that data handling practices comply with regulatory requirements.

After users have granted access to the Audit Permissions, they can configure the SQL Audit Logs with Audit API and query the logs with sys.fn_get_audit_file_v2

Conclusion

Item permissions are a fundamental aspect of data management, providing the necessary controls to secure, comply, and collaborate effectively. By understanding and implementing permissions like Monitor, Reshare, and Audit, organizations can enhance their data security posture and foster a collaborative environment. Submit your feedback on Fabric Ideas and join the conversation on the Fabric Community.