| title | description | ms.topic | ms.date |
|---|---|---|---|
Manage database security roles |
Learn how to use management commands to view, add, and remove security roles on a database level. |
reference |
07/07/2025 |
[!INCLUDE applies] [!INCLUDE fabric] [!INCLUDE azure-data-explorer]
Principals are granted access to resources through a role-based access control model, where their assigned security roles determine their resource access.
In this article, you'll learn how to use management commands to view existing security roles and add and drop principal association to security roles on the database level.
You must have at least Database Admin permissions to run these commands.
Note
To delete a database, you need at least Contributor Azure Resource Manager (ARM) permissions. To assign ARM permissions, see Assign Azure roles using the Azure portal.
The following table shows the possible security roles on the database level and describes the permissions granted for each role.
| Role | Permissions |
|---|---|
admins |
View and modify the database and database entities. |
users |
View the database and create new database entities. |
viewers |
View tables in the database where RestrictedViewAccess isn't turned on. |
unrestrictedviewers |
View the tables in the database even where RestrictedViewAccess is turned on. The principal must also have admins, viewers, or users permissions. |
ingestors |
Ingest data to the database without access to query. |
monitors |
View database metadata such as schemas, operations, and permissions. |
Note
It isn't possible to assign the viewer role for only some tables in the database. For different approaches on how to grant a principal view access to a subset of tables, see manage table view access.
Before you add or remove principals, you can use the .show command to see a table with all of the principals and roles that are already set on the database.
To show all roles:
.show database DatabaseName principals
To show your roles:
.show database DatabaseName principal roles
[!INCLUDE syntax-conventions-note]
[!INCLUDE show-display-name-other-tenant]
| Name | Type | Required | Description |
|---|---|---|---|
| DatabaseName | string |
✔️ | The name of the database for which to list principals. |
The following command lists all security principals that have access to the Samples database.
.show database Samples principalsExample output
| Role | PrincipalType | PrincipalDisplayName | PrincipalObjectId | PrincipalFQN |
|---|---|---|---|---|
| Database Samples Admin | Microsoft Entra user | Abbi Atkins | cd709aed-a26c-e3953dec735e | aaduser=abbiatkins@fabrikam.com |
This section provides syntax, parameters, and examples for adding and removing principals to and from security roles.
Action database DatabaseName Role ( Principal [, Principal...] ) [skip-results] [ Description ]
[!INCLUDE syntax-conventions-note]
::: moniker range="azure-data-explorer"
| Name | Type | Required | Description |
|---|---|---|---|
| Action | string |
✔️ | The command .add, .drop, or .set..add adds the specified principals, .drop removes the specified principals, and .set adds the specified principals and removes all previous ones. |
| DatabaseName | string |
✔️ | The name of the database for which to add principals. |
| Role | string |
✔️ | The role to assign to the principal. For databases, roles can be admins, users, viewers, unrestrictedviewers, ingestors, or monitors. |
| Principal | string |
✔️ | One or more principals or managed identities. To reference managed identities, use the "App" format using the managed identity object ID or managed identity client (application) ID. For guidance on how to specify these principals, see Referencing Microsoft Entra principals and groups. |
skip-results |
string |
If provided, the command won't return the updated list of database principals. | |
| Description | string |
Text to describe the change that displays when using the .show command. |
::: moniker-end
::: moniker range="microsoft-fabric"
| Name | Type | Required | Description |
|---|---|---|---|
| Action | string |
✔️ | The command .add, .drop, or .set..add adds the specified principals, .drop removes the specified principals, and .set adds the specified principals and removes all previous ones. |
| DatabaseName | string |
✔️ | The name of the database for which to add principals. |
| Role | string |
✔️ | The role to assign to the principal. For databases, this can be admins, users, viewers, unrestrictedviewers, ingestors, or monitors. |
| Principal | string |
✔️ | One or more principals. For guidance on how to specify these principals, see Referencing Microsoft Entra principals and groups. |
skip-results |
string |
If provided, the command won't return the updated list of database principals. | |
| Description | string |
Text to describe the change that displays when using the .show command. |
::: moniker-end
Note
The .set command with none instead of a list of principals will remove all principals of the specified role.
In the following examples, you'll see how to add security roles, remove security roles, and add and remove security roles in the same command.
The following example adds a principal to the users role on the Samples database.
.add database Samples users ('aaduser=imikeoein@fabrikam.com')The following example adds an application to the viewers role on the Samples database.
.add database Samples viewers ('aadapp=4c7e82bd-6adb-46c3-b413-fdd44834c69b;fabrikam.com')The following example removes all principals in the group from the admins role on the Samples database.
.drop database Samples admins ('aadGroup=SomeGroupEmail@fabrikam.com')The following example removes existing viewers and adds the provided principals as viewers on the Samples database.
.set database Samples viewers ('aaduser=imikeoein@fabrikam.com', 'aaduser=abbiatkins@fabrikam.com')The following command removes all existing viewers on the Samples database.
.set database Samples viewers none