Merged
26 changes: 13 additions & 13 deletions data-explorer/kusto/access-control/role-based-access-control.md
Expand Up @@ -80,19 +80,19 @@ The **Manage** column offers ways to add or remove role principals.

| Scope | Role | Permissions | How the role is obtained |
| ---- | ---- | ----------- | ------------------------- |
| Eventhouse | AllDatabasesAdmin | Full permission to all databases in the Eventhouse. May show and alter certain Eventhouse-level policies. Includes all permissions. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor**. <br> <br> Can't be assigned with management commands. |
| Database | Admin | Full permission in the scope of a particular database. Includes all lower level permissions. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - [Item shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Database | User | Read all data and metadata of the database. Create tables and functions, and become the admin for those tables and functions. | - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Database | Viewer | Read all data and metadata, except for tables with the [RestrictedViewAccess policy](../management/show-table-restricted-view-access-policy-command.md) turned on. | - [Item shared](/fabric/get-started/share-items#item-permission-model) with viewing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Database | Unrestrictedviewer | Read all data and metadata, including in tables with the [RestrictedViewAccess policy](../management/show-table-restricted-view-access-policy-command.md) turned on. | - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** or **Database Viewer**. |
| Database | Ingestor | Ingest data to all tables in the database without access to query the data. | - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Database | Monitor | Execute `.show` commands in the context of the database and its child entities. | - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Table | Admin | Full permission in the scope of a particular table. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - Parent item (KQL Database) [shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** on the parent database. |
| Table | Ingestor | Ingest data to the table without access to query the data. | - Assigned with [management commands](../management/manage-table-security-roles.md). Dependent on having **Database User** or **Database Ingestor** on the parent database. |
| External Table | Admin | Full permission in the scope of a particular external table. | - Assigned with [management commands](../management/manage-external-table-security-roles.md). Dependent on having **Database User** or **Database Viewer** on the parent database. |
| Materialized view | Admin | Full permission to alter the view, delete the view, and grant admin permissions to another principal. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - Parent item (KQL Database) [shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** or **Table Admin** on the parent items. |
| Function | Admin | Full permission to alter the function, delete the function, and grant admin permissions to another principal. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - Parent item (KQL Database) [shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** or **Table Admin** on the parent items. |
| Graph | GraphAdmin | Full permission in the scope of a particular graph model. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - Parent item (KQL Database) [shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** or **Table Admin** on the parent items. | |
| Eventhouse | AllDatabasesAdmin | Full permission to all databases in the Eventhouse. May show and alter certain Eventhouse-level policies. Includes all permissions. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor**. <br> <br> Can't be assigned with management commands. |
| Database | Admin | Full permission in the scope of a particular database. Includes all lower level permissions. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - [Item shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Database | User | Read all data and metadata of the database. Create tables and functions, and become the admin for those tables and functions. | - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Database | Viewer | Read all data and metadata, except for tables with the [RestrictedViewAccess policy](../management/show-table-restricted-view-access-policy-command.md) turned on. | - [Item shared](/fabric/get-started/share-items#item-permission-model) with viewing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Database | Unrestrictedviewer | Read all data and metadata, including in tables with the [RestrictedViewAccess policy](../management/show-table-restricted-view-access-policy-command.md) turned on. | - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** or **Database Viewer**. |
| Database | Ingestor | Ingest data to all tables in the database without access to query the data. | - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Database | Monitor | Execute `.show` commands in the context of the database and its child entities. | - Assigned with [management commands](../management/manage-database-security-roles.md) |
| Table | Admin | Full permission in the scope of a particular table. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - Parent item (KQL Database) [shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** on the parent database. |
| Table | Ingestor | Ingest data to the table without access to query the data. | - Assigned with [management commands](../management/manage-table-security-roles.md). Dependent on having **Database User** or **Database Ingestor** on the parent database. |
| External Table | Admin | Full permission in the scope of a particular external table. | - Assigned with [management commands](../management/manage-external-table-security-roles.md). Dependent on having **Database User** or **Database Viewer** on the parent database. |
| Materialized view | Admin | Full permission to alter the view, delete the view, and grant admin permissions to another principal. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - Parent item (KQL Database) [shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** or **Table Admin** on the parent items. |
| Function | Admin | Full permission to alter the function, delete the function, and grant admin permissions to another principal. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - Parent item (KQL Database) [shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** or **Table Admin** on the parent items. |
| Graph | GraphAdmin | Full permission in the scope of a particular graph model. | - Inherited as workspace **admin**, workspace **member**, or workspace **contributor** <br> - Parent item (KQL Database) [shared](/fabric/get-started/share-items#item-permission-model) with editing permissions. <br> - Assigned with [management commands](../management/manage-database-security-roles.md). Dependent on having **Database User** or **Table Admin** on the parent items. |
::: moniker-end

## Related content
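Review bot: The Table | Admin row links its "management commands" text to ../management/manage-database-security-roles.md, while the Table | Ingestor row directly below it links to ../management/manage-table-security-roles.md and the External Table | Admin row links to ../management/manage-external-table-security-roles.md. The Materialized view, Function and Graph rows point at the database-level page as well. If scope-specific pages exist for these roles, link to them so that a reader granting a table-level or function-level role lands on the command for that scope rather than the database-wide one; otherwise state in the cell that the database page covers these scopes. Separately, the role name "Unrestrictedviewer" is cased differently from "AllDatabasesAdmin" and "GraphAdmin" in the same column; use one casing throughout.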