Different ways to limit user access to different schemas in Azure Synapse Analytics

1. User-Defined Schemas:

  • Create Schemas: Organize tables and objects into distinct schemas to logically separate data.
  • Grant Permissions: Assign specific permissions (SELECT, INSERT, UPDATE, DELETE, EXECUTE) to users or roles on individual schemas.
  • Example:
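-- CREATE SCHEMA must be the only statement in its batch, hence the GO.
CREATE SCHEMA Sales;
GO
CREATE TABLE Sales.Customers (CustomerID INT, Name VARCHAR(50));

-- SalesRole must already exist, e.g. CREATE ROLE SalesRole;
GRANT SELECT ON SCHEMA::Sales TO SalesRole;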

2. Row-Level Security (RLS):

  • Apply Dynamic Filters: Enforce fine-grained access control at the row level based on user attributes or conditions.
  • Create Security Policies: Define RLS policies using predicate functions that filter rows based on user context.
  • Example:
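-- Predicate function (name is illustrative): a row is visible when its territory matches the current user.
CREATE FUNCTION dbo.fn_SalesTerritoryFilter(@SalesTerritory AS sysname)
    RETURNS TABLE WITH SCHEMABINDING
AS RETURN SELECT 1 AS fn_result WHERE @SalesTerritory = USER_NAME();
GO
-- Bind the predicate to dbo.Sales as a filter; rows that fail it are silently excluded.
CREATE SECURITY POLICY SalesFilter
    ADD FILTER PREDICATE dbo.fn_SalesTerritoryFilter(SalesTerritory)
    ON dbo.Sales
    WITH (STATE = ON);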

3. Server-Level Roles:

  • Predefined Roles: Utilize built-in roles like db_datareader, db_datawriter, db_ddladmin, or custom roles to grant broader permissions across schemas.
  • Assign Roles: Grant appropriate roles to users or groups based on their access needs.
  • Example:
ALTER ROLE db_datareader ADD MEMBER SalesUser;

4. Credentials and External Users:

  • Secure External Access: For accessing Synapse from external tools, create database scoped credentials and external users with specific schema permissions.
  • Map External Users: Map external users to database users with defined permissions.
  • Example:
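-- Requires an existing database master key; the identity and secret shown are placeholders.
CREATE DATABASE SCOPED CREDENTIAL MyCredential WITH IDENTITY = 'user1', SECRET = 'password';
-- External (Microsoft Entra ID) users are created FROM EXTERNAL PROVIDER and take no password.
CREATE USER [MyExternalUser] FROM EXTERNAL PROVIDER;
GRANT SELECT ON SCHEMA::Sales TO [MyExternalUser];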

5. Dynamic Data Masking (DDM):

  • Obfuscate Sensitive Data: Restrict sensitive data visibility for unauthorized users by masking it with placeholder values.
  • Define Masking Rules: Create DDM policies to specify which columns to mask and the masking method.
  • Example:
-- In T-SQL the mask is defined on the column itself; partial() requires a string column.
ALTER TABLE Sales.Customers
    ALTER COLUMN SocialSecurityNumber ADD MASKED WITH (FUNCTION = 'partial(0,"XXXX-XX",6)');

Additional Considerations:

  • Monitor Access: Track user access and permissions for security auditing and compliance.
  • Regularly Review: Periodically review and update access controls to align with evolving requirements and security best practices.
  • Tailor Approaches: Choose the most suitable methods based on your specific security needs and data organization.
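
For the "Monitor Access" and "Regularly Review" points, the following queries are an added example (not part of the original post) that list who holds which permissions on each schema, using the standard catalog views. The column aliases are illustrative; SalesRole and db_datareader are named only because they appear in the examples above.

```sql
-- 1. Schema-scoped grants and denies, expanded to the direct members of
--    any role that received them (e.g. GRANT SELECT ON SCHEMA::Sales TO SalesRole).
SELECT
    s.name             AS schema_name,
    pe.permission_name,
    pe.state_desc      AS grant_state,        -- GRANT, DENY, GRANT_WITH_GRANT_OPTION
    grantee.name       AS granted_to,
    grantee.type_desc  AS grantee_type,
    member.name        AS role_member         -- NULL when the grantee has no members
FROM sys.database_permissions AS pe
JOIN sys.schemas AS s
    ON s.schema_id = pe.major_id
JOIN sys.database_principals AS grantee
    ON grantee.principal_id = pe.grantee_principal_id
LEFT JOIN sys.database_role_members AS rm
    ON rm.role_principal_id = grantee.principal_id
LEFT JOIN sys.database_principals AS member
    ON member.principal_id = rm.member_principal_id
WHERE pe.class_desc = 'SCHEMA'
ORDER BY s.name, grantee.name, pe.permission_name, member.name;

-- 2. Role membership for every database role. Fixed roles such as
--    db_datareader give access across all schemas and do not show up
--    in query 1, so their members must be reviewed separately.
SELECT
    r.name       AS role_name,
    m.name       AS member_name,
    m.type_desc  AS member_type
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r
    ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m
    ON m.principal_id = rm.member_principal_id
WHERE r.type = 'R'
ORDER BY r.name, m.name;
```

Query 1 expands only one level of role membership; roles nested inside other roles need the second result set to trace fully.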