Role-based access control

Applies to: ✅ Azure Data Explorer

Azure Data Explorer uses a role-based access control (RBAC) model in which principals get access to resources based on their assigned roles. Roles are defined for a specific cluster, database, table, external table, materialized view, or function. When defined for a cluster, the role applies to all databases in the cluster. When defined for a database, the role applies to all entities in the database.

Azure Resource Manager (ARM) roles, such as subscription owner or cluster owner, grant access permissions for resource administration. For data administration, you need the roles described in this document.

Note

To delete a database, you need at least Contributor ARM permissions on the cluster. To assign ARM permissions, see Assign Azure roles using the Azure portal.

Roles and permissions

The following table outlines the roles and permissions available at each scope.

The Permissions column displays the access granted to each role.

The Dependencies column lists the minimum roles required to obtain the role in that row. For example, to become a Table Admin, you must first have a role like Database User or a role that includes the permissions of Database User, such as Database Admin or AllDatabasesAdmin. When multiple roles are listed in the Dependencies column, only one of them is needed to obtain the role.

The Manage column offers ways to add or remove role principals.

Scope Role Permissions Dependencies Manage
Cluster AllDatabasesAdmin Full permission to all databases in the cluster. May show and alter certain cluster-level policies. Includes all permissions. Azure portal
Cluster AllDatabasesViewer Read all data and metadata of any database in the cluster. Azure portal
Cluster AllDatabasesMonitor Execute .show commands in the context of any database in the cluster. Azure portal
Database Admin Full permission in the scope of a particular database. Includes all lower level permissions. Azure portal or management commands
Database User Read all data and metadata of the database. Create tables and functions, and become the admin for those tables and functions. Azure portal or management commands
Database Viewer Read all data and metadata, except for tables with the RestrictedViewAccess policy turned on. Azure portal or management commands
Database Unrestrictedviewer Read all data and metadata, including in tables with the RestrictedViewAccess policy turned on. Database User or Database Viewer Azure portal or management commands
Database Ingestor Ingest data to all tables in the database without access to query the data. Azure portal or management commands
Database Monitor Execute .show commands in the context of the database and its child entities. Azure portal or management commands
Table Admin Full permission in the scope of a particular table. Database User management commands
Table Ingestor Ingest data to the table without access to query the data. Database User or Database Ingestor management commands
External Table Admin Full permission in the scope of a particular external table. Database User or Database Viewer management commands
Materialized view Admin Full permission to alter the view, delete the view, and grant admin permissions to another principal. Database User or Table Admin management commands
Function Admin Full permission to alter the function, delete the function, and grant admin permissions to another principal. Database User or Table Admin management commands