Authorization is the process of allowing or disallowing a security principal permission to carry out an action. Azure Data Explorer uses a role-based access control model, under which authenticated principals are mapped to roles, and get access according to the roles they're assigned.
The engine service has the following roles:

| Role | Permissions |
|---|---|
| All Databases admin | Can do anything in the scope of any database. Includes all lower level permissions. |
| Database admin | Can do anything in the scope of a particular database. Includes all lower level permissions. |
| Database user | Can read all data and metadata of the database. Additionally, can create tables and become the table admin for those tables, and create functions in the database. |
| All Databases viewer | Can read all data and metadata of any database. |
| Database viewer | Can read all data and metadata of a particular database. |
| Database ingestor | Can ingest data into all existing tables in the database, but can't query the data. |
|  | Can query all tables in the database that have the RestrictedViewAccess policy enabled. |
| All Databases monitor | Can execute |
| Database monitor | Can execute |
| Function admin | Can alter function, delete function, or grant admin permissions to another principal. |
| Table admin | Can do anything in the scope of a particular table. |
| Table ingestor | Can ingest data in the scope of a particular table, but can't query the data. |
To assign a database role, see managing roles and permissions.
To grant a principal from a different tenant access to your cluster, see Allow cross-tenant queries and commands.
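The following management commands, added here as an example and not taken from the page above, show how the roles in the table are assigned, reviewed and revoked with the least privilege each workload needs: an analyst gets a viewer role, an ingestion pipeline gets an ingestor role (write without read), and a single table owner gets a table-scoped admin role. The database name, table name, function name, user principal, application id and tenant domain are placeholders, not values from the page.

```kusto
// Added example (not from the original page). All names below are placeholders.

// Read-only access for a human analyst: Database viewer (cannot modify or ingest).
.add database SalesDb viewers ('aaduser=analyst@contoso.com') 'Analytics team, read-only'

// A service principal used by an ingestion pipeline: Database ingestor.
// It can write into existing tables but cannot query the data it writes.
.add database SalesDb ingestors ('aadapp=00000000-0000-0000-0000-000000000000;contoso.com') 'Ingestion pipeline'

// Scope admin rights to a single table rather than the whole database (Table admin).
// Run in the context of SalesDb; the table role applies only to the Orders table.
.add table Orders admins ('aaduser=orders-owner@contoso.com') 'Owner of the Orders table'

// Function admin: may alter or delete this one function, nothing else.
.add function DailyRevenue admins ('aaduser=finance-dev@contoso.com') 'Maintains DailyRevenue'

// Periodic review: list every principal and the role it holds on the database.
.show database SalesDb principals

// Revoke a role when the access is no longer needed.
.drop database SalesDb viewers ('aaduser=analyst@contoso.com')
```

Reviewing `.show database <Db> principals` on a schedule is the practical control behind the table above: it surfaces principals that hold an admin role where a viewer or ingestor role would do, and stale principals that should be dropped.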