Role-based authorization

Authorization is the process of allowing or disallowing a security principal permission to carry out an action. Azure Data Explorer uses a role-based access control model, under which authenticated principals are mapped to roles, and get access according to the roles they're assigned.

The engine service has the following roles:

Role Permissions
All Databases admin Can do anything in the scope of any database. Includes all lower level All Databases permissions. Can show and alter certain cluster-level policies.
Database admin Can do anything in the scope of a particular database. Includes all lower level permissions.
Database user Can read all data and metadata of the database. Additionally, can create tables and become the table admin for those tables, and create functions in the database.
All Databases viewer Can read all data and metadata of any database.
Database viewer Can read all data and metadata of a particular database.
Database ingestor Can ingest data into all existing tables in the database, but can't query the data.
Database unrestrictedviewer Can query all tables in the database that have the RestrictedViewAccess policy enabled.
All Databases monitor Can execute .show commands in the context of any database and its child entities.
Database monitor Can execute .show commands in the context of the database and its child entities.
Function admin Can alter function, delete function, or grant admin permissions to another principal.
Table admin Can do anything in the scope of a particular table.
Table ingestor Can ingest data in the scope of a particular table, but can't query the data.

To assign a database role, see managing roles and permissions.

Note

To grant a principal from a different tenant access to your cluster, see Allow cross-tenant queries and commands.