Restrict statement

Applies to: ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel

The restrict statement limits the set of table/view entities that are visible to the query statements that follow it. For example, in a database that holds two tables (A, B), an application can prevent the rest of the query from accessing B and let it "see" only a limited form of table A through a view.

The restrict statement is mainly intended for middle-tier applications that accept queries from users and want to apply a row-level security mechanism to them. The middle-tier application prefixes the user's query with a logical model: a set of let statements that define views limiting the user's access to the data (for example, T | where UserId == "..."). The last statement the application adds is the restrict statement, which limits the user to that logical model only.

Note

The restrict statement can also be used to restrict access to entities in another database or cluster (wildcards aren't supported in cluster names).

Syntax

restrict access to (EntitySpecifiers)

Learn more about syntax conventions

Parameters

Name | Type | Required | Description
EntitySpecifiers | string | ✔️ | One or more comma-separated entity specifiers. Possible values are:
- An identifier defined by a let statement as a tabular view
- A table or function reference, similar to the ones used by a union statement
- A pattern defined by a pattern declaration

Note

  • All tables, tabular views, or patterns that aren't specified by the restrict statement become "invisible" to the rest of the query.
  • Let, set, and tabular statements are strung together/separated by semicolons; otherwise they aren't considered part of the same query.

Examples

Let statement

The following example uses a let statement that appears before the restrict statement.

// Limit access to 'Test' let statement only
let Test = () { print x=1 };
restrict access to (Test);

Table or function

The following example uses references to a table and a function defined in the database metadata, and to a table in another database.

// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata, 
// and other database 'DB2' has Table2 defined in the metadata

restrict access to (database().Table1, database().Func1, database('DB2').Table2);

Pattern

The following example uses wildcard patterns that can match multiple let statements or tables/functions.

let Test1 = () { print x=1 };
let Test2 = () { print y=1 };
restrict access to (*);
// Now access is restricted to Test1, Test2 and no tables/functions are accessible.

// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata.
// Assuming that database 'DB2' has table Table2 and Func2 defined in the metadata
restrict access to (database().*);
// Now access is restricted to all tables/functions of the current database ('DB2' is not accessible).

// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata.
// Assuming that database 'DB2' has table Table2 and Func2 defined in the metadata
restrict access to (database('DB2').*);
// Now access is restricted to all tables/functions of the database 'DB2'

Prevent users from querying other users' data

The following example shows how a middle-tier application can prefix a user's query with a logical model to prevent the user from querying any other user's data.

// Assume the database has a single table, Data,
// with a column called UserID and other columns that hold
// per-user private information.
//
// The middle-tier application generates the following statements.
// Note that "username@domain.com" is something the middle-tier application
// derives per-user as it authenticates the user.
let RestrictedData = view () { Data | where UserID == "username@domain.com" };
restrict access to (RestrictedData);
// The rest of the query is something that the user types.
// This part can only reference RestrictedData; attempting to reference Data
// will fail.
RestrictedData | summarize MonthlySalary=sum(Salary) by Year, Month

More examples

// Restricting access to Table1 in the current database (database() called without parameters)
restrict access to (database().Table1);
Table1 | count

// Restricting access to Table1 in the current database and Table2 in database 'DB2'
restrict access to (database().Table1, database('DB2').Table2);
union
    (Table1),
    (database('DB2').Table2)
| count

// Restricting access to the Test let statement only
let Test = () { range x from 1 to 10 step 1 };
restrict access to (Test);
Test

// Assume that the database has tables Table1 and Table2.
// After the restrict statement only View1 and View2 are visible,
// so the next query works because it references View1.
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
View1 | count

// With the same statements in front, the next query is not allowed,
// because Table1 itself is no longer visible.
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
Table1 | count
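The middle-tier pattern described above (prefix the user's text with a logical model, then a restrict statement, then the user's query) is the part of this page that a middle tier actually has to get right. The following is an added example, not code from this page or from the Kusto product: a small Python helper that assembles the three statements. The table name Data, the column UserID and the view name RestrictedData follow the page's own example; the function names, the escaping rules and the constructed inputs are this example's assumptions. The point it adds is that the identity the application derives at authentication time is interpolated into a KQL string literal, so it has to be escaped like one; an unescaped identity containing a double quote can close the literal and widen the where clause to every user's rows.

```python
# Added example (not from the page or the Kusto product): a middle-tier helper
# that prefixes an untrusted user query with the logical model and the
# restrict statement described on this page. Table 'Data', column 'UserID' and
# view 'RestrictedData' follow the page's example; the function names and the
# escaping rules are this example's assumptions.


def kql_string_literal(value: str) -> str:
    """Render value as a double-quoted KQL string literal.

    Double-quoted KQL literals use backslash escapes, so a backslash, a double
    quote or a line break inside the identity must be escaped. Otherwise an
    identity such as  x" or true or UserID != "  would close the literal and
    turn the where clause into one that matches every row.
    """
    escaped = (
        value.replace("\\", "\\\\")
        .replace('"', '\\"')
        .replace("\r", "\\r")
        .replace("\n", "\\n")
        .replace("\t", "\\t")
    )
    return f'"{escaped}"'


def build_restricted_query(user_id: str, user_query: str) -> str:
    """Return the full query text the middle tier sends on the user's behalf.

    Statement order matters: the let statement defines the view, the restrict
    statement makes it the only visible entity, and only then does the user's
    text follow. The statements are separated by semicolons, otherwise they
    would not be treated as part of the same query.
    """
    user_query = user_query.strip()
    if not user_query:
        raise ValueError("user query must not be empty")
    view_def = (
        "let RestrictedData = view () "
        f"{{ Data | where UserID == {kql_string_literal(user_id)} }};"
    )
    return "\n".join([view_def, "restrict access to (RestrictedData);", user_query])


def build_restricted_query_unsafe(user_id: str, user_query: str) -> str:
    """Same prefix built by plain string interpolation; kept only for contrast."""
    return "\n".join([
        f'let RestrictedData = view () {{ Data | where UserID == "{user_id}" }};',
        "restrict access to (RestrictedData);",
        user_query.strip(),
    ])


if __name__ == "__main__":
    # Constructed inputs: a normal identity and a hostile one.
    query = "RestrictedData | summarize MonthlySalary=sum(Salary) by Year, Month"
    print(build_restricted_query("username@domain.com", query))
    hostile = 'x" or true or UserID != "'
    print(build_restricted_query_unsafe(hostile, query))  # filter collapses to true
    print(build_restricted_query(hostile, query))         # identity stays one literal
```

Two caveats that follow from the page's own description: the restrict statement only limits what the query text after it can see, so the application must emit it after every let statement of the logical model and before any user-controlled text, and it does not change what the principal running the query is authorized to read from the service, so the middle tier's own credentials still carry full access to Data.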