Restrict statement

The restrict statement limits the set of table/view entities that are visible to the query statements that follow it. For example, in a database that includes two tables (A, B), the application can prevent the rest of the query from accessing B and can only "see" a limited form of table A by using a view.

The restrict statement's main scenario is middle-tier applications that accept queries from users and want to apply a row-level security mechanism over those queries. The middle-tier application can prefix the user's query with a logical model, a set of let statements defining views that restrict the user's access to data (for example, T | where UserId == "..."). As the last statement being added, it restricts the user's access to the logical model only.

Syntax

restrict access to ( [EntitySpecifier [, ...]] )

Where EntitySpecifier is one of:

  • An identifier defined by a let statement as a tabular view.
  • A table reference (similar to one used by a union statement).
  • A pattern defined by a pattern declaration.

All tables, tabular views, or patterns that are not specified by the restrict statement become "invisible" to the rest of the query.

Notes

The restrict statement can be used to restrict access to entities in another database or cluster (wildcards are not supported in cluster names).

Arguments

The restrict statement can get one or more parameters that define the permissive restriction during name resolution of the entity. The entity can be:

  • A specific entity: a let statement, a table, or a function, optionally in another database

```kusto
// Limit access to 'Test' let statement only
let Test = () { print x=1 };
restrict access to (Test);
```

```kusto
// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata,
// and other database 'DB2' has Table2 defined in the metadata
restrict access to (database().Table1, database().Func1, database('DB2').Table2);
```

  • Wildcard patterns that can match multiple let statements or tables/functions

```kusto
let Test1 = () { print x=1 };
let Test2 = () { print y=1 };
restrict access to (*);
// Now access is restricted to Test1, Test2 and no tables/functions are accessible.
```

```kusto
// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata.
// Assuming that database 'DB2' has table Table2 and Func2 defined in the metadata
restrict access to (database().*);
// Now access is restricted to all tables/functions of the current database ('DB2' is not accessible).
```

```kusto
// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata.
// Assuming that database 'DB2' has table Table2 and Func2 defined in the metadata
restrict access to (database('DB2').*);
// Now access is restricted to all tables/functions of the database 'DB2'
```

Examples

The following example shows how a middle-tier application can prepend a user's query with a logical model that prevents the user from querying any other user's data.

```kusto
// Assume the database has a single table, Data,
// with a column called UserID and other columns that hold
// per-user private information.
//
// The middle-tier application generates the following statements.
// Note that "username@domain.com" is something the middle-tier application
// derives per-user as it authenticates the user.
let RestrictedData = view () { Data | where UserID == "username@domain.com" };
restrict access to (RestrictedData);
// The rest of the query is something that the user types.
// This part can only reference RestrictedData; attempting to reference Data
// will fail.
RestrictedData | summarize IrsLovesMe=sum(Salary) by Year, Month
```
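The following Python function is an added example, not part of the Kusto documentation, of the composition step the middle-tier application performs in the scenario above: it builds the logical-model view and the restrict statement, then appends the user's query. The function names, and the assumption that the per-user table is called Data with a UserID column, are this example's own. The user ID is embedded as a properly escaped KQL string literal so that a value containing a quote or backslash cannot terminate the literal early and alter the row filter.

```python
# Added example (not from the Kusto documentation): a middle-tier service
# prefixes a user's query with a logical model and a restrict statement.
# Function names and the default table/column names are assumptions.


def kql_string_literal(value: str) -> str:
    """Render a Python string as a double-quoted KQL string literal.

    KQL string literals use C-style backslash escapes, so the backslash and
    the double quote are escaped. Without this, a user ID such as a"b could
    end the literal early and change the predicate of the row filter.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_restricted_query(user_id: str, user_query: str,
                           table: str = "Data", column: str = "UserID") -> str:
    """Compose the query text the service sends to the cluster.

    The logical model is a single view over `table` filtered to `user_id`
    (the value the service derived while authenticating the user). The
    restrict statement that follows hides every other table, view, and
    pattern from the user-supplied part of the query, which comes last.
    """
    view_name = "RestrictedData"
    literal = kql_string_literal(user_id)
    prefix = (
        f"let {view_name} = view () {{ {table} | where {column} == {literal} }};\n"
        f"restrict access to ({view_name});\n"
    )
    return prefix + user_query.strip() + "\n"


if __name__ == "__main__":
    # Constructed sample input: the authenticated user and the text they typed.
    print(build_restricted_query("username@domain.com",
                                 "RestrictedData | summarize total=sum(Salary) by Year, Month"))
```

Only the prefix is generated by the service; the user-typed part is appended verbatim after the restrict statement, which is what makes Data unreachable from it regardless of what the user writes.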
```kusto
// Restricting access to Table1 in the current database (database() called without parameters)
restrict access to (database().Table1);
Table1 | count
```

```kusto
// Restricting access to Table1 in the current database and Table2 in database 'DB2'
restrict access to (database().Table1, database('DB2').Table2);
union
    (Table1),
    (database('DB2').Table2)
| count
```

```kusto
// Restricting access to Test statement only
let Test = () { range x from 1 to 10 step 1 };
restrict access to (Test);
Test
```

```kusto
// Assume that there are tables called Table1 and Table2 in the database
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
```

```kusto
// When those statements appear before the command, the next query works
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
View1 | count
```

```kusto
// When those statements appear before the command, the next access is not allowed
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
Table1 | count
```

This capability isn't supported in Azure Monitor.