fabricator1
Advocate II

TDS endpoint and workspace viewer role

Hi, 


Can a user with Viewer role in the workspace, use Power BI Desktop or SSMS to connect and read data from a Lakehouse SQL Analytics Endpoint?

I thought Power BI Desktop and SSMS are using the TDS endpoint, and thus a Viewer would only be able to read Lakehouse data through the TDS endpoint if granted permission by a contributor, member or admin (ref. the table below).

However, I am testing with a user who has Viewer role and this user is able to read data from the Lakehouse SQL Analytics Endpoint in Power BI Desktop by using the connection string. (We haven't given this user any granular permissions.)

Is the SQL Analytics Endpoint connection string the same thing as the Lakehouse TDS endpoint, or are they different?

When looking at the actual permissions on my Lakehouse SQL Analytics Endpoint, I can see that Workspace Viewer automatically gets Read and ReadData permissions.

Curious to learn more about this 🙂 Thanks!

Roles in workspaces in Microsoft Fabric - Microsoft Fabric | Microsoft Learn

fabricator1_0-1703776691687.png

 

1 ACCEPTED SOLUTION

Hi @fabricator1 

 

That is correct - a user who is just assigned a viewer role can read data in SQL Analytics Endpoint. As per the documentation here (see link), one can connect and also read data for each Warehouse / SQL Endpoint within the workspace. Viewers have SQL permissions to read data from tables/views using T-SQL. So what you are seeing is as per design.
https://learn.microsoft.com/en-us/fabric/data-warehouse/workspace-roles#:~:text=user%C2%A0SQL%20perm...

If the permissions provided by workspace roles are too coarse, one can leverage granular permissions; however, for granular permissions to work, one must either
(a) assign a workspace role (i.e. viewer role); or
(b) assign item-level access.
A workspace- or item-level assignment enables connectivity. Once either (a) or (b) is in place, one can then configure granular permissions to restrict access to specific objects etc. Please refer to the documentation.
SQL granular permissions - Microsoft Fabric | Microsoft Learn

"Is the SQL Analytics Endpoint connection string the same thing as the Lakehouse TDS endpoint, or are they different?"
In Fabric, we have a Lakehouse SQL analytics endpoint which is accessible via TDS; or, to put it in other words, the endpoint uses the TDS protocol. In Fabric, this is also referred to as a SQL Connection String. This is documented in detail here.
Connectivity to data warehousing - Microsoft Fabric | Microsoft Learn
[MS-TDS]: Overview | Microsoft Learn

 

I hope this information helps. Please do let us know if you have any further questions. Glad to help.

 

Thanks.
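
The check and restriction described in the accepted answer, as an added T-SQL example that is not part of the original post. The principal `viewer@contoso.com` and the table `dbo.Payroll` are placeholders, and the example assumes `sys.fn_my_permissions` and the standard permission catalog views are available on the SQL analytics endpoint:

```sql
-- Placeholders (not from the thread): viewer@contoso.com, dbo.Payroll.

-- 1. Connected as the Viewer over the SQL connection string (TDS):
--    list the effective database-level permissions that the workspace
--    role or item-level access has produced.
SELECT permission_name
FROM sys.fn_my_permissions(NULL, 'DATABASE');

-- 2. Still as the Viewer: effective permissions on one table.
--    A SELECT row here means the table is readable by this user.
SELECT subentity_name, permission_name
FROM sys.fn_my_permissions('dbo.Payroll', 'OBJECT');

-- 3. Connected as an Admin, Member or Contributor: narrow the coarse
--    workspace-role access by denying SELECT on the sensitive table.
--    The user keeps connectivity and read access to other objects.
DENY SELECT ON OBJECT::dbo.Payroll TO [viewer@contoso.com];

-- 4. Audit: list every explicit GRANT/DENY on objects, so restrictions
--    layered on top of workspace roles can be reviewed in one place.
SELECT pr.name            AS principal_name,
       pr.type_desc       AS principal_type,
       pe.state_desc      AS grant_or_deny,
       pe.permission_name,
       s.name             AS schema_name,
       o.name             AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects AS o
  ON o.object_id = pe.major_id
JOIN sys.schemas AS s
  ON s.schema_id = o.schema_id
WHERE pe.class_desc = 'OBJECT_OR_COLUMN'
ORDER BY pr.name, s.name, o.name;
```

Re-running step 2 as the Viewer after step 3 shows whether the restriction took effect for that account.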


3 REPLIES 3
v-cboorla-msft
Community Support

Hi @fabricator1 

 

Thanks for using Fabric Community. 
At this time, we are reaching out to the internal team to get some help on this.

We will update you once we hear back from them.


Thanks

Hi @fabricator1 

 

Glad that your query got resolved.

Please continue using Fabric Community for any help regarding your queries.
