Press "Enter" to skip to content

Category: Security

Microsoft Fabric Permissions Models for Sharing Data with End Users

Published 2025-02-24 by Kevin Feasel

Jon Vöge builds a list:

Consider the following scenario:

  • I am building a data platform on Microsoft Fabric, using Lakehouses as the primary storage engine.
  • My end users need to consume data from the data platform as users of Power BI reports which connects to data from the Lakehouses, as developers of ad hoc models and report using data from the Lakehouses, and through ad hoc SQL queries on the Lakehouses.
  • I want to use DirectLake for Power BI reports to take advantage of frequency data ingestion and transformation, and improve the actionability of my reports.
  • My data is sensitive, and users, regardless of whether they consume reports or develop their own, need to be restricted by Row Level Security to only see some of the data.

Read on for eight different approaches to the problem and Jon’s thoughts on each approach.

Comments closed

The Challenge of TDE in PostgreSQL

Published 2025-02-24 by Kevin Feasel

Bruce Momjian shares an update:

I first blogged about Transparent Data Encryption (tde) in 2019, which was more thoroughly analyzed in a blog post in 2023. An email exchange in December 2024 summarized the most up-to-date status of this feature:

When I started focusing on tde, it was going to require changes to buffer reads/writes, wal, and require a way to store secret keys. I thought those changes would be acceptable given tde’s security value. Once file I/O changes were required, I think the balance tilted to tde requiring too many code changes given its security value (not policy compliance value).

Read on for Bruce’s take now. Coming from the SQL Server world, where TDE has been in the product since 2008, I generally agree that there are better ways to ensure regulatory compliance. It’s not like TDE is actively harmful or anything, but considering that all of the relevant keys and certificates need to be on the local server to begin with, this prevents a limited number of situations from exposing your data, and there tend to be less resource-intensive alternatives for those situations.

Comments closed

Backup to URL via Managed Identity in SQL Server 2022

Published 2025-02-18 by Kevin Feasel

Joey D’Antoni doesn’t trust user logins:

Backing up databases to the cloud is not a new thing. Microsoft introduced the BACKUP TO URL functionality to SQL Server 2012 SP1 CU2. I’m not going to tell you how long ago. Still, it wasn’t last month, and Microsoft recently celebrated the 15th anniversary of Azure so that you can get an idea. When the feature started—it was minimal; you could only backup a database of up to a single terabyte and couldn’t stripe over multiple files. Additionally, you had to use the access key to the storage account, which gave complete control over the storage account—that wasn’t a good thing.

Read on for a quick overview of the feature and guidance on how it all works.

Comments closed

Migrating a SQL Server Password without Knowing the Plaintext Value

Published 2025-02-18 by Kevin Feasel

Vlad Drumea rebuilds a machine:

Export-DbaLogin does a great job of exporting all logins, but it doesn’t offer a way to migrate the sa password to another instance.
In this case, I didn’t have the sa password and was required to ensure that the rebuilt instance is a 1:1 copy of the original one (edition excluded).

This also meant that the existing password used for sa had to be transferred to the rebuilt instance.

Read on to see how you can accomplish this.

Comments closed

The Pain of Permissions

Published 2025-02-18 by Kevin Feasel

Hugo Kornelis talks about pain:

But I have been in contracts where I was the only employee able to spell SQL, and hence all other database tasks also fell in my lap. Including permissions.

And yes. I have been in projects where the idea was to investigate all current permissions, check which are and which are not needed, and then correct everything that was wrong.

We never got past stage 1. Even in a moderate sized company, with moderate sized database applications, getting a full overview of who has which permission was sheer hell.

The best I’ve ever been able to do is execute as each user and then query sys.fn_my_permissions. Otherwise, you won’t know the full scope of a user’s permissions because there are group permissions that querying other DMVs as a sysadmin won’t give you. And frankly, even this isn’t a foolproof operation.

Comments closed

Creating Logins and Users via dbatools

Published 2025-02-17 by Kevin Feasel

Chad Callihan creates a new user:

I can’t remember where I heard the analogy, but think of a SQL Server Login as the key to a hotel. While a Login will get you in the hotel, you need a room-specific key (User) to access specific rooms (or databases) in that hotel.

When it comes to creating new logins and users, dbatools can help make it a more manageable process. This is especially helpful when you’re deploying the same login and/or user to multiple servers at a time.

That’s a nice analogy, and Chad follows it up with a pair of dbatools cmdlets you may find helpful.

Comments closed

Object Ownership in Databricks

Published 2025-02-03 by Kevin Feasel

Chen Hirsh shares a tale of woe:

Have you ever made a change in your system and immediately regretted it? A few weeks ago, I did just that while working with a customer on their Databricks platform. His IT guys made some changes, moving a user to another domain. In Databrick, this is considered a new user, so I added the new user and gave him the same permissions as the old user.

And then, without thinking twice, I deleted the old user from Databricks.

Things did not go well from there. Read on to learn what happened, why, and how to avoid this problem in the future.

Comments closed

Running a Microsoft Fabric Notebook from ADO via Service Principal

Published 2025-02-03 by Kevin Feasel

Kevin Chant needs a service principal to help:

In this post I want to share one way that you can authenticate as a service principal to run a Microsoft Fabric notebook from Azure DevOps.

Some of you may recall that I previously covered how to run a Microsoft Fabric notebook from Azure DevOps.

I decided to published a newer version of the aforementioned post to amplify the fact that the REST API that runs a notebook on demand now supports service principals.

Service principals are the way to go for this, so long as you’re having one Azure-based service communicate with another Azure-based service. No passwords, no API keys, nothing you need to remember or change every 90 days.

The problem is, this works beautifully for assets inside of Azure, but not so much outside of Azure. But that’s a story for a different day.

Comments closed

Finding Privilege Changes in SQL Server’s Default Trace

Published 2025-01-31 by Kevin Feasel

Tom Collins takes a gander:

I’m doing some sql server security privilege troubleshooting , because a customer has reported an incident  – they have privileges yesterday to a certain SQL table but today those privileges no longer. I’d like to know if there is a way to identify what changes were made and by which login those changes occured. Can you supply a method ?

Read on for the answer, though Tom has an important caveat.

Comments closed