We are excited to announce a new Azure Data Explorer (Kusto) feature: Row Level Security (RLS) policy, which gives you fine control over who can access data inside your tables. You can now prevent specific users from viewing certain rows in a table, and you can also mask the data they see. For example, you can set an RLS policy that masks personally identifiable information (PII), enabling developers to query production environments for troubleshooting purposes without violating compliance regulations.
Here are some other scenarios where RLS shines:
There are only two simple steps to enable RLS on a table. Here’s how it works:
Suppose we have a table called Customers. When support representatives view it, we don’t want them to see the credit card numbers. So we create a Row Level Security policy to achieve that.
The first step is to create a function that will do the masking:
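.create-or-alter function with () MaskCreditCardDataForSupportReps() {
    // True when the principal running the query belongs to the support reps AAD group
    let InSupportRep = current_principal_is_member_of('aadgroup=support_reps@mycompany.com');
    // Everyone else gets the rows unchanged
    let AllData = Customers | where InSupportRep != true;
    // Support reps get only the last four digits of the card number and a masked expiration
    let PartialData = Customers | where InSupportRep
        | extend CreditCardNumber = strcat("****-****-****-", substring(CreditCardNumber, strlen(CreditCardNumber)-4, 4)),
                 Expiration = "**/**";
    // Exactly one of the two branches is non-empty for any given caller
    union AllData, PartialData
}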
The second step is to enable the policy on the table:
.alter table Customers policy row_level_security enable "MaskCreditCardDataForSupportReps"
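The masking logic can be checked on constructed rows before the policy is enabled on the real table. The query below is an added example, not part of the original announcement: SampleCustomers, MaskedView and the IsSupportRep parameter are hypothetical names, and the group-membership check is replaced by a parameter so that both branches can be exercised by any user.

```kusto
// Constructed sample rows standing in for the Customers table (not real data).
let SampleCustomers = datatable(Name:string, CreditCardNumber:string, Expiration:string)
[
    "Alice", "1234-5678-9012-3456", "01/25",
    "Bob",   "9876-5432-1098-7654", "11/24"
];
// Same logic as MaskCreditCardDataForSupportReps, with the call to
// current_principal_is_member_of() replaced by a bool parameter (assumption made
// for testing only; the real policy function must keep the membership check).
let MaskedView = (IsSupportRep:bool) {
    let AllData = SampleCustomers | where IsSupportRep != true;
    let PartialData = SampleCustomers | where IsSupportRep
        | extend CreditCardNumber = strcat("****-****-****-", substring(CreditCardNumber, strlen(CreditCardNumber)-4, 4)),
                 Expiration = "**/**";
    union AllData, PartialData
};
// Support-rep view: flag any row that shows more than the masked prefix plus
// four characters, or an unmasked expiration. A non-zero LeakingRows means the
// function would expose card data once it is attached as the policy.
// Change the argument to false to inspect the unmasked branch.
MaskedView(true)
| extend Leaks = CreditCardNumber !startswith "****-****-****-"
              or strlen(CreditCardNumber) > 19
              or Expiration != "**/**"
| summarize Rows = count(), LeakingRows = countif(Leaks)
```

Once the policy is enabled, `.show table Customers policy row_level_security` displays the policy currently attached to the table.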
Now, when users access the Customers table, they’ll actually get the results of the MaskCreditCardDataForSupportReps function, which returns:
Row Level Security policy is now available for Public Preview. Find out more about it here: https://docs.microsoft.com/en-us/azure/kusto/management/rowlevelsecuritypolicy
UPDATE: Row Level Security policy is going to be Generally Available on Oct 14th, 2020.