Applies to: ✅ Microsoft Fabric ✅ Azure Data Explorer ✅ Azure Monitor ✅ Microsoft Sentinel
The restrict statement limits the set of table/view entities that are visible to the query statements that follow it. For example, in a database that includes two tables (A, B), the application can prevent the rest of the query from accessing B and only "see" a limited form of table A by using a view.

The main scenario for the restrict statement is middle-tier applications that accept queries from users and want to apply a row-level security mechanism over those queries.

The middle-tier application can prefix the user's query with a logical model, a set of let statements that define views restricting the user's access to data, for example (T | where UserId == "..."). As the last statement being added, it restricts the user's access to the logical model only.
Note

The restrict statement can be used to restrict access to entities in another database or cluster (wildcards in cluster names aren't supported).
Syntax

```kusto
restrict access to (EntitySpecifiers)
```

Learn more about syntax conventions.
Parameters

| Name | Type | Required | Description |
|---|---|---|---|
| EntitySpecifiers | string | ✔️ | One or more comma-separated entity specifiers. Possible values are: an identifier defined by a let statement as a tabular view; a table or function reference, similar to one used by a union statement; or a pattern defined by a pattern declaration. |
Note

- All tables, tabular views, or patterns that aren't specified by the restrict statement become "invisible" to the rest of the query.
- The let, set, and tabular statements must be strung together, separated by semicolons; otherwise, they aren't considered part of the same query.
Examples
The examples in this section show how to use the syntax to help you get started.

The examples in this article use publicly available tables in the help cluster, such as the StormEvents table in the Samples database.

The examples in this article use publicly available tables, such as the Weather table in the Weather analytics sample gallery. You might need to modify the table names in the sample queries to match the tables in your workspace.
Let statement
The example uses a let statement that appears before the restrict statement.

```kusto
// Limit access to the 'Test' let statement only
let Test = () { print x=1 };
restrict access to (Test);
```
Tables or functions

The example uses references to tables or functions that are defined in the database metadata.

```kusto
// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata,
// and other database 'DB2' has Table2 defined in the metadata
restrict access to (database().Table1, database().Func1, database('DB2').Table2);
```
Patterns
The example uses wildcard patterns that can match multiple let statements or tables/functions.

```kusto
let Test1 = () { print x=1 };
let Test2 = () { print y=1 };
restrict access to (*);
// Now access is restricted to Test1, Test2 and no tables/functions are accessible.
```

```kusto
// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata.
// Assuming that database 'DB2' has table Table2 and Func2 defined in the metadata
restrict access to (database().*);
// Now access is restricted to all tables/functions of the current database ('DB2' is not accessible).
```

```kusto
// Assuming the database that the query uses has table Table1 and Func1 defined in the metadata.
// Assuming that database 'DB2' has table Table2 and Func2 defined in the metadata
restrict access to (database('DB2').*);
// Now access is restricted to all tables/functions of the database 'DB2'
```
Prevent a user from querying other users' data

This example shows how a middle-tier application can prepend a logical model to a user's query to prevent the user from querying any other user's data.

```kusto
// Assume the database has a single table, UserData,
// with a column called UserID and other columns that hold
// per-user private information.
//
// The middle-tier application generates the following statements.
// Note that "username@domain.com" is something the middle-tier application
// derives per-user as it authenticates the user.
let RestrictedData = view () { UserData | where UserID == "username@domain.com" };
restrict access to (RestrictedData);
// The rest of the query is something that the user types.
// This part can only reference RestrictedData; attempting to reference UserData
// will fail.
RestrictedData | summarize MonthlySalary=sum(Salary) by Year, Month
```
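As an added illustration (not code from the Microsoft docs), the following Python shows how a middle-tier application might compose the prefix described above: the user identity is validated and rendered as a KQL string literal, the view and restrict statements are joined with semicolons, and the user's query is appended last. The table name UserData, the view name RestrictedData and the e-mail style identity format are assumptions.

```python
import re

# Constructed example: a middle-tier application building the logical model
# that precedes a user's query. Table/view names and the identity format are
# assumptions, not taken from the docs page.

# Identity format the application accepts (assumed: e-mail style UPN).
# Anything else is rejected before it is embedded in query text.
_USER_ID_PATTERN = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")
_IDENTIFIER_PATTERN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def kql_string_literal(value: str) -> str:
    """Render a Python string as a double-quoted KQL string literal.

    Backslash and double quote are escaped so the value cannot terminate
    the literal and change the `where` predicate of the view.
    """
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def build_restricted_query(user_id: str, user_query: str,
                           table: str = "UserData",
                           view: str = "RestrictedData") -> str:
    """Prefix the user's query with a view limited to the user's own rows
    and a `restrict access to` statement naming only that view.

    Statements are joined with ';' so that they are treated as one query,
    as the Note on this page requires for let/set/tabular statements.
    """
    if not _USER_ID_PATTERN.match(user_id):
        raise ValueError("user_id is not in the accepted format")
    if not (_IDENTIFIER_PATTERN.match(table) and _IDENTIFIER_PATTERN.match(view)):
        raise ValueError("table and view must be plain KQL identifiers")
    logical_model = [
        f"let {view} = view () {{ {table} | where UserID == "
        f"{kql_string_literal(user_id)} }}",
        f"restrict access to ({view})",
    ]
    # The restrict statement is the last statement the application adds;
    # everything after it is the user's text and can only see `view`.
    return ";\n".join(logical_model) + ";\n" + user_query.strip()
```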
```kusto
// Restricting access to Table1 in the current database (database() called without parameters)
restrict access to (database().Table1);
Table1 | count
```
```kusto
// Restricting access to Table1 in the current database and Table2 in database 'DB2'
restrict access to (database().Table1, database('DB2').Table2);
union
  (Table1),
  (database('DB2').Table2)
| count
```
```kusto
// Restricting access to the Test statement only
let Test = () { range x from 1 to 10 step 1 };
restrict access to (Test);
Test
```
```kusto
// Assume that there are tables called Table1 and Table2 in the database
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
```

```kusto
// When those statements appear before the query, the following query works
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
View1 | count
```

```kusto
// When those statements appear before the query, the following access is not allowed
let View1 = view () { Table1 | project Column1 };
let View2 = view () { Table2 | project Column1, Column2 };
restrict access to (View1, View2);
Table1 | count
```