question

Gargs-ChesterFLD avatar image
0 Votes"
Gargs-ChesterFLD asked OuryBa-MSFT commented

Do Dynamic data masking applied to Azure SQL database table's columns propagate to the Analysis Services tabular model?

Do Dynamic granular level data masking permissions applied to Azure SQL database table's columns propagate to the Analysis Services tabular model based upon that table?
For example:
a) I have a Table A in an Azure SQL database. Table A has the columns :: empno int not null primary key, ename varchar(50) not null, sal decimal(10,2), SSN varchar(16) NULL); Columns sal and SSN have the following mask MASKED WITH (FUNCTION = 'default()'). The table has dummy data.
b) These two masked columns have granular level permissions, so that only persons belonging to AD group named user_group1 can see their unmasked data
c) I have verified that only users belonging to user_group1 can see the unmasked values in these columns in Azure Data Studio, others cannot
d) As an administrator, I have created a Tabular model based upon this table, and have deployed it to the Azure Analysis service. All users in my organization have been given Reader access to the tabular model

My questions are:
1) Will all users other than the ones belonging to the user_group1 see the data masked in these two columns that are part of the tabular model?
2) How do I propagate these granular dynamic masking rules to the Tabular model based upon this table, so that only certain users can see certain unmasked columns whereas other can not?

Thanks.

azure-sql-databaseazure-analysis-services
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

NandanHegde-7720 avatar image
0 Votes"
NandanHegde-7720 answered

Hey,
To answer your query :
1) Dynamic data masking is a feature of Azure SQL database. You might be processing the tabular model connecting to Azure SQL database via a SQL account.
In that scenario, the data within the tabular model would be masked or unmasked based on what access the SQL account that is configured to connect to Azure SQL db from tabular model has.

Every user having read access to the tabular model would see the same data (either masked or unmasked).

You can use the function of Object level security to hide sensitive columns from certain users:
https://docs.microsoft.com/en-us/analysis-services/tabular-models/object-level-security?view=asallproducts-allversions

5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Gargs-ChesterFLD avatar image
0 Votes"
Gargs-ChesterFLD answered OuryBa-MSFT commented

Thank you! I wish there was a way to extend the granular masking ability to the tabular model too.

· 1
5 |1600 characters needed characters left characters exceeded

Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Hi @Gargs-ChesterFLD

Thank you for this suggestion to [extend the granular masking ability to the tabular model]. We appreciate it. We will share and elevate your suggestion with the product team.

Note: Azure is working on a new Self-Serve option for customers to share and vote on product feedback. When available, you will be able to go to https://feedback.azure.com/ and share/up-vote product feature ideas.

Regards,
Oury

1 Vote 1 ·