Role-based Authorization in Kusto
Authorization is the process of deciding whether a security principal is permitted to carry out an action. Kusto uses a role-based access control model: authenticated principals are mapped to roles, and get access according to the roles they're assigned.
The Kusto Engine service has the following roles:
|Role|Permissions|
|---|---|
|All Databases admin|Can do anything in the scope of any database. Can show and alter certain cluster-level policies.|
|Database admin|Can do anything in the scope of a particular database.|
|Database user|Can read all data and metadata of the database. Additionally, can create tables and become the table admin for those tables, and create functions in the database.|
|All Databases viewer|Can read all data and metadata of any database.|
|Database viewer|Can read all data and metadata of a particular database.|
|Database ingestor|Can ingest data into all existing tables in the database, but can't query the data.|
|Database unrestrictedviewer|Can query all tables in the database that have the RestrictedViewAccess policy enabled.|
|Database monitor|Can execute|
|Function admin|Can alter function, delete function, or grant admin permissions to another principal.|
|Table admin|Can do anything in the scope of a particular table.|
|Table ingestor|Can ingest data in the scope of a particular table, but can't query the data.|
To grant a principal from a different tenant access to your cluster, see Allow cross-tenant queries and commands.
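The following is an added example, not taken from the original page, showing how roles from the table can be assigned with least privilege using Kusto security-role management commands. The database name `SecurityLogs`, the table name `Telemetry`, and the principals are constructed placeholders; run each command separately.

```kusto
// Constructed example: all database, table and principal names are placeholders.

// Ingestion pipeline: Table ingestor on a single table.
// It can write to Telemetry but cannot query any data.
.add table Telemetry ingestors ('aadapp=<application-id>;<tenant-id>') 'Ingestion service (write-only)'

// Analyst: Database viewer on one database.
// Read-only access to data and metadata, no table creation and no ingestion.
.add database SecurityLogs viewers ('aaduser=analyst@contoso.example') 'SOC analyst (read-only)'

// Periodic review: list who holds which role, to spot stale or over-broad grants
// (for example, Database admin where Database viewer would be enough).
.show database SecurityLogs principals

.show table Telemetry principals

// Revoke a role assignment that is no longer needed.
.drop database SecurityLogs viewers ('aaduser=analyst@contoso.example')
```

Granting at table scope rather than database scope keeps a compromised ingestion credential from reading data or writing to other tables.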