🏭🗒️Microsoft Fabric: OneLake Role-Based Access Control (RBAC) [Notes] 🆕

Disclaimer: This is work in progress intended to consolidate information from various sources for learning purposes. For the latest information please consult the documentation (see the links below)! 

Last updated: 28-Mar-2025

[Microsoft Fabric] OneLake Role-based access control (RBAC)

• {def} security framework that allows to manage access to resources by assigning roles to users or groups 
• applies to Lakehouse Items only [1]
• restricts data access for users with Workspace Viewer or read access to a lakehouse [1]
• doesn't apply to Workspace Admins, Members, or Contributors [1]
• ⇒ supports only Read level of permissions [1]
• uses role assignments to apply permissions to its members
• assigned to 
• individuals
• security groups
• Microsoft 365 groups
• distribution lists
• ⇐ every member of the user group gets the assigned role [1]
• users in multiple groups get the highest level of permission that is provided by the roles [1]
• managed through the lakehouse data access settings [1]
• when a lakehouse is created, OneLake generates a default RBAC Role named Default Readers [1]
• allows all users with ReadAll permission to read all folders in the Item [1]
• permissions always inherit to the entire hierarchy of the folder's files and subfolders [1]
• provides automatic traversal of parent items to ensure that data is easy to discover [1]
• ⇐ similar to Windows folder permissions [1]
• [shortcuts] shortcuts to other OneLake locations have specialized behavior [1]
• the access to a OneLake shortcut is determined by the target permissions of the shortcut [1]
• when listing shortcuts, no call is made to check the target access [1]
• ⇒ when listing a directory all internal shortcuts will be returned regardless of a user's access to the target [1]
• when a user tries to open the shortcut the access check will evaluate and a user will only see data they have the required permissions to see [1]
•  enable you to restrict the data access in OneLake only to specific folders [1]
• {action} share a lakehouse
• grants other users or a group of users access to a lakehouse without giving access to the workspace and the rest of its items [1]
• found through 
• Data Hub 
• 'Shared with Me' section in Microsoft Fabrics
• [shortcuts] permissions always inherit to all Internal shortcuts where a folder is defined as target [1]
• when a user accesses data through a shortcut to another OneLake location, the identity of the calling user is used to authorize access to the data in the target path of the shortcut [1]
• ⇒ the user must have OneLake RBAC permissions in the target location to read the data [1]
• defining RBAC permissions for the internal shortcut is not allowed [1]
• must be defined on the target folder located in the target item [1]
• OneLake enables RBAC permissions only for shortcuts targeting folders in lakehouse items [1]

Previous Post <<||>>  Next Post

References:

[1] Microsoft Learn (2024) Fabric: Role-based access control (RBAC) [link]

[2] Microsoft Learn (2024) Best practices for OneLake security [link]

Resources:

[R1] Microsoft Learn (2025) Fabric: What's new in Microsoft Fabric? [link]

Acronyms:

ADLS - Azure Data Lake Storage
RBAC - Role-Based Access Control

🏭🗒️Microsoft Fabric: Workspaces [Notes]

Disclaimer: This is work in progress intended to consolidate information from various sources for learning purposes. For the latest information please consult the documentation (see the links below)! 

Last updated: 25-Mar-2025

[Microsoft Fabric] Workspace

• {def} a collection of items that brings together different functionality in a single environment designed for collaboration
• {default} created in organization's shared capacity
• workspaces can be assigned to other capacities
• includes My Workspaces
• via Workspace settings >> Premium
• shared environment that holds live items
• any changes made directly within the workspace immediately take effect and impact all users
• components
• header
• contains
• name 
• brief description of the workspace
• links to other functionality
• toolbar 
• contains 
• controls for managing items to the workspace 
• controls for managing files
• view area
• enables selecting a view
• {type} list view
• {subitem} task flow
• area in which users can create or view a graphical representation of the data project [3]
• ⇐ shows the logical flow of the project [3]
• ⇐ it doesn't show the flow of data [3]
• can be hided via Show/Hide arrows
• {subitem} items list
• area in which the users can see the items and folders in the workspace [3]
• one can filter the items list by selecting the tasks, if any defined [3]
• {subitem} resize bar
• elements that allow to resize the task flow and items list by dragging the resize bar up or down [3]
• {type} lineage view
• shows the flow of data between the items in the workspace [3]
• {feature} workspace settings 
• allows to manage and update the workspace [3]
• {feature} contact list 
• allows to specify which users receive notification about issues occurring in the workspace [3] 
• {default} contains workspace's creator [3]
• {feature} SharePoint integration 
• allows to configure a M365 Group whose SharePoint document library is available to workspace users [3]
• ⇐ the group is created outside of MF first [3]
• restrictions may apply to the environment
• {best practice} give access to the workspace to the same M365 Group whose file storage is configured [3]
• MF doesn't synchronize permissions between users or groups with workspace access, and users or groups with M365 Group membership [3]
• {feature} workspace identity
• an automatically managed service principal that can be associated with a Fabric workspace [6]
• workspaces with a workspace identity can securely read or write to firewall-enabled ADSL Gen2 accounts through trusted workspace access for OneLake shortcuts [6]
• Fabric creates a service principal in Microsoft Entra ID to represent the identity [6]
• ⇐ an accompanying app registration is also created [6]
• Fabric automatically manages the credentials associated with workspace identities [6]
• ⇒ prevents credential leaks and downtime due to improper credential handling [6]
• used to obtain Microsoft Entra tokens without the customer having to manage any credentials [6]
• Fabric items can use the identity when connecting to resources that support Microsoft Entra authentication [6]
• can be created in the workspace settings of any workspace except My workspaces
• automatically assigned to the workspace contributor role and has access to workspace items [6]
• {feature} workspace roles
• allows to manage who can do what in a workspace [4]
• sit on top of OneLake and divide the data lake into separate containers that can be secured independently [4]
• extend the Power BI workspace roles by associating new MF capabilities 
• e.g. data integration, data exploration
• can be assigned to 
• individual users
• security groups
• Microsoft 365 groups
• distribution lists
• {role} Admin
• {role} Member
• {role} Contributor
• {role} Viewer
• user groups
• members get the role(s) assigned
• users existing in several group get the highest level of permission that's provided by the roles that they're assigned [4]
• {concept} [nested group]
• {concept} current workspace
• the active open workspace
• {action} create new workspace
• {action} pin workspace
• {action} delete workspace
• everything contained within the workspace is deleted for all group members [3]
• the associated app is also removed from AppSource [3]
• {warning} if the workspace has a workspace identity, that workspace identity will be irretrievably lost [3]
• this may cause Fabric items relying on the workspace identity for trusted workspace access or authentication to break [3]
• only admins can perform the operation
• {action} manage workspace
  
• {action} take ownership of Fabric items
• Fabric items may stop working correctly [5]
• {scenario} the owner leaves the organization [5]
• {scenario}the owner don't sign in for more than 90 days [5]
• in such cases, anyone with read and write permissions on an item can take ownership of the item [5]
• become the owner of any child items the item might have
• {limitation} one can't take over ownership of child items directly [5]
• ⇐ one can take ownership only through the parent item [5]
• {limitation} workspace retention
• personal workspace
• {default} 30 days [8]
• collaborative workspace
• {default} 7 days [8]
• configurable between 7 to 90 days [8]
• via Define workspace retention period setting [8]
•  during the retention period, Fabric administrators can restore, respectively delete permanently the workspace [8]
• after that, the workspace is deleted permanently and it and its contents are irretrievably lost [8]
• {limitation} can contain a maximum of 1000 items [8]
• includes both parent and child items [8]
• refers to Fabric and Power BI items [8]
• workspaces with more items have 180-day extension period applied automatically as of 10-Apr-2025 [8]
• {limitation} certain special characters aren't supported in workspace names when using an XMLA endpoint [3]
• {limitation} a user or a service principal can be a member of up to 1000 workspaces [3]
• {feature} auditing
• several activities are audited for workspaces [3]
• CreateFolder
• DeleteFolder
• UpdateFolder
• UpdateFolderAccess
• {feature} workspace monitoring 
• Eventhouse secure read-only database that collects and organizes logs and metrics from a range of Fabric items in the workspace [1]
• accessible only to workspace users with at least a contributor role [1]
• users can access and analyze logs and metrics [1]
• the data is aggregated or detailed [1]
• can be queried via KQL or SQL [1]
• supports both historical log analysis and real-time data streaming [1]
• accessible from the workspace [1]
• one can build and save query sets and dashboards to simplify data exploration [1]
• use the workspace settings to delete the database [1]
•  wait about 15 minutes before recreating a deleted database [1]
• {action} share the database
• users need workspace member or admin role [1]
• {limitation} one can enable either 
• workspace monitoring 
• log analytics
• if enabled, the log analytics configuration must be deleted first before enabling workspace monitoring [1]
• one should wait for a few hours before enabling workspace monitoring [1]
• {limitation} retention period for monitoring data: 30 days [1]
• {limitation}the ingestion can't be configured to filter for specific log type or category [1]
• e.g. error or workload type.
• {limitation} user data operation logs aren't available even though the table is available in the monitoring database [1]
• {prerequisite} Power BI Premium or Fabric capacity [1]
• {prerequisite} workspace admins can turn on monitoring for their workspaces tenant setting is enabled [1]
• enabling the setting, requires Fabric administrator rights [1]
• {prerequisite} admin role in the workspace [1]
• workspace permissions
•  the first security boundary for data within OneLake [7]
• each workspace represents a single domain or project area where teams can collaborate on data [7]
• security is managed through Fabric workspace roles [7]
• items can have permissions configured separately from the workspace roles [7]
• permissions can be configured either by [7]
• sharing an item 
• managing the permissions of an item

Previous Post <<||>> Next Post

References:
[1] Microsoft Learn (2024) Fabric: What is workspace monitoring (preview)? [link]

[2] Microsoft Fabric Update Blog (2024) Announcing preview of Workspace Monitoring? [link]
[3] Microsoft Learn (2024) Fabric: Workspaces in Microsoft Fabric and Power BI [link]
[4] Microsoft Learn (2024) Fabric: Roles in workspaces in Microsoft Fabric [link]
[5] Microsoft Learn (2024) Fabric: Take ownership of Fabric items [link]
[6] Microsoft Learn (2024) Fabric: Workspace identity [link]
[7] Microsoft Learn (2024) Fabric: Role-based access control (RBAC) [link]
[8] Microsoft Learn (2024) Fabric: Manage workspaces [link]

Resources:

[R1] Microsoft Learn (2025) Fabric: What's new in Microsoft Fabric? [link]

Acronyms:
ADSL Gen2 - Azure Data Lake Storage Gen2
KQL - Kusto Query Language
M365 - Microsoft 365
MF - Microsoft Fabric

SQL - Structured Query Language

🌌🏭KQL Reloaded: First Steps (Part V: Database Metadata)

When working with a new data repository, one of the first things to do is to look at database's metadata, when available, and try to get a birds eye view of what's available, how big is the databases in terms of size, tables and user-defined objects, how the schema was defined, how the data are stored, eventually how often backup are taken, what users have access and to what, etc. 

So, after creating some queries in KQL and figuring out how things work, I tried to check what metadata are available, how it can be accessed, etc. The target is not to provide a full list of the available metadata, but to understand what information is available, in what format, how easy is to extract the important metadata, etc. 

So, the first set of metadata is related to database:

// get database metadata metadata
.show databases (ContosoSales)

// get database metadata metadata (multiple databases)
.show databases (ContosoSales, Samples)

// get database schema metadata
.show databases (ContosoSales) schema

// get database schema metadata (multiple databases) 
.show databases (ContosoSales, Samples) schema

// get database schema violations metadata
.show database ContosoSales schema violations

// get database entities metadata
.show databases entities with (showObfuscatedStrings=true)
| where DatabaseName == "ContosoSales"

// get database metadata 
.show databases entities with (resolveFunctionsSchema=true)
| where DatabaseName == "ContosoSales" and EntityType == "Table"
//| summarize count () //get the number of tables

// get a function's details
.show databases entities with (resolveFunctionsSchema=true)
| where DatabaseName == "ContosoSales" 
    and EntityType == "Function" 
    and EntityName == "SalesWithParams"

// get external tables metadata
.show external tables

// get materialized views metadata
.show materialized-views

// get query results metadata
.show stored_query_results

// get entities groups metadata
.show entity_groups

Then, it's useful to look at the database objects. 

// get all tables 
.show tables 
//| count

// get tables metadata
.show tables (Customers, NewSales)

// get tables schema
.show table Customers cslschema

// get schema as json
.show table Customers schema as json

// get table size: Customers
Customers
| extend sizeEstimateOfColumn = estimate_data_size(*)
| summarize totalSize_MB=round(sum(sizeEstimateOfColumn)/1024.00/1024.00,2)

Unfortunately, the public environment has restrictions in what concerns the creation of objects, while for the features available one needs to create some objects to query the corresponding metadata.

Furthermore, it would be interesting to understand who has access to the various repositories, what policies were defined, and so on. 

// get principal roles
.show database ContosoSales principal roles

// get principal roles for table
.show table Customers principal roles

// get principal roles for function:
.show function SalesWithParams principal roles

// get retention policies
.show table Customers policy retention

// get sharding policies
.show table Customers policy sharding

There are many more objects one can explore. It makes sense to document the features, respectively the objects used for the various purposes.

In addition, one should check also the best practices available for the data repository (see [2]).

Happy coding!

Previous Post <<||>> Next Post

References:
[1] Microsoft Learn (2024) Management commands overview [link]
[2] Microsoft Learn (2024) Kusto: Best practices for schema management [link]

💎🏭SQL Reloaded: Microsoft Fabric's SQL Databases (Part VIII: Permissions) [new feature]

Data-based solutions usually target a set of users who (ideally) have restricted permissions to the functionality. Therefore, as part of the process are defined several personas that target different use cases, for which the permissions must be restricted accordingly. 

In the simplest scenario the user must have access to the underlying objects for querying the data. Supposing that an Entra User was created already, the respective user must be given access also in the Fabric database (see [1], [2]). From database's main menu follow the path to assign read permissions:
Security >> Manage SQL Security >> (select role: db_datareader)

Manage SQL Security

Manage access >> Add >> (search for User)

Manage access

(select user) >> Share database >> (select additional permissions) >> Save

Manage additional permissions

The easiest way to test whether the permissions work before building the functionality is to login over SQL Server Management Studio (SSMS) and check the access using the Microsoft Entra MFA. Ideally, one should have a User's credentials that can be used only for testing purposes. After the above setup was done, the new User was able to access the data. 

A second User can be created for testing with the maximum of permissions allowed on the SQL database side, which is useful for troubleshooting. Alternatively, one can use only one User for testing and assign or remove the permissions as needed by the test scenario. 

It's a good idea to try to understand what's happening in the background. For example, the expectation was that for the Entra User created above also a SQL user is created, which doesn't seem to be the case, at least per current functionality available. 

 Before diving deeper, it's useful to retrieve User's details: 

-- retrieve current user
SELECT SUser_Name() sys_user_name
, User_Id() user_id 
, USER_NAME() user_name
, current_user [current_user]
, user [user]; 

Output:

sys_user_name	user_id	user_name	current_user	user
JamesClavell@[domain].onmicrosoft.com	0	JamesClavell@[domain].onmicrosoft.com	JamesClavell@[domain].onmicrosoft.com	JamesClavell@[domain].onmicrosoft.com

Retrieving the current User is useful especially when testing in parallel functionality with different Users. Strangely, User's ID is 0 when only read permissions were assigned. However, a valid User identifier is added for example when to the User is assigned also the db_datawriter role. Removing afterwards the db_datawriter role to the User keeps as expected User's ID. For troubleshooting purposes, at least per current functionality, it might be a good idea to create the Users with a valid User ID (e.g. by assigning temporarily the db_datawriter role to the User). 

The next step is to look at the Users with access to the database:

-- database access 
SELECT USR.uid
, USR.name
--, USR.sid 
, USR.hasdbaccess 
, USR.islogin
, USR.issqluser
--, USR.createdate 
--, USR.updatedate 
FROM sys.sysusers USR
WHERE USR.hasdbaccess = 1
  AND USR.islogin = 1
ORDER BY uid

Output:

uid	name	hasdbaccess	islogin	issqluser
1	dbo	1	1	1
6	CharlesDickens@[...].onmicrosoft.com	1	1	0
7	TestUser	1	1	1
9	JamesClavell@[...].onmicrosoft.com	1	1	0

For testing purposes, besides the standard dbo role and two Entra-based roles, it was created also a SQL role to which was granted access to the SalesLT schema (see initial post):

-- create the user
CREATE USER TestUser WITHOUT LOGIN;

-- assign access to SalesLT schema 
GRANT SELECT ON SCHEMA::SalesLT TO TestUser;
  
-- test impersonation (run together)
EXECUTE AS USER = 'TestUser';

SELECT * FROM SalesLT.Customer;

REVERT; 

Notes:
1) Strangely, even if access was given explicitly only to the SalesLT schema, the TestUser User has access also to sys.sysusers and other DMVs. That's valid also for the access over SSMS
2) For the above created User there are no records in the sys.user_token and sys.login_token DMVs, in contrast with the user(s) created for administering the SQL database. 

Let's look at the permissions granted explicitly:

-- permissions granted explicitly
SELECT DPR.principal_id
, DPR.name
, DPR.type_desc
, DPR.authentication_type_desc
, DPE.state_desc
, DPE.permission_name
FROM sys.database_principals DPR
     JOIN sys.database_permissions DPE
	   ON DPR.principal_id = DPE.grantee_principal_id
WHERE DPR.principal_id != 0 -- removing the public user
ORDER BY DPR.principal_id
, DPE.permission_name;

Result:

principal_id	name	type_desc	authentication_type_desc	state_desc	permission_name
1	dbo	SQL_USER	INSTANCE	GRANT	CONNECT
6	CharlesDickens@[...].onmicrosoft.com	EXTERNAL_USER	EXTERNAL	GRANT	AUTHENTICATE
6	CharlesDickens@[...].onmicrosoft.com	EXTERNAL_USER	EXTERNAL	GRANT	CONNECT
7	TestUser	SQL_USER	NONE	GRANT	CONNECT
7	TestUser	SQL_USER	NONE	GRANT	SELECT
9	JamesClavell@[...].onmicrosoft.com	EXTERNAL_USER	EXTERNAL	GRANT	CONNECT

During troubleshooting it might be useful to check current user's permissions at the various levels via sys.fn_my_permissions:

-- retrieve database-scoped permissions for current user
SELECT *
FROM sys.fn_my_permissions(NULL, 'Database');

-- retrieve schema-scoped permissions for current user
SELECT *
FROM sys.fn_my_permissions('SalesLT', 'Schema');

-- retrieve object-scoped permissions for current user
SELECT *
FROM sys.fn_my_permissions('SalesLT.Customer', 'Object')
WHERE permission_name = 'SELECT';

Notes:
1) See also [1] and [4] in what concerns the limitations that apply to managing permissions in SQL databases.

Happy coding!

Previous Post <<||>> Next Post

References:
[1] Microsoft Learn (2024) Microsoft Fabric: Share your SQL database and manage permissions [link]
[2] Microsoft Learn (2024) Microsoft Fabric: Share data and manage access to your SQL database in Microsoft Fabric  [link]
[3] Microsoft Learn (2024) Authorization in SQL database in Microsoft Fabric [link]
[4] Microsoft Learn (2024) Authentication in SQL database in Microsoft Fabric [link]

[5] Microsoft Fabric Learn (2025) Manage access for SQL databases in Microsoft Fabric with workspace roles and item permissions [link] 

𖣯Strategic Management: The Impact of New Technologies (Part III: Checking the Vital Signs)

An organization which went through a major change, like the replacement of a strategic system (e.g. ERP/BI implementations), needs to go through a period of attentive supervision to address the inherent issues that ideally need to be handled as they arise, to minimize their future effects. Some organizations might even go through a convalescence period, which risks to prolong itself if the appropriate remedies aren’t found. Therefore, one needs an entity, who/which has the skills to recognize the symptoms, understand what’s happening and why, respectively of identifying the appropriate actions.

Given technologies’ multi-layered complexity and the volume of knowledge for understanding them, the role of the doctor can be seldom taken by one person. Moreover, the patient is an organization, each person in the organization having usually local knowledge about the patient. The needed knowledge is dispersed trough the organization, and one needs to tap into that knowledge, identify the people close to technologies and business area, respectively allow such people exchange information on a regular basis.

The people who should know the best the organization are in theory the management, however they are usually too far away from technologies and often too busy with management topics. IT professionals are close to technologies, though sometimes too far away from the patient. The users have a too narrow overview, while from logistical and economic reasons the number of people involved should be kept to a minimum. A compromise is to designate one person from each business area who works with any of the strategic systems, and assure that they have the technical and business knowledge required. It’s nothing but the key-user concept, though for it to work the key-users need not only knowledge but also the empowerment to act when the symptoms appear.

Big organizations have also a product owner for each application who supervises the application through its entire lifecycle, and who needs to coordinate with the IT, business and service providers. This is probably a good idea in order to assure that the ROI is reached over time, respectively that the needs of the system are considered within the IT operation context. In small organizations, the role can be taken by a technical or a business resource with deeper skills then the average user, usually a key-user. However, unless joined with the key-user role, the product owner’s focus will be the product and seldom the business themes.

The issues that need to be overcome after major changes are usually cross-functional, being imperative for people to work together and find solutions. Unfortunately, it’s also in human nature to wait until the issues are big enough to get the proper attention. Unless the key-users have the time allocated already for such topics, the issues will be lost in the heap of operational and tactical activities. This time must be allocated for all key-users and the technical resources needed to support them.

Some organizations build temporary working parties (groups of experts working together to achieve specific goals) or similar groups. However, the statute of such group needs to be permanent if the organization wants to continuously have its health in check, to build the needed expertize and awareness about occurred or potential issues. Centers of excellence/expertize (CoE) or competency centers (CC) are such working groups with permanent statute, having defined roles, responsibilities, and processes for supporting and promoting the effective use of technologies within the organization, respectively of monitoring and systematically addressing the risks and opportunities associated with them.

There’s also the null hypothesis, doing nothing, relying solely on employees’ professionalism, though without defined responsibility, accountability and empowerment, it can get messy.

Previous Post <<||>> Next Post

💎💫SQL Reloaded: Useful Queries for Dynamics 365 F&O and not only (Part II: Security )

The security architecture of Microsoft Dynamics 365 for Finance and Operations (D365FO) is based on a role-based model in which the access is not granted individually to users but through security roles. A set of roles are assigned to a user, each role having access to a set of privileges. In between duties can be assigned to one or more roles, respectively duties can contain several privileges. The model comes with a default set of security roles, which can be further extended to reflect organization's needs. 

Navigating through the model via the D365FO's UI isn't that straightforward as it should be. Probably it's much easier to export to Excel the associations between roles and privileges, respectively between roles and duties, or search punctually for a certain value within the same dataset directly in the database. The following queries can be run into a non-production environment:

-- security role's assigned privileges
SELECT SRO.AOTName [Role AOT Name]
, SRO.Name [Role Name]
, SRO.Description [Role Description]
, SPI.Identifier [Privilege Identifier]
, SPI.Name [Privilege Name]
, SPI.Description [Privilege Description]
FROM dbo.SecurityRolePrivilegeExplodedGraph SRP
     JOIN dbo.SecurityRole SRO
          ON SRP.SecurityRole = SRO.RecId
         JOIN dbo.SecurityPrivilege SPI
           ON SRP.SecurityPrivilege = SPI.RecId
WHERE SPI.NAME IN ('Maintain accounts receivable aging period definitions'
, 'Maintain accounts payable aging period definitions')
ORDER BY SRO.AOTName

-- security role's assigned duties
SELECT  SRO.AOTName [Role AOT Name]
, SRO.Name [Role Name]
, SRO.Description [Role Description]
, SDU.Identifier [Duty Identifier]
, SDU.Name [Duty Name]
, SDU.Description [Duty Description]
FROM dbo.SecurityRoleDutyExplodedGraph SRP
     JOIN dbo.SecurityRole SRO
          ON SRP.SecurityRole = SRO.RecId
        JOIN dbo.SecurityDuty SDU
          ON SRP.SecurityDuty = SDU.RecId
WHERE SRO.Name LIKE 'Accounting Manager%'
ORDER BY SDU.Identifier 

Below you can find a short description of the security tables considered above:

Table	Description
SecurityDuty	contains the list of duties defined by the security AOT role node
SecurityPrivilege	contains the list of privileges defined by the security AOT role node
SecurityRole	contains the list of roles defined by the security AOT role node
SecurityRoleDutyExplodedGraph	contains the list of role to duty mappings and role to privilege mappings as defined by the AOT security role
SecurityRoleExplodedGraph	contains all role relationships, direct or indirect, as defined by the AOT sub role nodes of the security role nodes.
SecurityRolePrivilegeExplodedGraph	contains the list of role to privilege mappings and role to privilege mappings as defined by the AOT security role
SecurityUserRole	contains the user to role mappings

Previous Post <<||>> Next Post

Resources:
[1] Microsoft Dynamics 365 (2020) Security architecture [source]
[2] Microsoft Dynamics 365 (2020) Role-based security [source]

🧱IT: Chief Information Officer [CIO] (Definitions)

"The job responsibility of managing the information technology and computer systems that support enterprise business goals." (Evan Levy & Jill Dyché, "Customer Data Integration", 2006)

"The head of information technology within a company." (Bettina M Davis & Wendy L Combsand, "Demystifying Technical Training: Partnership, Strategy, and Execution", 2009)

"The executive who heads the information services division of an organization. The CIO, usually reporting directly to the Chief Executive Officer, has the responsibility for all the organization's computing and data communications." (Paulraj Ponniah, "Data Warehousing Fundamentals for IT Professionals", 2010)

"A job title for the head of the Information Technology group within an organization. They often report to Chief Executive Officer. The prominence of this position has risen greatly as information technology has become a more important part of organizations." (DAMA International, "The DAMA Dictionary of Data Management", 2011)

"The person who is in charge of information technology (IT) strategy and the computer, network, and third-party (for example, cloud) systems required to support an enterprise’s objectives and goals." (William Stallings, "Effective Cybersecurity: A Guide to Using Best Practices and Standards", 2018)

🔦Process Management: Roles (Definitions)

"A job type defined in terms of a set of responsibilities." (Atul Apte, "Java Connector Architecture: Building Custom Connectors and Adapters", 2002)

"A set of expectations for behavior; describes the extent to which each individual performs activities related to project." (Timothy J  Kloppenborg et al, "Project Leadership", 2003)

"Specified responsibilities that identify a set of related activities to be performed by a designated individual (e.g., a project manager)." (Richard D Stutzke, "Estimating Software-Intensive Systems: Projects, Products, and Processes", 2005)

"A definition of the behavior and responsibilities of an individual or set of individuals working together as a team." (Bruce MacIsaac & Per Kroll, "Agility and Discipline Made Easy: Practices from OpenUP and RUP", 2006)

"A defined set of work tasks, dependencies, and responsibilities that can be assigned to an individual as a work package. A role describes a collection of tasks that constitute one component of a process, and would normally be performed by an individual." (Sally A Miller et al, "People CMM: A Framework for Human Capital Management" 2nd Ed., 2009)

"The set of expectations in a social system that define the services individuals or groups are supposed to provide." (Alexander Grashow et al, "The Practice of Adaptive Leadership", 2009)

"The characteristic and expected behaviors of an individual, derived from his or her responsibilities and preferences in providing value to the organization." (David Lyle & John G Schmidt, "Lean Integration", 2010)

"1.Generally, a label assigned to a set of connected behaviors, rights and obligations. 2.In data modeling, the way in which entities of one type relate to entities of another type in a relationship. 3.In data security, a name used to refer to the logical set of related responsibilities assignable to a person or organization, and to parties with these assigned responsibilities." (DAMA International, "The DAMA Dictionary of Data Management", 2011)

"A defined function to be performed by a project team member, such as testing, filing, inspecting, coding." (Cynthia Stackpole, "PMP® Certification All-in-One For Dummies®", 2011)

"Description of specific skills, qualifications and work profiles in software development. These should be filled by the persons (responsible for these roles) in the project." (Tilo Linz et al, "Software Testing Foundations" 4th Ed., 2014)

"Usual or expected functionality of an actor in the context of an activity or a business process; an actor can have one or several roles. " (Gilbert Raymond & Philippe Desfray, "Modeling Enterprise Architecture with TOGAF", 2014)

"A defined function to be performed by a project team member, such as testing, filing, inspecting, or coding." (Project Management Institute, "A Guide to the Project Management Body of Knowledge (PMBOK Guide )", 2017)

"In ITIL, this is a set of responsibilities, activities and authorities granted to a person or team. A role is defined in a process. One person or team may have multiple roles, for example the roles of configuration manager and change manager may be carried out by a single person." (Brian Johnson & Leon-Paul de Rouw, "Collaborative Business Design", 2017)

"A defined function to be performed by a project team member, such as testing, filing, inspecting, coding." (Jeffrey K Pinto, "Project Management: Achieving Competitive Advantage" 5th Ed., 2018)

"A set of responsibilities, activities and authorities granted to a person/team." (ITIL)

🔦Process Management: Process Owner (Definitions)

"The person (or team) responsible for defining and maintaining a process. At the organizational level, the process owner is the person (or team) responsible for the description of a standard process; at the project level, the process owner is the person (or team) responsible for the description of the defined process. A process may therefore have multiple owners at different levels of responsibility." (Sandy Shrum et al, "CMMI®: Guidelines for Process Integration and Product Improvement", 2003)

"The process owner (person or team) is responsible for process definition and maintenance. At the organizational level, the process owner is responsible for the description of the standard process. At the project level, the process owner is responsible for the defined process. A process may therefore have several process owners with varying levels of responsibility." (Lars Dittmann et al, "Automotive SPICE in Practice", 2008)

"The person responsible for defining and maintaining a process. At the organizational level, the process owner is the individual(s) responsible for the description of a standard process or set of related practices. Within a workforce competency, the process owner is the individual(s) responsible for defining and maintaining the competency-based processes associated with that workforce competency. A process may have multiple owners at different levels of responsibility." (Sally A Miller et al, "People CMM: A Framework for Human Capital Management" 2nd Ed., 2009)

"The person responsible for process definition, execution and control." (DAMA International, "The DAMA Dictionary of Data Management", 2011)

"Role responsible for ensuring that a process is fit for purpose" (ITIL)

🔹SQL Server: Server Role (Definitions)

"A named set of security accounts. A SQL Server role can contain Windows NT users, Windows NT groups, SQL Server users, or other SQL Server roles from the same database." (Microsoft Corporation, "SQL Server 7.0 System Administration Training Kit", 1999)

"A predefined role defined at the server level and existing outside individual databases." (Microsoft Corporation, "SQL Server 7.0 System Administration Training Kit", 1999)

"A predefined role that exists at the server level. The scope of the role is limited to the SQL Server instance in which it is defined. Fixed server roles allow you to quickly assign permissions on the server to specific individuals. Roles can be compared to groups in the Window NT/2000 operating systems." (Anthony Sequeira & Brian Alderman, "The SQL Server 2000 Book", 2003)

"A predefined role at the server level that is used to control administrative access to the SQL Server instance." (Marilyn Miller-White et al, "MCITP Administrator: Microsoft® SQL Server™ 2005 Optimization and Maintenance 70-444", 2007)

"A predefined role that exists at the server level. The scope of the role is limited to the SQL Server instance in which it is defined." (Microsoft, "SQL Server 2012 Glossary", 2012)

"These are special groups in SQL Server that are used to limit the amount of administrative access that a user has once logged on to SQL Server." (Joseph L Jorden & Dandy Weyn, "MCTS Microsoft SQL Server 2005: Implementation and Maintenance Study Guide - Exam 70-431", 2006)

🔹SQL Server: Fixed Database Role (Definitions)

"A predefined role defined at the database level and existing in each database." (Microsoft Corporation, "SQL Server 7.0 System Administration Training Kit", 1999)

"A predefined role that exists in each database. The scope of the role is limited to the database in which it is defined. You use fixed database roles to quickly define permissions within a particular database. Roles can be compared to groups in the Window NT/2000 operating systems." (Anthony Sequeira & Brian Alderman, "The SQL Server 2000 Book", 2003)

"These are special groups in each SQL Server database that already have permissions applied and are used to limit the permissions that a user has inside the database." (Joseph L Jorden & Dandy Weyn, "MCTS Microsoft SQL Server 2005: Implementation and Maintenance Study Guide - Exam 70-431", 2006)

"A role that is created by SQL Server 2005 in each database with a set of permissions that are predetermined and cannot be altered. Users can be added to one or more fixed database roles." (Marilyn Miller-White et al, "MCITP Administrator: Microsoft® SQL Server™ 2005 Optimization and Maintenance 70-444", 2007)

"A predefined role that exists in each database. The scope of the role is limited to the database in which it is defined." (Microsoft, "SQL Server 2012 Glossary", 2012)

🔹SQL Server: Application Role (Definitions)

"A SQL Server role created to support the security needs of an application. Such a role is activated by a password and the use of the spsetapprole system stored procedure." (Microsoft Corporation, "SQL Server 7.0 System Administration Training Kit", 1999)

"A SQL Server role created to support the security needs of an application. Using application roles is an alternative to allowing users access to SQL Server 2000. You can create an application role and assign it to a particular application, allowing users who use the application to access SQL Server." (Anthony Sequeira & Brian Alderman, "The SQL Server 2000 Book", 2003)

"This is a special type of role that requires activation using the sp_setapprole stored procedure. This is primarily used to keep users from accessing a database with anything other than a custom application." (Joseph L Jorden & Dandy Weyn, "MCTS Microsoft SQL Server 2005: Implementation and Maintenance Study Guide - Exam 70-431", 2006)

"A SQL Server role used by the application, instead of the user, to authenticate against a database solution." (Marilyn Miller-White et al, "MCITP Administrator: Microsoft® SQL Server™ 2005 Optimization and Maintenance 70-444", 2007)

"A SQL Server role used by the application, instead of the user, to authenticate against a database solution." (Victor Isakov et al, "MCITP Administrator: Microsoft SQL Server 2005 Optimization and Maintenance (70-444) Study Guide", 2007)

"A SQL Server role created to support the security needs of an application." (Microsoft, "SQL Server 2012 Glossary", 2012)

🛢DBMS: Role (Definitions)

"Provide individual accountability for users performing system administration and security-related tasks in SQL Server. The System Administrator, System Security Officer, and Operator roles can be granted to individual server login accounts." (Karen Paulsell et al, "Sybase SQL Server: Performance and Tuning Guide", 1996)

"An administrative unit within SQL Server that contains SQL Server logins, Windows NT logins, groups, or other roles." (Microsoft Corporation, "SQL Server 7.0 System Administration Training Kit", 1999)

"In Oracle, a named database object that can receive privileges and in turn be granted to accounts. Simplifies administration of privileges." (Bill Pribyl & Steven Feuerstein, "Learning Oracle PL/SQL", 2001)

"A security account that is a collection of other security accounts that can be treated as a single unit when managing permissions. A role can contain SQL Server logins, other roles, and Windows logins or groups." (Anthony Sequeira & Brian Alderman, "The SQL Server 2000 Book", 2003)

"A group of related privileges that is referenced by a single name. Privileges can be assigned to a role, and a role can be assigned to a database user or to another role. Roles ease the maintenance issues with managing privileges for a large number of users who can be grouped into a relatively small number of categories based on job function." (Bob Bryla, "Oracle Database Foundations", 2004)

"A SQL Server security account is a collection of other security accounts that can be treated as a single unit when managing permissions. A role can contain SQL Server logins, other roles, and Windows logins or groups." (Thomas Moore, "EXAM CRAM™ 2: Designing and Implementing Databases with SQL Server 2000 Enterprise Edition", 2005)

"A definition of security permissions for one or more user accounts or user groups defined in the operating system and applied to an OLAP database or cube." (Reed Jacobsen & Stacia Misner, "Microsoft SQL Server 2005 Analysis Services Step by Step", 2006)

"A set of privileges that permit actions on specified resources. Roles assigned to a user determine the user’s access to resources and operations." (MongoDb, "Glossary", 2008)

"Roles exist at both the server level and the database level. By adding logins to roles, they are automatically granted the permissions of that role. For example, by adding a user to the sysadmin role, the user can do anything on the instance of the server. By adding a user to the dbowner role, the user can do anything in the database." (Darril Gibson, "MCITP SQL Server 2005 Database Developer All-in-One Exam Guide", 2008)

"In Oracle, a named collection of database access privileges that authorize a user to connect to a database and use the database system resources." (Carlos Coronel et al, "Database Systems: Design, Implementation, and Management" 9th Ed., 2011)

"(1) Name used to refer to the logical set of related responsibilities assignable to a person or organization, and to parties with these assigned responsibilities. (2) A database security mechanism used to grant one or more preassigned privileges to a user." (Craig S Mullins, "Database Administration", 2012)

"A database entity that groups together one or more privileges and that can be assigned, for example, to users, PUBLIC, other roles, or trusted contexts." (Sybase, "Open Server Server-Library/C Reference Manual", 2019)