Hi Nalini Bhavaraju,
It sounds like you're looking to configure Azure RBAC for SQL Server to meet some specific access requirements for your databases. Here's a general approach you can take to achieve this:
Viewing Access: To allow users to view all databases/resources under the SQL Server, you can assign them the SQL Server Reader role at the SQL Server level. This gives them the ability to view resources without making any changes.
Specific Database Permissions:
- For the first database, where users need to create and update tables/views/schemas but cannot delete them, you will need to use a combination of database-level roles. Assign them the db_datawriter role to allow them to create and update tables and views, and do not assign the db_owner role to prevent them from deleting any objects.
- To ensure users cannot delete any database objects, you'll have to manage this through permissions set at the database level instead of RBAC. You might also want to consider row-level security depending on how granular you want the control to be.
Read-Only Access: For the second database, assign the users the db_datareader role, which allows them to read data without making any changes.
Preventing Deletions and Role Management: Avoid using roles like SQL DB Contributor or Contributor, as they allow for deletions. By applying the specific database roles mentioned, you should prevent users from deleting databases, tables, schemas, etc.
Creating Custom Roles: If needed, you can create a custom role that includes only the permissions necessary for your users, such as allowing create and update access without delete permissions.
Here's a quick reference for the roles:
- SQL Server Reader: Allows viewing of SQL Server resources.
- db_datareader: Allows read access to all tables in the database.
- db_datawriter: Allows insert, update, and delete access to all tables in the database (the users will need a custom role if deletion is to be restricted).
I recommend reviewing the more detailed permissions and role settings in the Azure documentation on database access control to tailor this precisely to your needs.
Hope this helps! If you have any more questions or need further clarification, feel free to ask!
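
An added example, not part of the original answer: one way to write the custom database role mentioned under "Creating Custom Roles", as T-SQL run inside the first database. The role, trigger and user names are hypothetical, and the DDL trigger is an assumption added here because ALTER on a schema, which creating tables in it requires, also permits dropping the objects it contains.

```sql
-- Run while connected to the first database (not master).
-- All names below are hypothetical placeholders.
CREATE ROLE app_schema_editor;

-- Map a Microsoft Entra ID principal to a contained database user
-- and place it in the custom role.
CREATE USER [user@example.com] FROM EXTERNAL PROVIDER;
ALTER ROLE app_schema_editor ADD MEMBER [user@example.com];

-- Creating an object needs the database-level CREATE permission
-- plus ALTER on the schema that will contain it.
GRANT CREATE TABLE, CREATE VIEW, CREATE SCHEMA TO app_schema_editor;
GRANT ALTER ON SCHEMA::dbo TO app_schema_editor;

-- Data access: read, insert and update rows; row deletes are denied.
-- DENY takes precedence over any GRANT the user inherits from other roles.
GRANT SELECT, INSERT, UPDATE ON SCHEMA::dbo TO app_schema_editor;
DENY DELETE ON SCHEMA::dbo TO app_schema_editor;
GO

-- ALTER on a schema also allows DROP of objects in that schema,
-- so drops are rolled back by a database-scoped DDL trigger.
-- The trigger runs in the caller's security context, which is what
-- IS_ROLEMEMBER evaluates.
CREATE TRIGGER trg_block_object_drops
ON DATABASE
FOR DROP_TABLE, DROP_VIEW, DROP_SCHEMA
AS
BEGIN
    IF IS_ROLEMEMBER('app_schema_editor') = 1
       AND IS_ROLEMEMBER('db_owner') = 0
    BEGIN
        RAISERROR('Members of app_schema_editor may not drop objects.', 16, 1);
        ROLLBACK;
    END
END;
GO

-- Review what the role actually holds after the grants above.
SELECT pr.name AS role_name, pe.state_desc, pe.permission_name,
       pe.class_desc, SCHEMA_NAME(pe.major_id) AS schema_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pr.name = 'app_schema_editor';
```

TRUNCATE TABLE is covered by ALTER and does not fire a DDL trigger, so this trigger does not block it. A user who creates their own schema owns it, and the DENY on `dbo` does not apply to objects inside that new schema.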