Allowed operator in Azure Data Explorer RLS function

Question

I'm attempting to implement RLS in ADX on already ingested data. The RLS policy function I'm creating looks like this.

.create-or-alter function with (docstring = 'Restricts access to data.', folder = 'RLS') RestrictAccess(TableName: string) {

    table(TableName)

    | join kind=leftsemi (

            AccessTable

            | extend 

                current_member=case(

                    current_principal_is_member_of('aadgroup=00000000-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'foo',

                    current_principal_is_member_of('aadgroup=11111111-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'bar',

                    current_principal_is_member_of('aadgroup=22222222-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'baz',

                    'unknown'

                )

            | where current_member == groupName

            | distinct deviceId

        ) on deviceId

}

my access table looks like this

.set-or-append async AccessTable with(folder = 'RLS') <|

datatable(deviceId: string, groupName: string)[

    'A0000000-1111-2222-3333-444444444444', 'foo',

    'B0000000-1111-2222-3333-444444444444', 'foo',

    'B0000000-1111-2222-3333-444444444444', 'bar',

    'D0000000-1111-2222-3333-444444444444', 'baz'

];

Then I run the policy like this

.alter table MyTable policy row_level_security enable "RestrictAccess('MyTable')"

However, I get the error

Error

Error during execution of a policy operation: Error in row_level_security query for database("MyDatabase").table("MyTable"): the following operators were blocked: 'summarize' (only the following operators are allowed: 'as', 'distinct', 'extend', 'join', 'limit', 'project', 'project-away', 'project-keep', 'project-rename', 'project-reorder', 'union', 'where')

As you can see, I'm only using allowed operators! What could be the issue?

Answer 1

Hello AdamRnarsson-2213,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you are having issue with Azure Data Explorer RLS function.

Regarding your explanations, I will advise to check the usage of the distinct operator within your RLS policy function first. Try to remove and see if the error persists.

This is an example your code snippet without distinct:

.create-or-alter function with (docstring = 'Restricts access to data.', folder = 'RLS') RestrictAccess(TableName: string) {
    table(TableName)
    | join kind=leftsemi (
        AccessTable
        | extend 
            current_member=case(
                current_principal_is_member_of('aadgroup=00000000-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'foo',
                current_principal_is_member_of('aadgroup=11111111-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'bar',
                current_principal_is_member_of('aadgroup=22222222-BBBB-CCCC-DDDD-EEEEEEEEEEEE'), 'baz',
                'unknown'
            )
        | where current_member == groupName
        | project deviceId
    ) on deviceId
}

Then, make sure there is no implicit use of the summarize operator within your function or any referenced functions and the AccessTable is correctly formatted and does not contain any unexpected data that might cause issues during the join operation. Check out for more about rowl level security https://learn.microsoft.com/en-us/kusto/management/row-level-security-policy?view=microsoft-fabric and ingestion error https://learn.microsoft.com/en-us/azure/data-explorer/error-codes

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

---

Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.