# SQL Pool Security

Comprehensive security management including auditing, vulnerability assessments, data classification, masking, and threat protection. These capabilities provide enterprise-grade security controls for SQL pools within Azure Synapse Analytics.

## Capabilities

### Blob Auditing Policies

Configure blob auditing to track database activities and write audit logs to Azure Storage.

```python { .api }
def get_blob_auditing_policy(resource_group_name: str, workspace_name: str, sql_pool_name: str, blob_auditing_policy_name: str) -> SqlPoolBlobAuditingPolicy:
    """
    Get a blob auditing policy.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - blob_auditing_policy_name (str): Name of the blob auditing policy

    Returns:
    SqlPoolBlobAuditingPolicy: Blob auditing policy
    """

def create_or_update_blob_auditing_policy(resource_group_name: str, workspace_name: str, sql_pool_name: str, blob_auditing_policy_name: str, parameters: SqlPoolBlobAuditingPolicy) -> SqlPoolBlobAuditingPolicy:
    """
    Create or update blob auditing policy.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - blob_auditing_policy_name (str): Name of the blob auditing policy
    - parameters (SqlPoolBlobAuditingPolicy): Auditing policy configuration

    Returns:
    SqlPoolBlobAuditingPolicy: Updated auditing policy
    """

def list_by_sql_pool(resource_group_name: str, workspace_name: str, sql_pool_name: str) -> ItemPaged[SqlPoolBlobAuditingPolicy]:
    """
    List blob auditing policies for a SQL pool.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool

    Returns:
    ItemPaged[SqlPoolBlobAuditingPolicy]: Paged collection of auditing policies
    """
```

### Extended Blob Auditing Policies

Configure extended blob auditing with additional settings and retention policies.

```python { .api }
def get_extended_blob_auditing_policy(resource_group_name: str, workspace_name: str, sql_pool_name: str, blob_auditing_policy_name: str) -> ExtendedSqlPoolBlobAuditingPolicy:
    """
    Get extended blob auditing policy.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - blob_auditing_policy_name (str): Name of the blob auditing policy

    Returns:
    ExtendedSqlPoolBlobAuditingPolicy: Extended blob auditing policy
    """

def create_or_update_extended_blob_auditing_policy(resource_group_name: str, workspace_name: str, sql_pool_name: str, blob_auditing_policy_name: str, parameters: ExtendedSqlPoolBlobAuditingPolicy) -> ExtendedSqlPoolBlobAuditingPolicy:
    """
    Create or update extended blob auditing policy.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - blob_auditing_policy_name (str): Name of the blob auditing policy
    - parameters (ExtendedSqlPoolBlobAuditingPolicy): Extended auditing policy configuration

    Returns:
    ExtendedSqlPoolBlobAuditingPolicy: Updated extended auditing policy
    """

def list_by_sql_pool_extended(resource_group_name: str, workspace_name: str, sql_pool_name: str) -> ItemPaged[ExtendedSqlPoolBlobAuditingPolicy]:
    """
    List extended blob auditing policies for a SQL pool.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool

    Returns:
    ItemPaged[ExtendedSqlPoolBlobAuditingPolicy]: Paged collection of extended auditing policies
    """
```

### Security Alert Policies

Configure threat detection and security alert policies to monitor suspicious activities.

```python { .api }
def get_security_alert_policy(resource_group_name: str, workspace_name: str, sql_pool_name: str, security_alert_policy_name: str) -> SqlPoolSecurityAlertPolicy:
    """
    Get security alert policy.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - security_alert_policy_name (str): Name of the security alert policy

    Returns:
    SqlPoolSecurityAlertPolicy: Security alert policy
    """

def create_or_update_security_alert_policy(resource_group_name: str, workspace_name: str, sql_pool_name: str, security_alert_policy_name: str, parameters: SqlPoolSecurityAlertPolicy) -> SqlPoolSecurityAlertPolicy:
    """
    Create or update security alert policy.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - security_alert_policy_name (str): Name of the security alert policy
    - parameters (SqlPoolSecurityAlertPolicy): Security alert policy configuration

    Returns:
    SqlPoolSecurityAlertPolicy: Updated security alert policy
    """

def list_security_alert_policies(resource_group_name: str, workspace_name: str, sql_pool_name: str) -> ItemPaged[SqlPoolSecurityAlertPolicy]:
    """
    List security alert policies for a SQL pool.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool

    Returns:
    ItemPaged[SqlPoolSecurityAlertPolicy]: Paged collection of security alert policies
    """
```

### Vulnerability Assessments

Configure and manage vulnerability assessments to identify security risks.

```python { .api }
def get_vulnerability_assessment(resource_group_name: str, workspace_name: str, sql_pool_name: str, vulnerability_assessment_name: str) -> SqlPoolVulnerabilityAssessment:
    """
    Get vulnerability assessment settings.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - vulnerability_assessment_name (str): Name of the vulnerability assessment

    Returns:
    SqlPoolVulnerabilityAssessment: Vulnerability assessment settings
    """

def create_or_update_vulnerability_assessment(resource_group_name: str, workspace_name: str, sql_pool_name: str, vulnerability_assessment_name: str, parameters: SqlPoolVulnerabilityAssessment) -> SqlPoolVulnerabilityAssessment:
    """
    Create or update vulnerability assessment settings.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - vulnerability_assessment_name (str): Name of the vulnerability assessment
    - parameters (SqlPoolVulnerabilityAssessment): Vulnerability assessment configuration

    Returns:
    SqlPoolVulnerabilityAssessment: Updated vulnerability assessment settings
    """

def delete_vulnerability_assessment(resource_group_name: str, workspace_name: str, sql_pool_name: str, vulnerability_assessment_name: str) -> None:
    """
    Remove vulnerability assessment settings.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - vulnerability_assessment_name (str): Name of the vulnerability assessment
    """

def list_vulnerability_assessments(resource_group_name: str, workspace_name: str, sql_pool_name: str) -> ItemPaged[SqlPoolVulnerabilityAssessment]:
    """
    List vulnerability assessments for a SQL pool.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool

    Returns:
    ItemPaged[SqlPoolVulnerabilityAssessment]: Paged collection of vulnerability assessments
    """
```

### Vulnerability Assessment Scans

Execute and manage vulnerability assessment scans.

```python { .api }
def list_scans(resource_group_name: str, workspace_name: str, sql_pool_name: str, vulnerability_assessment_name: str) -> ItemPaged[VulnerabilityAssessmentScanRecord]:
    """
    List vulnerability assessment scans.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - vulnerability_assessment_name (str): Name of the vulnerability assessment

    Returns:
    ItemPaged[VulnerabilityAssessmentScanRecord]: Paged collection of scan records
    """

def get_scan(resource_group_name: str, workspace_name: str, sql_pool_name: str, vulnerability_assessment_name: str, scan_id: str) -> VulnerabilityAssessmentScanRecord:
    """
    Get vulnerability assessment scan.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - vulnerability_assessment_name (str): Name of the vulnerability assessment
    - scan_id (str): Scan ID

    Returns:
    VulnerabilityAssessmentScanRecord: Scan record
    """

def initiate_scan(resource_group_name: str, workspace_name: str, sql_pool_name: str, vulnerability_assessment_name: str, scan_id: str) -> LROPoller[VulnerabilityAssessmentScanRecord]:
    """
    Initiate a vulnerability assessment scan.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - vulnerability_assessment_name (str): Name of the vulnerability assessment
    - scan_id (str): Scan ID

    Returns:
    LROPoller[VulnerabilityAssessmentScanRecord]: Long-running operation poller
    """
```

### Data Classification and Sensitivity Labels

Manage data classification and sensitivity labels for compliance and governance.

```python { .api }
def get_sensitivity_label(resource_group_name: str, workspace_name: str, sql_pool_name: str, schema_name: str, table_name: str, column_name: str, sensitivity_label_source: str) -> SensitivityLabel:
    """
    Get sensitivity label for a column.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - schema_name (str): Schema name
    - table_name (str): Table name
    - column_name (str): Column name
    - sensitivity_label_source (str): Sensitivity label source

    Returns:
    SensitivityLabel: Sensitivity label
    """

def create_or_update_sensitivity_label(resource_group_name: str, workspace_name: str, sql_pool_name: str, schema_name: str, table_name: str, column_name: str, sensitivity_label_source: str, parameters: SensitivityLabel) -> SensitivityLabel:
    """
    Create or update sensitivity label.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - schema_name (str): Schema name
    - table_name (str): Table name
    - column_name (str): Column name
    - sensitivity_label_source (str): Sensitivity label source
    - parameters (SensitivityLabel): Sensitivity label configuration

    Returns:
    SensitivityLabel: Updated sensitivity label
    """

def delete_sensitivity_label(resource_group_name: str, workspace_name: str, sql_pool_name: str, schema_name: str, table_name: str, column_name: str, sensitivity_label_source: str) -> None:
    """
    Delete sensitivity label.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - schema_name (str): Schema name
    - table_name (str): Table name
    - column_name (str): Column name
    - sensitivity_label_source (str): Sensitivity label source
    """

def list_current_sensitivity_labels(resource_group_name: str, workspace_name: str, sql_pool_name: str, **kwargs) -> ItemPaged[SensitivityLabel]:
    """
    List current sensitivity labels for a SQL pool.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - **kwargs: Additional filtering parameters

    Returns:
    ItemPaged[SensitivityLabel]: Paged collection of sensitivity labels
    """
```

### Data Masking

Configure dynamic data masking to protect sensitive data.

```python { .api }
def get_data_masking_policy(resource_group_name: str, workspace_name: str, sql_pool_name: str, data_masking_policy_name: str) -> DataMaskingPolicy:
    """
    Get data masking policy.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - data_masking_policy_name (str): Name of the data masking policy

    Returns:
    DataMaskingPolicy: Data masking policy
    """

def create_or_update_data_masking_policy(resource_group_name: str, workspace_name: str, sql_pool_name: str, parameters: DataMaskingPolicy) -> DataMaskingPolicy:
    """
    Create or update data masking policy.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - parameters (DataMaskingPolicy): Data masking policy configuration

    Returns:
    DataMaskingPolicy: Updated data masking policy
    """

def get_data_masking_rule(resource_group_name: str, workspace_name: str, sql_pool_name: str, data_masking_rule_name: str) -> DataMaskingRule:
    """
    Get data masking rule.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - data_masking_rule_name (str): Name of the data masking rule

    Returns:
    DataMaskingRule: Data masking rule
    """

def create_or_update_data_masking_rule(resource_group_name: str, workspace_name: str, sql_pool_name: str, data_masking_rule_name: str, parameters: DataMaskingRule) -> DataMaskingRule:
    """
    Create or update data masking rule.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool
    - data_masking_rule_name (str): Name of the data masking rule
    - parameters (DataMaskingRule): Data masking rule configuration

    Returns:
    DataMaskingRule: Updated data masking rule
    """

def list_data_masking_rules(resource_group_name: str, workspace_name: str, sql_pool_name: str) -> ItemPaged[DataMaskingRule]:
    """
    List data masking rules for a SQL pool.

    Parameters:
    - resource_group_name (str): Name of the resource group
    - workspace_name (str): Name of the workspace
    - sql_pool_name (str): Name of the SQL pool

    Returns:
    ItemPaged[DataMaskingRule]: Paged collection of data masking rules
    """
```

## Types

### SqlPoolBlobAuditingPolicy

```python { .api }
class SqlPoolBlobAuditingPolicy:
    """
    A blob auditing policy.

    Attributes:
    - id (str): Resource ID
    - name (str): Resource name
    - type (str): Resource type
    - kind (str): Resource kind
    - state (str): Policy state
    - storage_endpoint (str): Storage endpoint
    - storage_account_access_key (str): Storage account access key
    - retention_days (int): Retention days
    - audit_actions_and_groups (list): Actions and groups to audit
    - storage_account_subscription_id (str): Storage account subscription ID
    - is_storage_secondary_key_in_use (bool): Use secondary storage key
    - is_azure_monitor_target_enabled (bool): Enable Azure Monitor target
    - queue_delay_ms (int): Queue delay in milliseconds
    """
```

### SqlPoolSecurityAlertPolicy

```python { .api }
class SqlPoolSecurityAlertPolicy:
    """
    A security alert policy.

    Attributes:
    - id (str): Resource ID
    - name (str): Resource name
    - type (str): Resource type
    - state (str): Policy state
    - disabled_alerts (list): Disabled alert types
    - email_addresses (list): Email addresses for alerts
    - email_account_admins (bool): Email account administrators
    - storage_endpoint (str): Storage endpoint
    - storage_account_access_key (str): Storage account access key
    - retention_days (int): Retention days
    - creation_time (datetime): Creation time
    """
```

### SqlPoolVulnerabilityAssessment

```python { .api }
class SqlPoolVulnerabilityAssessment:
    """
    A vulnerability assessment.

    Attributes:
    - id (str): Resource ID
    - name (str): Resource name
    - type (str): Resource type
    - storage_container_path (str): Storage container path
    - storage_container_sas_key (str): Storage container SAS key
    - storage_account_access_key (str): Storage account access key
    - recurring_scans (VulnerabilityAssessmentRecurringScansProperties): Recurring scan settings
    """
```

### SensitivityLabel

```python { .api }
class SensitivityLabel:
    """
    A sensitivity label.

    Attributes:
    - id (str): Resource ID
    - name (str): Resource name
    - type (str): Resource type
    - managed_by (str): Managed by
    - schema_name (str): Schema name
    - table_name (str): Table name
    - column_name (str): Column name
    - label_name (str): Label name
    - label_id (str): Label ID
    - information_type (str): Information type
    - information_type_id (str): Information type ID
    - is_disabled (bool): Is disabled
    - rank (str): Sensitivity rank
    """
```

### DataMaskingPolicy

```python { .api }
class DataMaskingPolicy:
    """
    A data masking policy.

    Attributes:
    - id (str): Resource ID
    - name (str): Resource name
    - type (str): Resource type
    - location (str): Resource location
    - kind (str): Resource kind
    - managed_by (str): Managed by
    - data_masking_state (str): Data masking state
    - exempt_principals (str): Exempt principals
    - application_principals (str): Application principals
    - masking_level (str): Masking level
    """
```

### DataMaskingRule

```python { .api }
class DataMaskingRule:
    """
    A data masking rule.

    Attributes:
    - id (str): Resource ID
    - name (str): Resource name
    - type (str): Resource type
    - location (str): Resource location
    - kind (str): Resource kind
    - id_properties_id (str): Rule ID
    - alias_name (str): Alias name
    - rule_state (str): Rule state
    - schema_name (str): Schema name
    - table_name (str): Table name
    - column_name (str): Column name
    - masking_function (str): Masking function
    - number_from (str): Number from (for number range masking)
    - number_to (str): Number to (for number range masking)
    - prefix_size (str): Prefix size
    - suffix_size (str): Suffix size
    - replacement_string (str): Replacement string
    """
```

## Usage Examples

### Configure Blob Auditing

```python
import os

from azure.identity import DefaultAzureCredential
from azure.mgmt.synapse import SynapseManagementClient
from azure.mgmt.synapse.models import SqlPoolBlobAuditingPolicy

# Authenticated management client; reading the subscription ID from
# AZURE_SUBSCRIPTION_ID is an assumption of this example
client = SynapseManagementClient(
    credential=DefaultAzureCredential(),
    subscription_id=os.environ["AZURE_SUBSCRIPTION_ID"],
)

auditing_policy = SqlPoolBlobAuditingPolicy(
    state="Enabled",
    storage_endpoint="https://mystorageaccount.blob.core.windows.net",
    # Placeholder: read the key from a secret store rather than hard-coding it
    storage_account_access_key="storage-access-key",
    retention_days=90,
    audit_actions_and_groups=[
        "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
        "FAILED_DATABASE_AUTHENTICATION_GROUP",
        "BATCH_COMPLETED_GROUP"
    ],
    is_azure_monitor_target_enabled=True
)

policy = client.sql_pool_blob_auditing_policies.create_or_update_blob_auditing_policy(
    resource_group_name="my-resource-group",
    workspace_name="my-synapse-workspace",
    sql_pool_name="my-sql-pool",
    blob_auditing_policy_name="default",
    parameters=auditing_policy
)

print("Configured blob auditing policy")
```

### Set Up Threat Detection

```python
from azure.mgmt.synapse.models import SqlPoolSecurityAlertPolicy

# `client` is an authenticated SynapseManagementClient
security_policy = SqlPoolSecurityAlertPolicy(
    state="Enabled",
    email_addresses=["admin@company.com", "security@company.com"],
    email_account_admins=True,
    disabled_alerts=[],  # empty list: no alert type is disabled
    retention_days=30,
    storage_endpoint="https://mystorageaccount.blob.core.windows.net",
    # Placeholder: read the key from a secret store rather than hard-coding it
    storage_account_access_key="storage-access-key"
)

alert_policy = client.sql_pool_security_alert_policies.create_or_update_security_alert_policy(
    resource_group_name="my-resource-group",
    workspace_name="my-synapse-workspace",
    sql_pool_name="my-sql-pool",
    security_alert_policy_name="default",
    parameters=security_policy
)

print("Configured security alert policy")
```

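Once auditing and alert policies are in place, the values returned by `get_blob_auditing_policy` and `get_security_alert_policy` can be checked against a baseline to catch drift. The following is an added example, not part of the original documentation or the SDK: the baseline values, the function names and the sample objects are assumptions, and the checks read only attributes listed under Types.

```python
from types import SimpleNamespace

# Assumed baseline for this example; tune both values to your own policy.
REQUIRED_AUDIT_GROUPS = {
    "SUCCESSFUL_DATABASE_AUTHENTICATION_GROUP",
    "FAILED_DATABASE_AUTHENTICATION_GROUP",
    "BATCH_COMPLETED_GROUP",
}
MIN_RETENTION_DAYS = 90


def check_blob_auditing(policy):
    """Return findings for a SqlPoolBlobAuditingPolicy-shaped object."""
    if getattr(policy, "state", None) != "Enabled":
        return ["auditing is not enabled"]
    findings = []
    to_storage = bool(getattr(policy, "storage_endpoint", None))
    to_monitor = bool(getattr(policy, "is_azure_monitor_target_enabled", False))
    if not (to_storage or to_monitor):
        findings.append("auditing is enabled but has no log destination")
    days = getattr(policy, "retention_days", None)
    # Assumption: retention_days == 0 means the logs are kept indefinitely.
    if to_storage and days != 0 and (days is None or days < MIN_RETENTION_DAYS):
        findings.append(f"retention of {days} days is below {MIN_RETENTION_DAYS}")
    configured = set(getattr(policy, "audit_actions_and_groups", None) or [])
    missing = sorted(REQUIRED_AUDIT_GROUPS - configured)
    if missing:
        findings.append("missing audit groups: " + ", ".join(missing))
    return findings


def check_security_alerts(policy):
    """Return findings for a SqlPoolSecurityAlertPolicy-shaped object."""
    if getattr(policy, "state", None) != "Enabled":
        return ["security alerts are not enabled"]
    findings = []
    # Drop empty strings so that [""] counts as "nothing disabled".
    disabled = sorted(a for a in (getattr(policy, "disabled_alerts", None) or []) if a)
    if disabled:
        findings.append("alert types disabled: " + ", ".join(disabled))
    has_email = bool(getattr(policy, "email_addresses", None))
    if not has_email and not getattr(policy, "email_account_admins", False):
        findings.append("no alert recipients configured")
    return findings


def audit_pool(auditing_policy, alert_policy):
    """Run both checks; an empty list means the pool meets the baseline."""
    return check_blob_auditing(auditing_policy) + check_security_alerts(alert_policy)


# Constructed sample objects standing in for what the get_* calls return.
GOOD_AUDITING = SimpleNamespace(
    state="Enabled", storage_endpoint="https://mystorageaccount.blob.core.windows.net",
    retention_days=90, audit_actions_and_groups=sorted(REQUIRED_AUDIT_GROUPS),
    is_azure_monitor_target_enabled=True)
GOOD_ALERTS = SimpleNamespace(
    state="Enabled", disabled_alerts=[], email_addresses=["security@company.com"],
    email_account_admins=True)
WEAK_AUDITING = SimpleNamespace(
    state="Enabled", storage_endpoint="https://mystorageaccount.blob.core.windows.net",
    retention_days=30, audit_actions_and_groups=["BATCH_COMPLETED_GROUP"],
    is_azure_monitor_target_enabled=False)
WEAK_ALERTS = SimpleNamespace(
    state="Enabled", disabled_alerts=["Sql_Injection"], email_addresses=[],
    email_account_admins=False)

print("\n".join(audit_pool(WEAK_AUDITING, WEAK_ALERTS)))
```
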
### Configure Data Masking

```python
from azure.mgmt.synapse.models import DataMaskingPolicy, DataMaskingRule

# `client` is an authenticated SynapseManagementClient

# Enable data masking
masking_policy = DataMaskingPolicy(
    data_masking_state="Enabled"
)

policy = client.data_masking_policies.create_or_update_data_masking_policy(
    resource_group_name="my-resource-group",
    workspace_name="my-synapse-workspace",
    sql_pool_name="my-sql-pool",
    parameters=masking_policy
)

# Add masking rule for credit card column
masking_rule = DataMaskingRule(
    schema_name="dbo",
    table_name="customers",
    column_name="credit_card_number",
    masking_function="CCN"  # "CCN" is the credit card masking function
)

rule = client.data_masking_rules.create_or_update_data_masking_rule(
    resource_group_name="my-resource-group",
    workspace_name="my-synapse-workspace",
    sql_pool_name="my-sql-pool",
    data_masking_rule_name="CreditCardRule",
    parameters=masking_rule
)

print("Configured data masking for credit card numbers")
```
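
Sensitivity labels and masking rules are managed separately, so a column can be classified as sensitive and still be returned unmasked. The following is an added example, not part of the original documentation or the SDK: it cross-references objects shaped like the results of `list_current_sensitivity_labels` and `list_data_masking_rules`; the rank ordering, the `min_rank` threshold, the function names and the sample data are assumptions.

```python
from types import SimpleNamespace

# Assumed rank ordering, lowest to highest; the page only says rank is a string.
RANK_ORDER = ["None", "Low", "Medium", "High", "Critical"]


def column_key(obj):
    """Exact (schema, table, column) key shared by SensitivityLabel and DataMaskingRule."""
    return (obj.schema_name, obj.table_name, obj.column_name)


def rank_level(rank):
    """Map a rank to its position; unknown ranks fail closed as the highest level."""
    if rank is None:
        return 0
    return RANK_ORDER.index(rank) if rank in RANK_ORDER else len(RANK_ORDER)


def unmasked_sensitive_columns(labels, rules, min_rank="Medium"):
    """List labelled columns at or above min_rank that have no active masking rule."""
    threshold = RANK_ORDER.index(min_rank)
    # A rule counts as active unless its rule_state is explicitly "Disabled".
    masked = {column_key(r) for r in rules
              if getattr(r, "rule_state", None) != "Disabled"}
    gaps = []
    for label in labels:
        if rank_level(label.rank) >= threshold and column_key(label) not in masked:
            gaps.append("{}.{}.{} ({})".format(*column_key(label), label.rank))
    return sorted(gaps)


def sample(column, **extra):
    """Build a constructed stand-in for a label or rule on dbo.customers."""
    return SimpleNamespace(schema_name="dbo", table_name="customers",
                           column_name=column, **extra)


# Constructed data standing in for list_current_sensitivity_labels() and
# list_data_masking_rules() results.
LABELS = [
    sample("credit_card_number", rank="High"),
    sample("email", rank="Medium"),
    sample("notes", rank="Low"),
    sample("ssn", rank="Critical"),
]
RULES = [
    sample("credit_card_number", rule_state="Enabled"),
    sample("email", rule_state="Disabled"),
]

print("\n".join(unmasked_sensitive_columns(LABELS, RULES)))
```

Column names are compared exactly, so a rule whose name differs only in case from the label does not count as covering the column.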