deny_permission
Deny permissions to a principal for a securable in Fabric. Supports database, schema, and object scopes with optional column-level restrictions.
Instructions
Deny permissions on a securable to a principal.
Executes DENY <permissions> ON <scope> TO <principal>.
Blocked by FABRIC_MCP_READONLY. Does NOT require
FABRIC_MCP_ALLOW_DESTRUCTIVE.
Args:
workspace: Workspace name or GUID.
item: Warehouse or SQL endpoint name or GUID.
permissions: Comma-separated permission tokens (e.g. "SELECT").
principal: Principal name to deny (Entra UPN, app GUID, or role name).
scope: Securable class -- "DATABASE" (default), "SCHEMA", or
"OBJECT".
schema: Schema name (required when scope is "SCHEMA").
object_name: Qualified object name <schema>.<object> (required when
scope is "OBJECT").
columns: Optional list of column names for column-level security
(OBJECT scope only; permissions must be SELECT, UPDATE, or
REFERENCES). Pass None (omit) for no column restriction.
Passing an empty list raises a ToolError.
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| item | Yes | ||
| scope | No | DATABASE | |
| schema | No | ||
| columns | No | ||
| principal | Yes | ||
| workspace | Yes | ||
| object_name | No | ||
| permissions | Yes |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
No arguments | |||