Support allowMaterializedViewsWithoutRowLevelSecurity on RLS policies (#147)

ashleyvansp · web-flow · commit e51d556aa0b6 · 2026-02-26T14:29:40.000-08:00
diff --git a/KustoSchemaTools/Changes/DatabaseChanges.cs b/KustoSchemaTools/Changes/DatabaseChanges.cs
@@ -48,6 +48,18 @@ public static List<IChange> GenerateChanges(Database oldState, Database newState
 
             result.AddRange(GenerateDeletions(oldState, newState.Deletions, log));
 
+            // Kusto does not expose AllowMaterializedViewsWithoutRowLevelSecurity in any query output,
+            // so propagate the flag from the desired state to the cluster state to avoid phantom diffs.
+            foreach (var table in newState.Tables)
+            {
+                if (table.Value.Policies?.AllowMaterializedViewsWithoutRowLevelSecurity == true
+                    && oldState.Tables.ContainsKey(table.Key)
+                    && oldState.Tables[table.Key].Policies != null)
+                {
+                    oldState.Tables[table.Key].Policies.AllowMaterializedViewsWithoutRowLevelSecurity = true;
+                }
+            }
+
             result.AddRange(GenerateScriptCompareChanges(oldState, newState, db => db.Tables, nameof(newState.Tables), log, (oldItem, newItem) => oldItem != null || newItem.Columns?.Any() == true));
             var mvChanges = GenerateScriptCompareChanges(oldState, newState, db => db.MaterializedViews, nameof(newState.MaterializedViews), log);
             foreach(var mvChange in mvChanges)
diff --git a/KustoSchemaTools/Model/Policy.cs b/KustoSchemaTools/Model/Policy.cs
@@ -10,6 +10,7 @@ public class Policy
         public string? HotCache { get; set; }
         public PartitioningPolicy? Partitioning { get; set; }
         public string? RowLevelSecurity { get; set; }
+        public bool AllowMaterializedViewsWithoutRowLevelSecurity { get; set; } = false;
 
 
         public List<DatabaseScriptContainer> CreateScripts(string name, string entity)
@@ -26,7 +27,10 @@ public List<DatabaseScriptContainer> CreateScripts(string name, string entity)
           
             if (!string.IsNullOrEmpty(RowLevelSecurity))
             {
-                scripts.Add(new DatabaseScriptContainer("RowLevelSecurity", 57, $".alter {entity} {name} policy row_level_security enable ```{RowLevelSecurity}```"));
+                var rlsWithClause = AllowMaterializedViewsWithoutRowLevelSecurity
+                    ? " with (allowMaterializedViewsWithoutRowLevelSecurity=true)"
+                    : "";
+                scripts.Add(new DatabaseScriptContainer("RowLevelSecurity", 57, $".alter {entity} {name} policy row_level_security enable{rlsWithClause} ```{RowLevelSecurity}```"));
             }
             else
             {

Original file line number	Diff line number	Diff line change
`@@ -10,6 +10,7 @@ public class Policy`
`10`	`10`	`public string? HotCache { get; set; }`
`11`	`11`	`public PartitioningPolicy? Partitioning { get; set; }`
`12`	`12`	`public string? RowLevelSecurity { get; set; }`
	`13`	`+ public bool AllowMaterializedViewsWithoutRowLevelSecurity { get; set; } = false;`
`13`	`14`
`14`	`15`
`15`	`16`	`public List<DatabaseScriptContainer> CreateScripts(string name, string entity)`
`@@ -26,7 +27,10 @@ public List<DatabaseScriptContainer> CreateScripts(string name, string entity)`
`26`	`27`
`27`	`28`	`if (!string.IsNullOrEmpty(RowLevelSecurity))`
`28`	`29`	`{`
`29`		- scripts.Add(new DatabaseScriptContainer("RowLevelSecurity", 57, $".alter {entity} {name} policy row_level_security enable ```{RowLevelSecurity}```"));
	`30`	`+ var rlsWithClause = AllowMaterializedViewsWithoutRowLevelSecurity`
	`31`	`+ ? " with (allowMaterializedViewsWithoutRowLevelSecurity=true)"`
	`32`	`+ : "";`
	`33`	+ scripts.Add(new DatabaseScriptContainer("RowLevelSecurity", 57, $".alter {entity} {name} policy row_level_security enable{rlsWithClause} ```{RowLevelSecurity}```"));
`30`	`34`	`}`
`31`	`35`	`else`
`32`	`36`	`{`