Run any Skill in Manus with one click

data-api-builder-auth

Plan and implement Data API Builder auth scenarios across anonymous, Entra ID, API policy filtering, and SQL RLS patterns. Use when choosing or deploying DAB auth architecture.

Run Skill in Manus

Overview

Plan and implement Data API Builder auth scenarios across anonymous, Entra ID, API policy filtering, and SQL RLS patterns. Use when choosing or deploying DAB auth architecture.

Install command

npx skills add https://github.com/JerryNixon/dab-quickstarts --skill data-api-builder-auth

Copy and paste this command into Claude Code to install the skill

Source

JerryNixon/dab-quickstarts

Stars0

Forks0

UpdatedMarch 31, 2026 at 19:01

File Explorer

10 files

SKILL.md

readonly

name	data-api-builder-auth
description	Plan and implement Data API Builder auth scenarios across anonymous, Entra ID, API policy filtering, and SQL RLS patterns. Use when choosing or deploying DAB auth architecture.

Data API Builder Authentication Scenarios

Use this skill to choose and implement the right DAB auth pattern based on quickstarts 1-5.

When to use

Decide between anonymous, Entra ID, API-level policy, and SQL RLS
Migrate from one auth model to another
Implement auth changes in dab-config.json, web auth flow, and SQL layer
Deploy auth scenarios to Azure with minimal rework

Scenario map

See the scenario matrix file in this skill's resources folder.

Quick summary:

QS1: Anonymous + SQL Auth
QS2: Anonymous + Managed Identity (API→SQL)
QS3: Entra provider configured, still anonymous role
QS4: Entra + authenticated role + DAB policy (@item ... @claims ...)
QS5: Entra + authenticated role + SQL Row-Level Security (no DAB row policy)

Bundled assets

DAB config templates

qs1-anonymous-sql-auth.json
qs3-entra-provider-anonymous-role.json
qs4-entra-authenticated-policy.json
qs5-entra-authenticated-rls-ready.json

SQL RLS templates

UserFilterPredicate.sql
UserFilterPolicy.sql

Scripts

new-dab-auth-config.ps1
auth-scenario-checklist.ps1

Implementation workflow

Pick target scenario (qs1, qs3, qs4, or qs5 template baseline).
Generate dab-config.json from template using script.
Fill placeholders (__AUDIENCE__, __ISSUER__, __WEB_URL_AZURE__).
If moving to RLS, add SQL objects and remove DAB row policies.
Validate and run:
- dab validate
- start app stack
Verify behavior with scenario checklist script.

Critical correctness checks

For stored procedures, use execute permission, not read.
DAB policy syntax is OData style (@item.Owner eq @claims.preferred_username).
RLS scenario should not keep DAB row policies for the same rule.
Entra provider requires real audience/issuer values (no placeholders at runtime).
Managed Identity changes are infra/runtime connection concerns, not just dab-config.

Troubleshooting (syntax gotchas)

Policy syntax

// WRONG
"policy": { "database": "Owner = preferred_username" }

// CORRECT
"policy": { "database": "@item.Owner eq @claims.preferred_username" }

Auth role mismatch

// WRONG for user-token flow
"role": "anonymous"

// CORRECT for token-protected flow
"role": "authenticated"

RLS duplication

If SQL RLS is enabled (QS5 pattern), avoid duplicating the same row filter policy in DAB unless intentionally layering controls.

Related skills

data-api-builder-config
data-api-builder-cli
azure-data-api-builder
data-api-builder-demo

More from this repository

same repository

aspire-data-api-builder

JerryNixon/dab-quickstarts

Guide for .NET Aspire orchestration of SQL Server + Data API Builder + SQL Commander + MCP Inspector. Use when asked to create an Aspire-based DAB environment.

2026-05-290

azure-data-api-builder

JerryNixon/dab-quickstarts

Deploy Data API Builder to Azure Container Apps with Azure SQL, ACR, and azd. Use when asked to deploy DAB to Azure, create Bicep for DAB, or set up cloud API hosting.

2026-05-290

docker-data-api-builder

JerryNixon/dab-quickstarts

Docker Compose orchestration of SQL Server, Data API Builder, SQL Commander, and MCP Inspector. Use when asked to create docker-compose.yml, set up local containers, or run DAB without Aspire.

2026-05-290

aspire-mcp-inspector

JerryNixon/dab-quickstarts

Add MCP Inspector to a .NET Aspire AppHost for debugging MCP servers such as Data API Builder.

2026-03-310

azure-mcp-inspector

JerryNixon/dab-quickstarts

Deploy MCP Inspector to Azure Container Apps using an nginx same-origin proxy so UI and proxy work behind a single ingress port.

2026-03-310

creating-agent-skills

JerryNixon/dab-quickstarts

Create and audit GitHub Copilot Agent Skills with clear discovery descriptions, correct SKILL.md frontmatter, and reusable multi-step workflows.

2026-03-310

Source

JerryNixon

JerryNixon/dab-quickstarts

View GitHub Repository View Creator Repositories

Install command

Download

Run Skill in Manus

Useful forSOC

Software DevelopersComputer and Mathematical Occupations15-1252L4

name	data-api-builder-auth
description	Plan and implement Data API Builder auth scenarios across anonymous, Entra ID, API policy filtering, and SQL RLS patterns. Use when choosing or deploying DAB auth architecture.

Data API Builder Authentication Scenarios

Use this skill to choose and implement the right DAB auth pattern based on quickstarts 1-5.

When to use

Decide between anonymous, Entra ID, API-level policy, and SQL RLS
Migrate from one auth model to another
Implement auth changes in dab-config.json, web auth flow, and SQL layer
Deploy auth scenarios to Azure with minimal rework

Scenario map

See the scenario matrix file in this skill's resources folder.

Quick summary:

QS1: Anonymous + SQL Auth
QS2: Anonymous + Managed Identity (API→SQL)
QS3: Entra provider configured, still anonymous role
QS4: Entra + authenticated role + DAB policy (@item ... @claims ...)
QS5: Entra + authenticated role + SQL Row-Level Security (no DAB row policy)

Bundled assets

DAB config templates

qs1-anonymous-sql-auth.json
qs3-entra-provider-anonymous-role.json
qs4-entra-authenticated-policy.json
qs5-entra-authenticated-rls-ready.json

SQL RLS templates

UserFilterPredicate.sql
UserFilterPolicy.sql

Scripts

new-dab-auth-config.ps1
auth-scenario-checklist.ps1

Implementation workflow

Pick target scenario (qs1, qs3, qs4, or qs5 template baseline).
Generate dab-config.json from template using script.
Fill placeholders (__AUDIENCE__, __ISSUER__, __WEB_URL_AZURE__).
If moving to RLS, add SQL objects and remove DAB row policies.
Validate and run:
- dab validate
- start app stack
Verify behavior with scenario checklist script.

Critical correctness checks

For stored procedures, use execute permission, not read.
DAB policy syntax is OData style (@item.Owner eq @claims.preferred_username).
RLS scenario should not keep DAB row policies for the same rule.
Entra provider requires real audience/issuer values (no placeholders at runtime).
Managed Identity changes are infra/runtime connection concerns, not just dab-config.

Troubleshooting (syntax gotchas)

Policy syntax

// WRONG
"policy": { "database": "Owner = preferred_username" }

// CORRECT
"policy": { "database": "@item.Owner eq @claims.preferred_username" }

Auth role mismatch

// WRONG for user-token flow
"role": "anonymous"

// CORRECT for token-protected flow
"role": "authenticated"

RLS duplication

If SQL RLS is enabled (QS5 pattern), avoid duplicating the same row filter policy in DAB unless intentionally layering controls.

Related skills

data-api-builder-config
data-api-builder-cli
azure-data-api-builder
data-api-builder-demo