Setting different permissions for SAS Token on ADLS Gen2

Question

Hello,

I'm interested to know if it's possible to set two different sets of permissions for an access policy on ADLS Gen2 Storage - one at the container level, and another at the folder level. I'm looking for a setup like this:

1. Access Policy setting at container level - rl
2. Access Policy setting at folder level - rlw

Could someone please share any resources or insights that could help me achieve this? Thank you!

Answer 1

Hello PS,

Welcome to the Microsoft Q&A and thank you for posting your questions here.

I understand that you would like to Set different permissions for SAS Token on ADLS Gen2

To achieve different sets of permissions at different levels (container and folder) in Azure Data Lake Storage Gen2 (ADLS Gen2), you'll need to understand and apply both Shared Access Signatures (SAS) and Access Control Lists (ACLs).

• First, Set Up SAS Token for Container-Level Access which will allow access to the entire container with read and list permissions but does not grant write permissions.
• Secondly, Set Up SAS Token for Folder-Level Access which will be used to access a specific folder with Read`, List, and Write permissions.
• Then, apply Access Control Lists (ACLs) for Fine-Grained Control
• Finally, combine SAS Token and ACL to:
  • Grants basic Read and List permissions at the container level.
  • Allow more specific permissions at the folder level. Ensure the folder-level SAS token and ACLs are applied properly for the desired Read, List, and Write access.

For documentation as requested:

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-overview

https://docs.microsoft.com/en-us/azure/storage/common/storage-sas-create

https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acls-overview

You can also read more from the additional resources available by the right side of this page.

Accept Answer

I hope this is helpful! Do not hesitate to let me know if you have any other questions.

** Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful ** so that others in the community facing similar issues can easily find the solution.

Best Regards,

Sina Salam

Answer 2

Hello PS,

Greetings! Welcome to Microsoft Q&A Platform.

Yes, you’re right. ACLs (Access Control Lists) and SAS (Shared Access Signature) tokens operate independently in Azure. ACLs are used to manage permissions at the file and directory level within Azure Data Lake Storage Gen2, while SAS tokens provide a way to grant limited access to Azure Storage resources without sharing the account key. Since ACLs are not applicable to SAS tokens, you can manage access using either method,

Using SAS Tokens:

• Generate a SAS token with the required permissions for the folder.
• Use this SAS token to access the folder and perform the allowed operations.

Using ACLs:

• Set ACLs on the folder to specify permissions for users or groups.
• Ensure that the users or services accessing the folder have the necessary permissions set by the ACLs.
• If you need to provide access to external users or services without sharing your account key, SAS tokens are the way to go and for internal access control within your organization, ACLs provide more granular permissions.Hope this helps! Please let us know if you have any further queries. I’m happy to assist you further.      

---

Please "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.