Cannot make myself Synapse Administrator from CLI but only from Portal

Rafi Trad 61

I am an owner on the subscription level. I created a Synapse workspace, and wanted to make myself its administrator from Azure CLI (cloud shell).

When running:

   az synapse role assignment create --workspace-name $SynapseWorkspaceName \  
     --role "Synapse Administrator" \  
     --assignee-object-id $MyId \  
     --assignee-principal-type User

I am faced with the odd error:
(Unauthorized) The principal 'x-x-x-x' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/read, Scope: workspaces/y/.
Code: Unauthorized
Message: The principal 'x-x-x-x' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/read, Scope: workspaces/y/.

Using --assignee or --scope is not changing anything.

If I use Portal, I am able to assign the role successfully. The user is the same, and from CLI I can assign other roles on other resources. Why is this happening when I am an owner?

BhargavaGunnam-MSFT 26,306 Reputation points Microsoft Employee

2022-11-09T02:16:24.703+00:00

Hello @Rafi Trad ,

Welcome to the MS Q&A platform.

This is strange.

Can you please check if you can run the below command?

az synapse role definition list --workspace-name <yourworkspace>

Do you have multiple tenants and trying to execute the command in the wrong tenant by any chance?
Rafi Trad 61 Reputation points

2022-11-09T09:30:04.787+00:00

it is indeed strange. I am creating a host of resources on the same tenant and I can confirm I am using the correct tenant and subscription when having a look through Portal, and when running:

az account show

So I am on the correct tenancy.

When I try to list the role definition list of the workspace in question, I get the same error, complaining I don't get to read Synapse workspaces in spite of being a subscription owner and global admin:

az synapse role definition list --workspace-name synw-x

(Unauthorized) The principal 'x-x-x-x' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/read, Scope: workspaces/synw-x/.
Code: Unauthorized
Message: The principal 'x-x-x-x' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/read, Scope: workspaces/synw-x/.

I tried to run the same command on another synapse workspace that we had created entirely from Portal, and I face no errors.

The thing that baffles me is: why can Portal assign the role while CLI can't? This is a big deterrent when you are trying to automate Azure operations..
BhargavaGunnam-MSFT 26,306 Reputation points Microsoft Employee

2022-11-14T16:09:07.747+00:00

Hello @Rafi Trad ,
I am checking to see if you have any further questions here.
Rafi Trad 61 Reputation points

2022-11-14T16:17:02.57+00:00

Hi @BhargavaGunnam-MSFT , no more questions, I have accepted your answer already. Thank you.

Accepted answer

BhargavaGunnam-MSFT 26,306 Reputation points Microsoft Employee

2022-11-09T21:25:04.94+00:00
Hello @Rafi Trad ,

As per the discussion with my internal team, for a user to be able to run the commands to add Synapse RBAC roles using CLI, the user themselves should have a Synapse Administrator role at the Synapse Studio level.

When creating a workspace, the workspace owner automatically gets the Synapse administrator roles in the Synapse Studio.

It seems like you have Synapse administrator roles on another synapse studio, due to this reason you were able to use CLI on that workspace.

Please see the below documents explains the Synapse RBAC assignments in Synapse Studio

https://learn.microsoft.com/en-us/azure/synapse-analytics/security/how-to-review-synapse-rbac-role-assignments
https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac#who-can-assign-synapse-rbac-roles

I hope this helps. If you have any questions, please let me know.

------------------------------

Please don't forget to click on and upvote button whenever the information provided helps you. Original posters help the community find answers faster by identifying the correct answer. Here is how

Want a reminder to come back and check responses? Here is how to subscribe to a notification

If you are interested in joining the VM program and help shape the future of Q&A: Here is how you can be part of Q&A Volunteer Moderators
Please sign in to rate this answer.

2 people found this answer helpful.
Rafi Trad 61 Reputation points

2022-11-10T13:40:03.643+00:00

I tried to re-create the resources from scratch, and I can confirm that my user was granted Synapse Administrator role automatically as you said, and I could list and assign roles. However, since I was using the cloud shell to list role assignments, I couldn't see the roles in Portal before I whitelisted my machine's IP.

It is still confusing why I could re-assign the missing roles via Portal but not via CLI in this case, so if you have a comment, that would be appreciated.

BhargavaGunnam-MSFT 26,306 Reputation points Microsoft Employee

2022-11-11T00:17:00.23+00:00

Hello @Rafi Trad ,
Sorry, let me give you some more clarification here.

Synapse access is managed in two places.

1) workspace level
2) Studio level

CLI behavior with synapse:
For a user to be able to run the commands to add Synapse RBAC roles using CLI, the user themselves should have a Synapse Administrator role at the Synapse Studio level.

When creating a workspace, the workspace owner automatically gets the Synapse administrator roles in the Synapse Studio(default behavior).

If you deploy a synapse workspace using the portal, by default, your ID is added as synapse administrator. So you can able to use CLI on this workspace.

But if you didn't create a synapse workspace (someone else in your team did), then you are not a synapse administrator on that workspace. In this case, your CLI won't work. For this to work, ask your teammate to add you as synapse administrator on the studio level. Once you get added, you should be able to use CLI to add RBAC on this workspace level.

I hope this clarifies things for you. Please let me know if you have any further questions.

Rafi Trad 61 Reputation points

2022-11-11T09:24:09.853+00:00

Thank you for the elaborate response, it is greatly appreciated. Let me clarify what I meant:

1- I am a subscription owner, and hence an owner on the workspace level at all times
2- I created Synapse using CLI, so my user is a synapse admin by default
3- I wanted to try assigning roles from CLI, so I manually removed my automatic synapse admin permission on the studio level
4- I went back to CLI and tried to assign the role, and I failed as I explained in this thread
5- I went to Portal and tried to assign the role from there instead, and I could, unlike CLI.

The confusion comes from the discrepancy in steps 4 and 5: in CLI, I couldn't re-assign my Synapse Administrator role, but I could in Portal. It seemed to me that Portal could do things CLI couldn't, which was worrying because I was trying to automate my deployments for efficiency.

In any case, your answer clarifies quite a bit of what happened with me, so I will accept it and thank you.

BhargavaGunnam-MSFT 26,306 Reputation points Microsoft Employee

2022-11-11T16:24:43.69+00:00

Hello @Rafi Trad ,
My answers are <inline>

1- I am a subscription owner, and hence an owner on the workspace level at all times- <correct>
2- I created Synapse using CLI, so my user is a synapse admin by default- <yes, you are a synapse administrator at work space as well as at synapse studio level>
3- I wanted to try assigning roles from CLI, so I manually removed my automatic synapse admin permission on the studio level- <to run CLI commands to add RBAC, you need to have synapse administrator at Synapse Studio level. This is the default behavior>
4- I went back to CLI and tried to assign the role, and I failed as I explained in this thread - <This is failed because you don't have synapse administrator at the studio level.>
5- I went to Portal and tried to assign the role from there instead, and I could, unlike CLI- <Sine you are a subscription owner, you can perform most of the operations via Portal, but CLI has this limitation as synapse access is controlled at two places>

Here is an example:

In the below screenshot, I didn't create the workspace Ktestsynapsews, so my user ID doesn't have a synapse administrator role at the studio level (even though I have owner access on the subscription level). So I am getting an access denied error.

Once I added my user ID as synapse administrator at the studio level, I could run the commands using CLI.

I hope this helps. If you still have any questions, I am happy to assist.
I am looking forward to your reply.

Rafi Trad 61 Reputation points

2022-11-14T16:22:24.68+00:00

Thank you for clarifying that CLI does have limitations compared to Portal. This is unexpected, so it is handy to know of any other limitations apart from the one I discovered by chance, perhaps from an article or any source for further reading, since many would like to use CLI and not Portal for automation and reproducibility.

BhargavaGunnam-MSFT 26,306 Reputation points Microsoft Employee

2022-11-14T17:38:02.543+00:00

Hello @Rafi Trad ,
Thank you so much for accepting the answer and re-taking the survey.
I agree that it would be great if an article or any source explained this limitation. But unfortunately, I do not find any documentation. Sorry, this is not in my control, but I can go back to product groups and check if they have any input on it. I will update you on this thread if I find any more information.
Have a great day.

Rafi Trad 61 Reputation points

2022-11-15T13:04:02.357+00:00

I appreciate your diligence, thank you for taking the time to make sure every confusion is clarified.
Sign in to comment

Cannot make myself Synapse Administrator from CLI but only from Portal

0 additional answers