Answered my own question...
From: https://learn.microsoft.com/en-us/azure/synapse-analytics/security/how-to-set-up-access-control#configure-database-scoped-permissions
Synapse SQL Administrator gives db_datareader and db_datawriter on serverless pool databases. Instead, customer can create a user in synapse serverless and assign only db_datareader. This user/account does not need RBAC in Synapse Studio, but needs Storage Account Reader RBAC
Configure Database-scoped permissions
You can grant users access to a single serverless SQL database with the steps outlined in this example:
Create a login. Change to the master database context.
SQL
Copy
--In the master database
CREATE LOGIN [alias@keyman .com] FROM EXTERNAL PROVIDER;
Create user in your database. Change context to your database.
SQL
Copy
-- In your database
CREATE USER alias FROM LOGIN [alias@keyman .com];
Add user as a member of the specified role in your database (in this case, the db_owner role).
SQL
Copy
ALTER ROLE db_owner ADD member alias; -- Type USER name from step 2