Synapse linked service access control based on security group

Question

Synapse linked service access control based on security group

Mohamed Faisal 15

I have a requirement to limit access to linked service based on security group.

I have tried below approach,

created two user managed identity and created credentials in synapse(managedidentity_project1, managedidentity_project2)
created two credentials in synapse based on user managed identity
- credential_project1->managedidentity_project1_
- credential_project2->managedidentity_project2_
Assigned secret get, secret list access on key Vault to user managed identity
- managedidentity_project1 - secret get & secret list access_
- _managedidentity_project2) - secret get & secret list access
Created two Azure Key Vault linked service based on user managed identity authentication.
- ls_keyvault_project1 ->_ managedidentity_project1_
- ls_keyvault_project2 ->_ managedidentity_project2_
Created two blob storage linked service based on account key authentication and used key Vault linked service to fetch account key.
- lsstorage_project1 ->ls_keyvault_project1 ->_ managedidentity_project1_
- lsstorage_project2 ->ls_keyvault_project2 ->_ managedidentity_project2_
- Created two blob storage dataset based on above two linked service.
- ds_project1->lsstorage_project1 ->ls_keyvault_project1 ->_ managedidentity_project1_
- ds_project2->lsstorage_project2 ->ls_keyvault_project2 ->_ managedidentity_project2_
- create two security group and assigned user members
- securitygroup_project1 ->user_project1_
- securitygroup_project2_->user_project2_
- Assigned Synapse artifact publisher role to both security groups
- Assigned workspace item level access to credentials to security group
- credential_project1->synapse Credential user->securitygroup_project1
- credential_project2->synapse Credential user->securitygroup_project2
- for debugging, assigned managedidentity credential access to two security groups, without this I was getting error
- workspacesystemidentity->synapse Credential user->securitygroup_project1
- workspacesystemidentity->synapse Credential user->securitygroup_project2
When I logged with user user_project1, I could able to test connection and preview data using both datasets((ds_project1 & ds_project2). I am expecting workspace item level access will enforce access control by preventing data access using dataset(ds_project2). Also I tried setting workspace item level access to specific linked service but i don't see any difference in access. Any advice on implementing access control at linked service level will help.
- Created two blob storage dataset based on above two linked service.
- create two security group and assigned user members
- Assigned Synapse artifact publisher role to both security groups
- Assigned workspace item level access to credentials to security group
for debugging, assigned managedidentity credential access to two security groups, without this I was getting error
- lsstorage_project1 ->ls_keyvault_project1 ->_ managedidentity_project1_
- lsstorage_project2 ->ls_keyvault_project2 ->_ managedidentity_project2_
- Created two blob storage dataset based on above two linked service.
- ds_project1->lsstorage_project1 ->ls_keyvault_project1 ->_ managedidentity_project1_
- ds_project2->lsstorage_project2 ->ls_keyvault_project2 ->_ managedidentity_project2_
- create two security group and assigned user members
- securitygroup_project1 ->user_project1_
- securitygroup_project2_->user_project2_
- Assigned Synapse artifact publisher role to both security groups
- Assigned workspace item level access to credentials to security group
- credential_project1->synapse Credential user->securitygroup_project1
- credential_project2->synapse Credential user->securitygroup_project2
- for debugging, assigned managedidentity credential access to two security groups, without this I was getting error
- workspacesystemidentity->synapse Credential user->securitygroup_project1
- workspacesystemidentity->synapse Credential user->securitygroup_project2

When I logged with user user_project1, I could able to test connection and preview data using both datasets((ds_project1 & ds_project2). I am expecting workspace item level access will enforce access control by preventing data access using dataset(ds_project2). Also I tried setting workspace item level access to specific linked service but i don't see any difference in access.

Any advice on implementing access control at linked service level will help.

Mohamed Faisal 15 Reputation points

2023-05-01T13:26:06.5533333+00:00
Unable to format my question, Reposting same

I have a requirement to limit access to linked service based on security group.

I have tried below approach,

created two user managed identity and created credentials in synapse(managedidentity_project1, managedidentity_project2)

created two credentials in synapse based on user managed identity

credential_project1->managedidentity_project1_

credential_project2->managedidentity_project2_

Assigned secret get, secret list access on key Vault to user managed identity

managedidentity_project1 - secret get & secret list access_

_managedidentity_project2) - secret get & secret list access

Created two Azure Key Vault linked service based on user managed identity authentication.

ls_keyvault_project1 ->_ managedidentity_project1_

ls_keyvault_project2 ->_ managedidentity_project2_

Created two blob storage linked service based on account key authentication and used key Vault linked service to fetch account key.

lsstorage_project1 ->ls_keyvault_project1 ->_ managedidentity_project1_

lsstorage_project2 ->ls_keyvault_project2 ->_ managedidentity_project2_

Created two blob storage dataset based on above two linked service.

ds_project1->lsstorage_project1 ->ls_keyvault_project1 ->_ managedidentity_project1_

ds_project2->lsstorage_project2 ->ls_keyvault_project2 ->_ managedidentity_project2_

create two security group and assigned user members

securitygroup_project1 ->user_project1_

securitygroup_project2_->user_project2_

Assigned Synapse artifact publisher role to both security groups

Assigned workspace item level access to credentials to security group

credential_project1->synapse Credential user->securitygroup_project1

credential_project2->synapse Credential user->securitygroup_project2

for debugging, assigned managedidentity credential access to two security groups, without this I was getting error

workspacesystemidentity->synapse Credential user->securitygroup_project1

workspacesystemidentity->synapse Credential user->securitygroup_project2

When I logged with user user_project1, I could able to test connection and preview data using both datasets((ds_project1 & ds_project2). I am expecting workspace item level access will enforce access control by preventing data access using dataset(ds_project2). Also I tried setting workspace item level access to specific linked service but i don't see any difference in access. Any advice on implementing access control at linked service level will help.

1 answer

Your answer

Answer 1

AnnuKumari-MSFT 34,556 Microsoft Employee Moderator

Hi Mohamed Faisal ,

Welcome to Microsoft Q&A platform and thanks for posting your question here.

As I understand your question here, you are trying to restrict the access of a user or a group to create/delete the linked service . Please let me know if that is not the requirement.

Restrictions on ADF pipeline developers to create connection using linked services can be applied by creating Custom roles.

When there is a requirement that the Azure Data Factory pipeline developers should not create or delete linked services to connect to the data sources that they have access to, the built-in role (Data Factory Contributor) will not restrict them. This calls for the creation of custom roles. However, you need to be cognizant about the number of role assignments that you can have depending on your subscription. This can be verified by choosing your resource group and selection the Role assignments under Access Control (IAM).

You can exclude permissions by selecting the Delete: Delete Linked Service and Write: Create or Update any Linked service

Note: Once the custom role is created, you can assign a user or group to this role. You can login with this user to Azure Data Factory. You will still be able to create a linked service but will not be able to save/publish.

For more information, kindly check out the below documentation: Custom role to restrict Azure Data Factory pipeline developers to create/delete linked services

Hope it helps. Kindly accept the answer by clicking on Accept answer button.

Mohamed Faisal 15 Reputation points

2023-05-02T12:54:38.6533333+00:00

Thanks for your response.

My requirement is how to restrict read access to specific linked service based on AD group.

For example, if I have two linked service one for reading sensitive data and another for reading non-sensite data. I have to restrict read access to sensitive linked service only to sensitive-user-Ad group. And restrict read access to non-sensitive linked service only ro non-sensitive-user-AD group.

I am not using ADF, I am using synapse.
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2023-05-11T06:48:29.25+00:00

Hi Mohamed Faisal ,

Thank you for the follow up query. I am checking on this internally, will respond here once I get some information. Thanks
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2023-05-18T04:23:39.83+00:00

Hi Mohamed Faisal ,

Thankyou for the patience , unfortunately we are not getting the kind of response from the team here . if you have a support plan you may file a support ticket, else could you please send an email to azcommunity@microsoft.com with the below details, so that we can create a one-time-free support ticket for you to work closely on this matter.

Subscription ID: <Your Subscription ID>

Subject : Attn Annu

Please let me know once you have done the same.
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2023-05-19T07:08:25.07+00:00

Hi Mohamed Faisal ,

Did you get a chance to create Support ticket for your query? Kindly share the SR ticket number for tracking the issue. Thanks
Mohamed Faisal 15 Reputation points

2023-05-19T07:46:03.8366667+00:00

Hi @AnnuKumari-MSFT ,

I have sent details in an email, could you please create once off support ticket. Thanks
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2023-05-26T05:05:40.0833333+00:00

Hi Mohamed Faisal ,

Did you get any resolution for this issue via support? If yes, requesting you to kindly share the resolution details with the community
AnnuKumari-MSFT 34,556 Reputation points Microsoft Employee Moderator

2023-06-05T08:49:49.31+00:00

Hi Mohamed Faisal ,

Just following up to see if you got any response from the support team . Would appreciate If you could share the same with the community. Thanks
Mohamed Faisal 15 Reputation points

2023-06-12T05:27:17.5666667+00:00

Got an update from engineering team

"They have confirmed that this segregation of Linked Services across multiple dev teams within the same workspace and with the current RBAC model it is not possible for now.

It is in our backlog as a feature improvement but we do not currently have an ETA.

I would request you to fill the below feature request form so that it will be emphasize by the product group.
Azure Synapse Analytics · Community

"

Share via

Synapse linked service access control based on security group

1 answer

Your answer