Access role assignment doesn't work properly from the command line

Question

I have a Synapse workspace deployed automatically using Azure DevOps pipeline; it has a predefined user account set as the Azure Active Directory admin. Now, after deployment, I can use this account to login to the workspace using web interface and assign Synapse RBAC roles (Synapse Administrator to this account first, and after that any other roles), but any attempts to do the same via the command line fail with this error:

New-AzSynapseRoleAssignment: The principal does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/read

Any ideas how to fix this problem?

Answer 1

@Andrei F Thanks for using Microsoft Q&A forum and posting your query.

I suspect you created the role assignment by RoleDefinitionName. When you create role assignment by role name, the cmdlet needs to get the role id through role name using api Role Definitions - List Role Definitions - REST API (Azure Synapse) | Microsoft Learn, which need the workspace read permission and resulting in above error.

To resolve the issue, please create role assignment by role id directly instead of role name .

Here are the role ID's:

"roleDefinitions": [
    {
      "roleId": "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78",
      "roleName": "Synapse Administrator"
    },
    {
      "roleId": "7572bffe-f453-4b66-912a-46cc5ef38fda",
      "roleName": "Synapse Contributor"
    },
    {
      "roleId": "dd665582-e433-40ca-b183-1b1b33e73375",
      "roleName": "Synapse Linked Data Manager"
    },
    {
      "roleId": "05930f57-09a3-4c0d-9fa9-6d1eb91c178b",
      "roleName": "Synapse Artifact Publisher"
    },
    {
      "roleId": "53faaa0e-40b6-40c8-a2ff-e38f2d388875",
      "roleName": "Synapse Artifact User"
    },
    {
      "roleId": "e3844cc7-4670-42cb-9349-9bdac1ee7881",
      "roleName": "Synapse Compute Operator"
    },
    {
      "roleId": "5eb298b4-692c-4241-9cf0-f58a3b42bb25",
      "roleName": "Synapse Credential User"
    },
    {
      "roleId": "2a385764-43e8-416c-9825-7b18d05a2c4b",
      "roleName": "Synapse User"
    },
    {
      "roleId": "c3a6d2f1-a26f-4810-9b0f-591308d5cbf1",
      "roleName": "Apache Spark Administrator"
    },
    {
      "roleId": "7af0c69a-a548-47d6-aea3-d00e69bd83aa",
      "roleName": "Synapse SQL Administrator"
    },
    {
      "roleId": "8f9b2195-5b12-4a7c-af30-8f1f46197650",
      "roleName": "Synapse Monitoring Operator"
    }
  ]

 

Hope this helps. Let me know how it goes.

---

Please don’t forget to Accept Answer and Yes for "was this answer helpful" wherever the information provided helps you, this can be beneficial to other community members.

Answer 2

Hi. It was a different problem, but your answer gave me a useful idea :) I had to specify users by ids rather than names to make it work.

Answer 3

Hi

Thanks for reaching out to Microsoft Q&A.

The CLI has some limitations compared to what you can do at portal level when it comes to assigning permissions. There is a question with accepted answer which I think identical to what you are facing, pls go through below and let me know if this helped.

https://learn.microsoft.com/en-us/answers/questions/1080028/cannot-make-myself-synapse-administrator-from-cli

Please Upvote and Accept as answer if the reply was helpful, this will be helpful to other community members.