The Synapse workspace items permissions can't restrict user to a credential and data isolation issues

Satya Sandeep Karinki 1 Reputation point
2023-06-01T18:08:40.87+00:00

@PRADEEPCHEEKATLA-MSFT @Synapse

  1. We have a synapse workspace
  2. We have created 2 credentials using managed identity (MI1 & MI2)
  3. We have created a linked service, Cred1_Stor001 (ADLS Gen2), on MI1.
  4. MI1 has Storage Contributor access and is working fine.

Now we add a user user2grp1 who is assigned the following permissions:

  • Synapse Credential User at the workspace item level on Cred1_Stor001 & MI1
  • Now, when user2grp1 logs in, he can't test the linked service. He gets the following error:

Insufficient permissions to call this API. 852ace4c-66fb-4e10-b72f-381d563327ad does not have Microsoft.Synapse/workspaces/credentials/useSecret/action on scope workspaces/syn001-karinki/credentials/WorkspaceSystemIdentity

Now, if I assign Synapse Credential User on the workspace, he can access all LS created on other credentials.

How can we isolate users from accessing resources they aren't supposed to, and have the above user access the LS (Cred1_Stor001)?


1 answer

  1. VasimTamboli 4,785 Reputation points
    2023-06-04T13:48:22.05+00:00

    Create a custom role: Azure Synapse Analytics allows you to create custom roles with specific permissions tailored to your requirements. You can define a custom role that grants the necessary permissions to access the desired linked service (Cred1_Stor001) without providing access to other resources.

    Assign the custom role to the user: Once you have created the custom role, assign it to the user (user2grp1) instead of assigning the default "Synapse credential User" role. This ensures that the user has access only to the specific resources associated with the custom role.

    Review and adjust workspace item permissions: Double-check the permissions assigned to the user at the workspace item level. Make sure that the user has the appropriate permissions to access and use the linked service (Cred1_Stor001) without granting excessive permissions that could lead to accessing other resources.

    By following these steps, you can help isolate users and control their access to specific resources within Azure Synapse Analytics while ensuring they can access the required linked service.
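The error quoted in the question names the scope that was denied: the WorkspaceSystemIdentity credential, not MI1. Whether a role assignment covers that scope depends only on where the assignment sits in the scope hierarchy, so the two configurations in the question can be compared mechanically. The following script is an added illustration written for this page, not code from the asker, the answerer, or Microsoft; it models the Synapse RBAC scope check as an assumption (a role assignment applies at its own scope and every child scope, and "Synapse Credential User" is modelled as granting only the useSecret action), parses the denial message from the question, and lists which credentials each configuration lets user2grp1 use.

```python
import re
from dataclasses import dataclass

# Action that testing a linked service needed on the credential, per the error in the question.
USE_SECRET = "Microsoft.Synapse/workspaces/credentials/useSecret/action"

# Role -> actions. Only the role the question uses is modelled; the action set is an
# illustrative assumption for this example, not the full built-in role definition.
ROLE_ACTIONS = {
    "Synapse Credential User": {USE_SECRET},
}


@dataclass(frozen=True)
class Assignment:
    principal: str  # user/group object id, or a readable label as used here
    role: str
    scope: str      # "workspaces/<ws>" or "workspaces/<ws>/credentials/<credential>"


def scope_covers(assigned: str, requested: str) -> bool:
    """Assumed scope rule: an assignment applies at its own scope and at every child scope.
    The trailing "/" stops "credentials/MI1" from covering "credentials/MI10"."""
    return requested == assigned or requested.startswith(assigned + "/")


def is_allowed(principal: str, action: str, scope: str, assignments) -> bool:
    """True if any assignment for the principal grants the action at a covering scope."""
    return any(
        a.principal == principal
        and action in ROLE_ACTIONS.get(a.role, set())
        and scope_covers(a.scope, scope)
        for a in assignments
    )


def credentials_usable(principal: str, workspace: str, credentials, assignments):
    """Credentials on which the principal may call useSecret: the blast radius of the grant."""
    return [
        c for c in credentials
        if is_allowed(principal, USE_SECRET, f"workspaces/{workspace}/credentials/{c}", assignments)
    ]


DENIAL_RE = re.compile(r"(\S+) does not have (\S+) on scope (\S+)")


def parse_denial(message: str):
    """Pull principal, action and scope out of a Synapse 'Insufficient permissions' message."""
    m = DENIAL_RE.search(message)
    if not m:
        return None
    return {"principal": m.group(1), "action": m.group(2), "scope": m.group(3)}


WORKSPACE = "syn001-karinki"
CREDENTIALS = ["MI1", "MI2", "WorkspaceSystemIdentity"]
USER = "user2grp1"

# Constructed assignment sets mirroring the two configurations described in the question.
ITEM_SCOPED = [Assignment(USER, "Synapse Credential User", f"workspaces/{WORKSPACE}/credentials/MI1")]
WORKSPACE_SCOPED = [Assignment(USER, "Synapse Credential User", f"workspaces/{WORKSPACE}")]

# Error text as quoted in the question.
ERROR_TEXT = (
    "Insufficient permissions to call this API. 852ace4c-66fb-4e10-b72f-381d563327ad does not have "
    "Microsoft.Synapse/workspaces/credentials/useSecret/action on scope "
    "workspaces/syn001-karinki/credentials/WorkspaceSystemIdentity"
)

if __name__ == "__main__":
    for label, assignments in (("item-scoped", ITEM_SCOPED), ("workspace-scoped", WORKSPACE_SCOPED)):
        print(f"{label}: usable credentials -> {credentials_usable(USER, WORKSPACE, CREDENTIALS, assignments)}")
    denial = parse_denial(ERROR_TEXT)
    print("denied:", denial)
    print("item-scoped grant on MI1 covers the denied scope?",
          is_allowed(USER, denial["action"], denial["scope"], ITEM_SCOPED))
```

The item-scoped configuration yields only MI1 and therefore does not cover the WorkspaceSystemIdentity scope the error reports, while the workspace-scoped one yields every credential in the workspace, which is the over-grant the question describes. Before changing assignments, parse the actual denial message the same way and check that whatever scope you grant covers exactly the credential named in it and nothing broader.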