The Synapse workspace items permissions can't restrict user to a credential and data isolation issues

Question

The Synapse workspace items permissions can't restrict user to a credential and data isolation issues

Satya Sandeep Karinki 1

@PRADEEPCHEEKATLA-MSFT @Synapse

We have a synapse workspace
We have created 2 credentials using managed identity (MI1 & MI2)
We have created a linked service-
Cred1_Stor001 (ADLS Gen2) on MI1
MI1 has Storage Contributor access and is working fine.

User's image

Now we add a user user2grp1 who is assigned the following permissions:

Synapse credential User at workspace item on
Cred1_Stor001 & MI1
now when user2grp1 logs in he can't test linked service. he gets the following error:

Insufficient permissions to call this API. 852ace4c-66fb-4e10-b72f-381d563327ad does not have Microsoft.Synapse/workspaces/credentials/useSecret/action on scope workspaces/syn001-karinki/credentials/WorkspaceSystemIdentity

User's image

Now if I assign synapse cred user on workspace, he can access all LS created on other credentials.

How can we isolate the users from accessing resources they aren't supposed to and have the above user access LS(Cred1_Stor001)

1 answer

Your answer

Answer 1

VasimTamboli 5,540 MVP

Create a custom role: Azure Synapse Analytics allows you to create custom roles with specific permissions tailored to your requirements. You can define a custom role that grants the necessary permissions to access the desired linked service (Cred1_Stor001) without providing access to other resources.

Assign the custom role to the user: Once you have created the custom role, assign it to the user (user2grp1) instead of assigning the default "Synapse credential User" role. This ensures that the user has access only to the specific resources associated with the custom role.

Review and adjust workspace item permissions: Double-check the permissions assigned to the user at the workspace item level. Make sure that the user has the appropriate permissions to access and use the linked service (Cred1_Stor001) without granting excessive permissions that could lead to accessing other resources.

By following these steps, you can help isolate users and control their access to specific resources within Azure Synapse Analytics while ensuring they can access the required linked service.

Satya Sandeep Karinki 1 Reputation point

2023-06-05T09:41:14.8733333+00:00

Thanks @VasimTamboli , does this mean we need to create custom RBAC and can't use the workspace level assignments?
VasimTamboli 5,540 Reputation points MVP

2023-06-05T09:50:00.1833333+00:00

@Satya Sandeep Karinki Yes, creating a custom RBAC (Role-Based Access Control) role is the recommended approach to achieve more granular control over user access in Azure Synapse Analytics. While workspace level assignments can provide some level of access control, they may not offer the fine-grained permissions required to isolate users and restrict access to specific resources.

By creating a custom RBAC role, you have the flexibility to define the exact set of permissions that are needed for users to access the desired linked service (Cred1_Stor001) without granting unnecessary permissions to other resources.

To create a custom RBAC role in Azure Synapse Analytics, you can use Azure PowerShell, Azure CLI, or Azure portal. Once the role is defined, you can assign it to the user (user2grp1) to ensure they have access to the required linked service while maintaining the desired level of isolation.

Keep in mind that custom RBAC roles can provide more precise access control, but they also require careful planning and consideration of your specific security requirements. It's important to regularly review and adjust the permissions assigned at the workspace item level to ensure users have the necessary access while minimizing the risk of unauthorized access to other resources.

If you have any further questions or need assistance with any other topic, feel free to ask.

Share via

The Synapse workspace items permissions can't restrict user to a credential and data isolation issues

1 answer

Your answer