Azure Synapse - RBAC Scoping

Dave O'Donohoe 170 Reputation points
2023-08-21T11:50:00.08+00:00

Hi all,

I'm new to Azure Synapse, and have been tasked with building out the security, specifically RBAC permissions.

I am reviewing the Synapse MS recommended RBAC permissions here:

https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac-roles

I'm questioning, in general deployments, are all the above role permissions required - for example Synapse Admin / Contributor - or is it possible to potentially scope down these roles, to be more in line with a least privilege basis?

Also, is AZ Contributor role required on Resource Group, as mentioned in above KB:

"Azure Owner or Azure Contributor roles on the resource group are required for these actions."

Any other related Synapse insight is very welcome :)

Thanks.


1 answer

  1. Bhargava-MSFT 31,241 Reputation points Microsoft Employee
    2023-08-21T20:48:07.31+00:00

    Hello YogiBear,

    Welcome to the Microsoft Q&A platform.

    Synapse access has two scopes.

    1. Synapse Studio level
    2. Portal level (workspace level).

    For your first question:

    Yes, it is possible to scope the roles more specifically with the least privileged basis.

    The Synapse Admin role has full control over the Synapse workspace and all its resources, while the Synapse Contributor role has permission to create and manage resources within the workspace.

    The Synapse SQL Admin role has full control over the SQL pool, while the Synapse SQL Contributor role has permission to create and manage SQL objects within the pool.

    The Synapse Workspace Reader role has read-only access to the workspace.

    Coming to your question:

    To customize these roles to meet specific requirements, you can create a custom role with permissions to perform specific actions on a resource.

    https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac-roles#synapse-rbac-roles-and-the-actions-they-permit

    All custom roles are prefixed with "Microsoft.Synapse/".

    For example, Microsoft.Synapse/workspaces/artifacts/read provides read access to the Synapse artifacts.

    Please see the document below explaining how to manage Synapse RBAC role assignments in Synapse Studio.

    https://learn.microsoft.com/en-us/azure/synapse-analytics/security/how-to-manage-synapse-rbac-role-assignments?source=recommendations

    For your other question, "Azure Owner or Azure Contributor roles on the resource group are required for these actions.":

    these actions are to create or manage SQL pools, Apache Spark pools, and integration runtimes at the Azure Synapse workspace level.

    So you need to have the Azure Owner or Azure Contributor role on the resource group to create or manage SQL pools, Apache Spark pools, and integration runtimes.

    Please note: when creating a workspace, the workspace owner automatically gets the Synapse Administrator role in Synapse Studio.

    Also, for a user to be able to run the commands to add Synapse RBAC roles using the CLI, the user themselves must have the Synapse Administrator role at the Synapse Studio level.

    If you deploy a Synapse workspace using the portal, by default your ID is added as Synapse Administrator.

    Who can assign Synapse RBAC roles:

    https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac#who-can-assign-synapse-rbac-roles

    Portal level access control:

    [screenshot]

    Studio-level access control:

    [screenshot]

    I hope this helps. If you have any further questions, please let me know.

    If this answers your question, please consider accepting the answer by hitting the Accept answer and up-vote as it helps the community look for answers to similar questions.
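The two scopes the answer describes (Azure/portal level on the resource group, Synapse RBAC at the Studio level), worked through as an added example that is not part of the original post and not Microsoft's own code. The subscription ID, resource group, workspace name, Spark pool name and the two Entra group object IDs are placeholders (assumed). The `Microsoft.Synapse/...` provider action names and the `workspaces/<ws>/bigDataPools/<pool>` scope string for `az synapse role assignment create` are taken from the Microsoft.Synapse resource provider and the Azure CLI as I know them; verify both against your tenant with `az provider operation show --namespace Microsoft.Synapse` and `az synapse role assignment create --help` before running with `DRY_RUN=0`. By default the script only prints the `az` commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Two least-privilege controls for
# one Synapse workspace: (1) a custom Azure role scoped to the resource group
# instead of blanket Contributor, (2) Synapse RBAC assignments scoped to a
# single Spark pool. All IDs and names below are placeholders (assumed).
set -eu

SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"  # assumed
RESOURCE_GROUP="${RESOURCE_GROUP:-rg-synapse-prod}"                          # assumed
WORKSPACE="${WORKSPACE:-synws-prod}"                                         # assumed
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the az commands instead of running them

# Print (dry run) or execute one az invocation.
run_az() {
  if [ "$DRY_RUN" = "1" ]; then
    printf 'az'
    for arg in "$@"; do printf ' %s' "$arg"; done
    printf '\n'
  else
    az "$@"
  fi
}

# Control plane: a role definition carrying only the Microsoft.Synapse provider
# actions for pools and integration runtimes, assignable only inside one
# resource group. $1 = subscription id, $2 = resource group.
synapse_pool_operator_role_json() {
  cat <<EOF
{
  "Name": "Synapse Pool Operator (custom)",
  "IsCustom": true,
  "Description": "Create and manage SQL pools, Spark pools and integration runtimes in one resource group",
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Synapse/workspaces/read",
    "Microsoft.Synapse/workspaces/sqlPools/read",
    "Microsoft.Synapse/workspaces/sqlPools/write",
    "Microsoft.Synapse/workspaces/sqlPools/delete",
    "Microsoft.Synapse/workspaces/sqlPools/pause/action",
    "Microsoft.Synapse/workspaces/sqlPools/resume/action",
    "Microsoft.Synapse/workspaces/bigDataPools/read",
    "Microsoft.Synapse/workspaces/bigDataPools/write",
    "Microsoft.Synapse/workspaces/bigDataPools/delete",
    "Microsoft.Synapse/workspaces/integrationRuntimes/read",
    "Microsoft.Synapse/workspaces/integrationRuntimes/write",
    "Microsoft.Synapse/workspaces/integrationRuntimes/delete"
  ],
  "NotActions": [],
  "AssignableScopes": [ "/subscriptions/$1/resourceGroups/$2" ]
}
EOF
}

# Guard: reject wildcard actions and anything that lets the holder hand out
# role assignments (a direct path back to Owner-equivalent access).
check_role_json() {
  if printf '%s' "$1" | grep -Eq '"[^"]*\*[^"]*"'; then
    echo "refusing role definition: wildcard action" >&2
    return 1
  fi
  if printf '%s' "$1" | grep -q 'Microsoft.Authorization/roleAssignments/write'; then
    echo "refusing role definition: can assign roles" >&2
    return 1
  fi
  return 0
}

# Create the custom role (needs roleDefinitions/write, i.e. Owner or User
# Access Administrator at the assignable scope) and assign it at RG scope.
create_and_assign_custom_role() {   # $1 = Entra group object id
  json="$(synapse_pool_operator_role_json "$SUBSCRIPTION_ID" "$RESOURCE_GROUP")"
  check_role_json "$json"
  tmp="$(mktemp)"
  printf '%s\n' "$json" > "$tmp"
  run_az role definition create --role-definition "@$tmp"
  rm -f "$tmp"
  run_az role assignment create --assignee-object-id "$1" \
    --assignee-principal-type Group --role "Synapse Pool Operator (custom)" \
    --scope "/subscriptions/$SUBSCRIPTION_ID/resourceGroups/$RESOURCE_GROUP"
}

# Data plane (Synapse Studio): assign a built-in Synapse RBAC role at an
# explicit scope. The caller must already be Synapse Administrator on the
# workspace. Scope "workspaces/<ws>/bigDataPools/<pool>" limits the grant to
# one Spark pool; omit $3 to grant at workspace scope.
assign_synapse_rbac() {   # $1 = object id, $2 = Synapse role name, $3 = scope (optional)
  scope="${3:-workspaces/$WORKSPACE}"
  run_az synapse role assignment create --workspace-name "$WORKSPACE" \
    --role "$2" --assignee-object-id "$1" --assignee-principal-type Group \
    --scope "$scope"
}

main() {
  GROUP_PLATFORM="${GROUP_PLATFORM:-aaaaaaaa-0000-0000-0000-000000000001}"   # assumed object id
  GROUP_SPARK_OPS="${GROUP_SPARK_OPS:-aaaaaaaa-0000-0000-0000-000000000002}" # assumed object id
  create_and_assign_custom_role "$GROUP_PLATFORM"
  # Spark operators: submit/cancel jobs on one pool only, nothing else in the workspace.
  assign_synapse_rbac "$GROUP_SPARK_OPS" "Synapse Compute Operator" \
    "workspaces/$WORKSPACE/bigDataPools/sparkpool01"
  # Same group also needs to open Studio and list published resources.
  assign_synapse_rbac "$GROUP_SPARK_OPS" "Synapse User"
  run_az synapse role assignment list --workspace-name "$WORKSPACE" --output table
}

main
```

The design point: Contributor on the resource group grants write on every resource type in that group (storage accounts, Key Vaults, networking), not only Synapse, so a custom role bounded to the Synapse pool and integration-runtime actions with `AssignableScopes` pinned to the one resource group is the least-privilege answer at the portal level. At the Studio level, Synapse Administrator at workspace scope can assign Synapse roles to anyone, so keep it with a small break-glass group and hand day-to-day access out at pool or artifact scope instead.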

