Selective access to a Blob storage container in one resource group from a Synapse Workspace in a different Resource Group

Question

Selective access to a Blob storage container in one resource group from a Synapse Workspace in a different Resource Group

Nimesh Raj Manandhar 41

I have two Resource Groups (RG1 & RG2) created under one subscription. In RG1, I have a medallion based (Bronze, Silver & Gold) architecture setup in the Azure Blob Storage container. I use ADF to move data from source to various Bronze, Silver and Gold containers. In the second RG2, I have a Synapse Workspace created for a certain group of people who will be working with some sensitive data plus some data I have collected in the RG1.Silver.FolderX container.

Question: How can I configure the Synapse Workspace users from RG2 to only be able to see the data in the Folder X under RG1. Silver? I do not want them to access any other folders under SILVER, Bronze and Gold.

Problem: I have been able to grant access to the desired folder in RG1.Silver but they are also seeing folders and contents of other container as well.

Current Permission Setup:

RG1:

Bronze ==> No permission granted
- FolderW ==> No permission granted
  - FolderX ==> No permission granted
Silver ==> Only Execute permission
- FolderW ==> No permission granted
  - FolderX ==>READ and EXECUTE permission

Any help is appreciated.

Nimesh.

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-09-14T23:01:43.4066667+00:00

@Nimesh Raj Manandhar

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

1 answer

Your answer

JamesTran-MSFT 36,906 Reputation points Microsoft Employee Moderator

2023-09-14T23:01:43.4066667+00:00

@Nimesh Raj Manandhar

I wanted to check in and see if you had any other questions or if you were able to resolve this issue?

If you have any other questions, please let me know. Thank you for your time and patience throughout this issue.

If the information helped address your question, please Accept the answer. This will help us and also improve searchability for others in the community who might be researching similar information.

Answer 1

Amira Bedhiafi 33,071 Volunteer Moderator

Azure Blob Storage does support Azure AD-based authentication and RBAC (Role-Based Access Control), which means you can assign Azure roles to a security principal (user, group, service principal, or managed identity) at a specific scope.

Ensure that Azure AD-based authentication is in use. You need to onboard your storage account to use Azure AD.

Then, assign RBAC Roles:

Storage Blob Data Reader: This role allows for read access to the blob data.
Storage Blob Data Contributor: This role allows for read, write, and delete access on blob data. But be careful with this one as you might not want to grant delete permissions.

And for the setup :

At the Storage Account level (RG1): Do not grant any specific data-related permissions here to the Synapse Workspace users. If they have inherited permissions from the subscription or resource group, consider revoking or adjusting those.
At the Container level (Silver): Revoke any specific permissions granted here, if any. It sounds like they have at least execute permissions on Silver, which might be cascading down.
At the Directory/Blob level (FolderX): Grant the Storage Blob Data Reader role to the specific Azure AD group/users from the Synapse Workspace.

Nimesh Raj Manandhar 41 Reputation points

2023-09-15T21:10:13.93+00:00

Hi , @Amira Bedhiafi ..thank you for responding. When you give the AD group just the RBAC role of Storage Blob Data Reader, the users get a RED X on the linked service as shown below. So, I ended up having to add them to the Storage Blob Data Contributor.

Also, in the SILVER container, you have to have the EXECUTE permission as a bare minimum on the parent container per MS.

And I just realized that when you look at each container under the storage account, they all seem to inherit the Storage Blob Data Contributor role. And I wonder if that is how the users are able to see and access those folder.
Amira Bedhiafi 33,071 Reputation points Volunteer Moderator

2023-09-16T13:35:34.2733333+00:00

When roles are assigned at the storage account level in Azure Blob Storage, those roles will typically inherit down to the containers and blobs within that storage account, unless there are explicit overrides at lower levels. This behavior is consistent with most RBAC implementations, where permissions propagate down a hierarchy unless specifically overridden.

If you assigned the "Storage Blob Data Contributor" role to a group at the storage account level, then all members of that group would indeed have the permissions associated with that role for all containers and blobs within that storage account. This includes the ability to read, write, and delete blob data. Consequently, this would be why users in that group can see and access folders (containers) and files (blobs) within the storage account.

If you want to restrict access to specific containers or blobs, you need to adjust the permissions at those levels. Ensure you're providing permissions based on the principle of least privilege, granting only what is necessary for users to accomplish their tasks. So, if the users are inheriting the "Storage Blob Data Contributor" role from the storage account level, that is likely how they can see and access those containers and blobs.

Share via

Selective access to a Blob storage container in one resource group from a Synapse Workspace in a different Resource Group

1 answer

Your answer