Synapse access clarificaiton

ChoudaryR-6454 120 Reputation points
2023-09-11T17:44:47.2533333+00:00

Hello,

Can you let me know how to scope the roles to give the least privileged access in the synapse analytics?

I have gone through the document but it is quite confusing.

Appreciate your help.

Azure Synapse Analytics
Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.
4,919 questions
{count} votes

Accepted answer
  1. Bhargava-MSFT 31,016 Reputation points Microsoft Employee
    2023-09-12T21:12:26.8133333+00:00

    Hello ChoudaryR-6454,

    Welcome to the Microsoft Q&A platform.

    Synapse access has two scopes.

    1. Synapse Studio level
    2. Portal level (workspace level).

    For your question:

    Yes, it is possible to scope the roles more specifically with the least privileged basis.

    To scope down the least privileged access to "workspaces/artifacts/read", you need to use Custom role.

    How to create a custom role:

    The document below has a detailed explanation about how to create a custom role.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

    Here, you need to create a custom role for workspaces/artifacts/read

    All custom roles for synapse are prefixed with "Microsoft.Synapse/

    Microsoft.Synapse/workspaces/artifacts/read provides read access to the synapse artifacts.

    Please see the document below explaining how to manage Synapse RBAC role assignments in Synapse Studio.

    https://learn.microsoft.com/en-us/azure/synapse-analytics/security/how-to-manage-synapse-rbac-role-assignments?source=recommendations

    Please note: When creating a workspace, the workspace owner automatically gets the Synapse administrator roles in the Synapse Studio.

    Also, for a user to be able to run the commands to add Synapse RBAC roles using CLI, the user themselves should have a Synapse Administrator role at the Synapse Studio level.

    If you deploy a synapse workspace using the portal, by default, your ID is added as Synapse administrator.

    Who can assign Synapse RBAC roles:

    https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac#who-can-assign-synapse-rbac-roles

    Portal level access control:

    User's image

    Studio-level access control:

    User's image

    I hope this helps. If you have any further questions, please let me know.

    If this answers your question, please consider accepting the answer by hitting the Accept answer and up-vote as it helps the community look for answers to similar questions.

    1 person found this answer helpful.

0 additional answers

Sort by: Most helpful

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.