Hello ChoudaryR-6454,
Welcome to the Microsoft Q&A platform.
Synapse access has two scopes.
- Synapse Studio level
- Portal level (workspace level).
For your question:
Yes, it is possible to scope the roles more specifically on a least-privilege basis.
To scope least-privileged access down to "workspaces/artifacts/read", you need to use a custom role.
How to create a custom role:
The document below has a detailed explanation about how to create a custom role.
https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
Here, you need to create a custom role for workspaces/artifacts/read.
All custom roles for Synapse are prefixed with "Microsoft.Synapse/".
Microsoft.Synapse/workspaces/artifacts/read provides read access to the Synapse artifacts.
Please see the document below explaining how to manage Synapse RBAC role assignments in Synapse Studio.
Please note: When creating a workspace, the workspace owner automatically gets the Synapse Administrator roles in Synapse Studio.
Also, for a user to be able to run the commands to add Synapse RBAC roles using the CLI, the user themselves should have a Synapse Administrator role at the Synapse Studio level.
If you deploy a Synapse workspace using the portal, by default, your ID is added as Synapse Administrator.
Who can assign Synapse RBAC roles:
Portal level access control:
Studio-level access control:
I hope this helps. If you have any further questions, please let me know.
If this answers your question, please consider accepting the answer by hitting Accept answer and up-voting, as it helps the community look for answers to similar questions.