Create a Custom Role in Azure Synapse Analytics

Ricardo Alfredo Posada Ariza 0 Reputation points
2024-01-23T04:27:45.2666667+00:00

Hello,

I am seeking assistance in creating a custom role in Azure Synapse Analytics. I aim to develop a role based on the "Synapse Monitoring Operator" but with additional permissions to execute (but not edit or delete) pipelines.

Could someone provide a detailed step-by-step guide on how to create this custom role? Specifically, I am interested in knowing:

  1. The exact process to initiate the creation of a custom role in the Azure Synapse environment.
  2. The necessary permissions and actions to include, particularly those enabling the execution of pipelines without granting edit or delete capabilities.
  3. Any special considerations or settings that need to be configured for this custom role to function correctly within Azure Synapse Analytics.

Your guidance will be greatly appreciated, as I aim to ensure this role is configured correctly and securely, adhering to the principle of least privilege.

Thank you in advance for your support and expertise.


1 answer

  1. phemanth 13,785 Reputation points Microsoft Vendor
    2024-01-23T09:54:06.46+00:00

    @Ricardo Alfredo Posada Ariza

    Thanks for the question and using MS Q&A platform.

    Open the Azure Synapse Analytics workspace in the Azure portal.

    So, here’s what I did, but at the Subscription level:

    • Click on the relevant Subscription.
    • Click on Access Control (IAM)
    • Click Add -> Add Custom Role

    • Give the role a name of Synapse Data Engineer
    • Then on the Permissions tab, click Add Permissions
    • Click on Azure Synapse Analytics (workspace)

    • Search for interactive and there are the granular permissions.

    In fact, there are a lot of granular permissions for Synapse, so you can go through the list and enable the relevant permissions for your custom role. You can then add in permissions from other services too, e.g. reading/writing to Azure Storage. Essentially you are creating a bespoke permissions role tailored to your security posture; I like that a lot. I could then browse to the relevant Synapse workspace, click on Access Control (IAM) and add the custom Synapse Data Engineer role to the workspace, allowing the Data Engineer to stop/start interactive authoring.

    In the “Actions” section, select the following permissions:

    • pipelines/viewOutputs
    • pipelines/createRun
    • Click on the “Add” button to add the selected permissions.
    • Click on the “Review + create” button to review your custom role settings.
    • Click on the “Create” button to create your custom role.

    Please go through https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac-roles

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
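
A pre-deployment check for a role like the one described in the answer above, as an added example that is not part of the original thread: it lints a custom role definition for actions that permit editing or deleting and for assignable scopes wider than a resource group. The role JSON, the `lint_role` helper, the resource group name, the subscription ID and the two extra actions in the counter-example are constructed for illustration.

```python
import json

# Constructed sample in the Azure custom-role JSON layout. Action strings reuse
# the short names quoted in the answer above; take the full provider-qualified
# strings from the portal's permission picker. IDs and names are placeholders.
GOOD_ROLE = json.loads("""{
  "Name": "Synapse Data Engineer",
  "IsCustom": true,
  "Actions": ["pipelines/viewOutputs", "pipelines/createRun"],
  "NotActions": [],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-example"
  ]
}""")

# Constructed counter-example: the same role after permissions crept in.
BAD_ROLE = dict(
    GOOD_ROLE,
    Actions=GOOD_ROLE["Actions"] + ["pipelines/write", "pipelines/*"],
    AssignableScopes=["/subscriptions/00000000-0000-0000-0000-000000000000"],
)

# Final segments that allow editing, removing, or everything under a resource type.
TOO_BROAD = {"write", "delete", "*"}


def lint_role(role):
    """Return least-privilege findings for a role definition (hypothetical helper)."""
    findings = []
    for key in ("Actions", "DataActions"):
        for action in role.get(key, []):
            last = action.rstrip("/").split("/")[-1].lower()
            if last in TOO_BROAD or "*" in action:
                findings.append(f"{key}: '{action}' allows more than running pipelines")
    for scope in role.get("AssignableScopes", []):
        parts = [p for p in scope.split("/") if p]
        # "/" or "/subscriptions/<id>" lets the role be assigned well beyond one workspace.
        if len(parts) <= 2:
            findings.append(f"AssignableScopes: '{scope}' is subscription-wide or broader")
    return findings


if __name__ == "__main__":
    for name, role in (("good", GOOD_ROLE), ("bad", BAD_ROLE)):
        print(name, lint_role(role) or "no findings")
```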

