In your case, the actions you've identified, "workspaces/notebooks/write" and "delete", would be part of the dataActions in the role definition. It's important to note that "edit" and "create" actions can be covered by the "write" permission, and "delete" is explicitly mentioned.
```json
{
  "Name": "Custom Synapse Notebooks Contributor",
  "IsCustom": true,
  "Description": "Can create, edit, and delete notebooks in Synapse workspace.",
  "Actions": [],
  "NotActions": [],
  "DataActions": [
    "Microsoft.Synapse/workspaces/notebooks/write",
    "Microsoft.Synapse/workspaces/notebooks/delete"
  ],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Synapse/workspaces/{workspace-name}"
  ]
}
```
Focus on these properties:
- IsCustom: to indicate that this is a custom role
- DataActions: This is where you define permissions for notebook operations
- AssignableScopes: Here you specify where this role can be assigned. You should replace the placeholders with your subscription ID, resource group, and workspace name.
Then, save the JSON definition to a file and use the Azure CLI to create the role definition:
```bash
az role definition create --role-definition @customRoleDefinition.json
```
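A pre-flight check for the role definition file described above, as an added example that is not part of the original answer: it flags placeholders left in `AssignableScopes`, scopes wider than a resource group, wildcards, and any data action beyond the ones you intended to grant. The function name `lint_role_definition` and the checks chosen are assumptions for illustration; the sample is the definition above with its placeholders still in place.

```python
import json
import re

# Constructed sample: the role definition from the answer, placeholders not yet replaced.
SAMPLE = json.loads("""
{
  "Name": "Custom Synapse Notebooks Contributor",
  "IsCustom": true,
  "Actions": [], "NotActions": [],
  "DataActions": [
    "Microsoft.Synapse/workspaces/notebooks/write",
    "Microsoft.Synapse/workspaces/notebooks/delete"
  ],
  "NotDataActions": [],
  "AssignableScopes": ["/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Synapse/workspaces/{workspace-name}"]
}
""")

PLACEHOLDER = re.compile(r"\{[^{}]+\}")                 # e.g. {subscription-id}
TOO_BROAD = re.compile(r"/|/subscriptions/[^/]+/?")     # root or a whole subscription


def lint_role_definition(role, expected_data_actions):
    """Return a list of findings; an empty list means the file matches intent."""
    findings = []
    if role.get("IsCustom") is not True:
        findings.append("IsCustom is not true")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty")
    for scope in scopes:
        if PLACEHOLDER.search(scope):
            findings.append(f"unreplaced placeholder in scope: {scope}")
        if TOO_BROAD.fullmatch(scope):
            findings.append(f"scope broader than a resource group: {scope}")
    for key in ("Actions", "DataActions"):
        for action in role.get(key, []):
            if "*" in action:
                findings.append(f"wildcard in {key}: {action}")
    extra = set(role.get("DataActions", [])) - set(expected_data_actions)
    findings += [f"unexpected DataAction: {a}" for a in sorted(extra)]
    return findings


if __name__ == "__main__":
    for finding in lint_role_definition(SAMPLE, SAMPLE["DataActions"]):
        print("FINDING:", finding)
```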