Custom Synapse Role - subset of Synapse Contributor

Jimmy Dobbins 41 Reputation points Microsoft Employee
2024-03-29T16:47:23.94+00:00

I am trying to create a custom role for a group of data engineers who only need to create, edit and delete notebooks. There is a Synapse role, Synapse Contributor, but I want to create a custom role for the following actions within a given workspace: "workspaces/notebooks/write, delete." In other words, I don't want to grant all of the other permissions that come with Synapse Contributor. Is this possible, and can you help me with the syntax?

I have tried numerous different formats, scopes, dataActions vs actions, etc. Thanks!

Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.

Accepted answer
  1. Bhargava-MSFT 31,021 Reputation points Microsoft Employee
    2024-03-29T21:31:15.25+00:00

    Thank you Amira Bedhiafi

    Hello Jimmy Dobbins,

    I see that the custom role "workspaces/notebooks/write, delete" (intended to extend the capabilities of Azure RBAC) exists in the document below, but this built-in role does not exist in the Azure portal.

    This must be a bug. As Amira suggested, please log a support request.

    https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac-roles


1 additional answer

  1. Amira Bedhiafi 24,556 Reputation points
    2024-03-29T17:38:51.44+00:00

    In your case the actions you've identified, "workspaces/notebooks/write" and "delete," would be part of the dataActions in the role definition. It's important to note that "edit" and "create" actions can be covered by the "write" permission, and "delete" is explicitly mentioned.

    
    {
      "Name": "Custom Synapse Notebooks Contributor",
      "IsCustom": true,
      "Description": "Can create, edit, and delete notebooks in Synapse workspace.",
      "Actions": [],
      "NotActions": [],
      "DataActions": [
        "Microsoft.Synapse/workspaces/notebooks/write",
        "Microsoft.Synapse/workspaces/notebooks/delete"
      ],
      "NotDataActions": [],
      "AssignableScopes": ["/subscriptions/{subscription-id}/resourceGroups/{resource-group}/providers/Microsoft.Synapse/workspaces/{workspace-name}"]
    }


    Focus on these properties

    • IsCustom: to indicate that this is a custom role
    • DataActions: This is where you define permissions for notebook operations
    • AssignableScopes: Here you specify where this role can be assigned. You should replace the placeholders with your subscription ID, resource group, and workspace name.

    Then, save the JSON definition to a file and use the Azure CLI to create the role definition:

    
    az role definition create --role-definition @customRoleDefinition.json

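The definition above is easy to get subtly wrong: a stray wildcard in an action, a placeholder left in AssignableScopes, or a scope that lands at subscription level quietly turns a "notebooks only" role into something much larger. The script below is an added example, not code from either answer or from Microsoft: it builds the role definition in the shape `az role definition create` consumes and lints it for those least-privilege mistakes before the file is submitted. The subscription ID, resource group `rg-analytics` and workspace `syn-dev` are constructed placeholders. Note that the script checks only the shape of the definition; it cannot tell whether `Microsoft.Synapse` actually exposes `workspaces/notebooks/write` and `workspaces/notebooks/delete` as Azure RBAC data actions (the strings in the question come from the Synapse RBAC roles page linked in the accepted answer), so list the provider's operations with `az provider operation show --namespace Microsoft.Synapse` before relying on the role.

```python
import json
import re

# Constructed placeholder workspace resource ID (not a real subscription); replace with your own.
WORKSPACE_SCOPE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000"
    "/resourceGroups/rg-analytics/providers/Microsoft.Synapse/workspaces/syn-dev"
)

# Exactly one Synapse workspace resource ID: subscription- or resource-group-level scopes fail.
WORKSPACE_SCOPE_RE = re.compile(
    r"^/subscriptions/[0-9a-f-]{36}/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Synapse/workspaces/[^/]+$",
    re.IGNORECASE,
)

ROLE_KEYS = {"Name", "IsCustom", "Description", "Actions", "NotActions",
             "DataActions", "NotDataActions", "AssignableScopes"}


def build_role(name, description, data_actions, scopes, actions=()):
    """Build a custom role definition in the shape 'az role definition create' consumes."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": description,
        "Actions": list(actions),
        "NotActions": [],
        "DataActions": list(data_actions),
        "NotDataActions": [],
        "AssignableScopes": list(scopes),
    }


def lint_role(role, provider="Microsoft.Synapse/"):
    """Return least-privilege findings for a role definition; an empty list means it passes."""
    findings = []
    missing = ROLE_KEYS - role.keys()
    if missing:
        findings.append(f"missing keys: {sorted(missing)}")
    if role.get("IsCustom") is not True:
        findings.append("IsCustom must be true for a custom role")
    for key in ("Actions", "DataActions"):
        for op in role.get(key, []):
            if "*" in op:
                findings.append(f"{key}: wildcard in {op!r} grants more than the notebook operations")
            if not op.startswith(provider):
                findings.append(f"{key}: {op!r} is outside the {provider} provider")
    if not role.get("Actions") and not role.get("DataActions"):
        findings.append("role grants no operations at all")
    scopes = role.get("AssignableScopes", [])
    if not scopes:
        findings.append("AssignableScopes is empty")
    for scope in scopes:
        if "{" in scope or "}" in scope:
            findings.append(f"scope {scope!r} still contains a template placeholder")
        elif not WORKSPACE_SCOPE_RE.match(scope):
            findings.append(f"scope {scope!r} is broader than a single Synapse workspace")
    return findings


def role_json(role):
    """Serialize for 'az role definition create --role-definition @customRoleDefinition.json'."""
    return json.dumps(role, indent=2)


# The definition from the answer above, with the placeholders filled in.
NOTEBOOK_ROLE = build_role(
    "Custom Synapse Notebooks Contributor",
    "Can create, edit, and delete notebooks in a Synapse workspace.",
    ["Microsoft.Synapse/workspaces/notebooks/write",
     "Microsoft.Synapse/workspaces/notebooks/delete"],
    [WORKSPACE_SCOPE],
)

# An over-broad variant of the same idea: wildcard action, assignable at subscription level.
BROAD_ROLE = build_role(
    "Synapse Notebooks Contributor (too broad)",
    "Wildcard action plus subscription-wide assignable scope.",
    ["Microsoft.Synapse/workspaces/*"],
    ["/subscriptions/00000000-0000-0000-0000-000000000000"],
)

if __name__ == "__main__":
    for role in (NOTEBOOK_ROLE, BROAD_ROLE):
        problems = lint_role(role)
        print(role["Name"], "->", "OK" if not problems else problems)
    # Paste this into customRoleDefinition.json once the lint is clean.
    print(role_json(NOTEBOOK_ROLE))
```

Once the lint is clean, create the definition with `az role definition create --role-definition @customRoleDefinition.json`, then assign it to the engineers' group at the workspace only, for example `az role assignment create --role "Custom Synapse Notebooks Contributor" --assignee-object-id <group-object-id> --assignee-principal-type Group --scope <workspace-resource-id>`, and confirm what was actually stored with `az role definition list --custom-role-only true --name "Custom Synapse Notebooks Contributor"`.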
