How to enable User Level Authorization on Azure Machine Learning Workspace

Vinith Ravindran 0 Reputation points
2024-06-17T06:48:29.7066667+00:00

Hey Everyone,

Is there a way to enforce Directory level restrictions for users in the same workspace of AZ ML Studio.

My objective is, Contributors belonging to the same AZ ML Workspace should not be able to view each other's notebooks and modify them.

Currently creating a custom role with scopes Storage File Data Privileged Reader/Contributor is superseding all the ACL Permissions i tried setting on the Directory/Files in File-Share.

  • I performed a Domain Join to create the storage container as an object in the AAD.
  • Mounted the Storage on a VM to set the ACL on the Directories.

Thought this is working when I try it over SMB, it doesn't work integrated with the AZ ML Workspace where am expecting a RBAC prevents the user in not doing inappropriate action on other user's notebooks and an ACL restricts them from modifying notebooks even though they have contributor or AZ ML Data Scientist Role access.

Is there a better way to handle this or files inside AZ ML Workspace is not meant to be kept private for any reasons.

Any help is appreciated.

Thanks in advance,

Vinith

Azure Machine Learning
Azure Machine Learning
An Azure machine learning service for building and deploying models.
2,720 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Amira Bedhiafi 19,781 Reputation points
    2024-06-17T07:48:31.35+00:00

    Instead of using a single storage container for all users, create separate containers for each user. This helps in isolating the data and notebooks at the storage level.

    Assign Azure RBAC roles to users with the principle of least privilege. For example, assign the "Storage Blob Data Reader" role to users for containers they should have read access to, and "Storage Blob Data Contributor" for write access.

    Use a VM or any Azure resource that can mount the Azure Files and then set ACLs on the directories within the mounted storage to control read/write access at the directory level.

    Create custom roles that combine RBAC and ACL permissions tailored to your needs. This way, you can fine-tune the permissions to ensure users can only perform actions within their directories.