@Sourav - Thanks for the question and for using the MS Q&A platform.
To ensure Power BI users have least-privileged access to Azure Synapse Analytics while accessing views and creating dashboards, here are the details:
Is Synapse SQL Reader sufficient?
- Yes, the Synapse SQL Reader role is designed to provide read-only access to SQL pools (dedicated or serverless) within Azure Synapse. This means users can query views and tables but cannot modify them.
- For Power BI integration, this role is typically enough as long as users only need to consume and visualize data, not modify the Synapse environment.
Will it be considered least privilege?
- Yes, this is a least-privilege role since it only grants read permissions to the SQL data (e.g., views, tables). Users cannot make changes to the data structure or access management. It restricts their access to just querying data, which is essential for Power BI reporting purposes.
Will this permission give access to other workspaces and other areas, as we have a shared Synapse resource?
- No, the Synapse SQL Reader role is scoped to specific SQL pools within Azure Synapse Analytics. If your Synapse resource is shared, users will not automatically have access to other workspaces or areas unless explicitly granted.
- Access control in Synapse is highly granular. If the role is only applied to a specific SQL pool or workspace, it won’t propagate to other workspaces or resources unless the permissions are extended. For more details, refer to Built-in Synapse RBAC roles and scopes.
Additional Considerations:
- Ensure Correct Role Assignment: Make sure the AD group that users belong to is only granted the Synapse SQL Reader role in the SQL pools they should access.
- Role Inheritance: Azure AD groups may inherit roles, so double-check if users are part of other groups with more permissions that might grant broader access.
In summary, the Synapse SQL Reader role grants users read-only access to the necessary views for Power BI, and it fits the least-privilege model. It does not provide access to other workspaces or areas within Synapse unless explicitly assigned.
For more details, refer to the below links:
Exercise 7 - Power BI integration
The Power BI Professional’s Guide to Azure Synapse Analytics
Hope this helps. Do let us know if you have any further queries.
If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
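
One way to apply and then verify read-only access at the database level, as an added example that is not part of the answer above. It assumes a dedicated SQL pool, and the group name `pbi-report-readers` and schema name `reporting` are hypothetical placeholders.

```sql
-- Added example. Hypothetical names: [pbi-report-readers] (directory group),
-- reporting (schema holding only the views Power BI should read).
-- Assumes a dedicated SQL pool; run while connected to that pool's database.

-- 1. Map the group to a database user and grant read access to one schema only.
CREATE USER [pbi-report-readers] FROM EXTERNAL PROVIDER;
GRANT SELECT ON SCHEMA::reporting TO [pbi-report-readers];

-- 2. List every permission the group holds in this database.
--    Expected rows: CONNECT on DATABASE (added by CREATE USER) and SELECT on
--    the reporting schema. Any other row is broader than read-only reporting.
SELECT pr.name                  AS principal_name,
       pe.state_desc            AS grant_state,
       pe.permission_name,
       pe.class_desc            AS securable_class,
       COALESCE(s.name, o.name) AS securable_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
  ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.schemas AS s
  ON pe.class = 3 AND s.schema_id = pe.major_id   -- class 3 = schema
LEFT JOIN sys.objects AS o
  ON pe.class = 1 AND o.object_id = pe.major_id   -- class 1 = object or column
WHERE pr.name = N'pbi-report-readers'
ORDER BY pe.class_desc, pe.permission_name;

-- 3. List database roles the group belongs to. For a read-only reporting
--    group this should return no rows (no db_owner, db_datawriter, etc.).
SELECT r.name AS role_name
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r
  ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m
  ON m.principal_id = drm.member_principal_id
WHERE m.name = N'pbi-report-readers';
```

Steps 2 and 3 only show what is granted to that one group; users who also belong to other groups need the same queries run for each of those groups.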