Access roles and Permission

Sourav 100 Reputation points
2024-09-19T21:50:19.28+00:00

Hi Team,

We need to access Synapse views from Power BI and create dashboard reports.

We have created an AD group and provided SQL grant access to the AD groups.

What else do we require so that the Power BI users have least-privileged access?

Is Synapse SQL reader sufficient? Will it be considered least privilege?

Will this permission give access to other workspaces and other areas, as we have a shared Synapse resource? Kindly provide a clear answer to all the questions.

Azure Synapse Analytics
An Azure analytics service that brings together data integration, enterprise data warehousing, and big data analytics. Previously known as Azure SQL Data Warehouse.

1 answer

  1. PRADEEPCHEEKATLA-MSFT 89,466 Reputation points Microsoft Employee
    2024-09-20T04:20:13.2466667+00:00

    @Sourav - Thanks for the question and using MS Q&A platform.

    To ensure Power BI users have least-privileged access to Azure Synapse Analytics while accessing views and creating dashboards, here are the details:

    Is Synapse SQL reader sufficient?

    • Yes, the Synapse SQL Reader role is designed to provide read-only access to SQL pools (dedicated or serverless) within Azure Synapse. This means users can query views and tables but cannot modify them.
    • For Power BI integration, this role is typically enough as long as users only need to consume and visualize data, not modify the Synapse environment.

    Will it be considered least privilege?

    • Yes, this is a least-privilege role since it only grants read permissions to the SQL data (e.g., views, tables). Users cannot make changes to the data structure or access management. It restricts their access to just querying data, which is essential for Power BI reporting purposes.

    Will this permission give access to other workspaces and other areas, as we have a shared Synapse resource?

    • No, the Synapse SQL Reader role is scoped to specific SQL pools within Azure Synapse Analytics. If your Synapse resource is shared, users will not automatically have access to other workspaces or areas unless explicitly granted.
    • Access control in Synapse is highly granular. If the role is only applied to a specific SQL pool or workspace, it won’t propagate to other workspaces or resources unless the permissions are extended. For more details, refer to Built-in Synapse RBAC roles and scopes.

    Additional Considerations:

    • Ensure Correct Role Assignment: Make sure the AD group that users belong to is only granted the Synapse SQL Reader role in the SQL pools they should access.
    • Role Inheritance: Azure AD groups may inherit roles, so double-check if users are part of other groups with more permissions that might grant broader access.

    In summary, the Synapse SQL Reader role grants users read-only access to the necessary views for Power BI, and it fits the least-privilege model. It does not provide access to other workspaces or areas within Synapse unless explicitly assigned.

    For more details, refer to the below links:

    Visualize data with Power BI

    Exercise 7 - Power BI integration

    The Power BI Professional’s Guide to Azure Synapse Analytics

    Hope this helps. Do let us know if you have any further queries.


    If this answers your query, do click "Accept Answer" and "Yes" for "Was this answer helpful". And, if you have any further queries, do let us know.
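As an added example (not part of the answer above and not Microsoft's own code), the following T-SQL shows one way to grant read-only access to the AD group mentioned in the question and then verify what it actually holds, which is the "double-check" step under Additional Considerations. The group name `pbi-report-readers` and the schema `reporting` are assumed placeholders; the script is assumed to run in the SQL pool's database as an Azure AD admin.

```sql
-- Assumed placeholders: AD group [pbi-report-readers], schema [reporting].
-- Run inside the database of the SQL pool that Power BI connects to.

-- 1. Map the AD group to a database user. This implicitly grants CONNECT only.
CREATE USER [pbi-report-readers] FROM EXTERNAL PROVIDER;

-- 2. Grant read access at the narrowest scope that covers the report views.
--    Schema scope is used here; use OBJECT::reporting.<view> for single views.
GRANT SELECT ON SCHEMA::reporting TO [pbi-report-readers];

-- 3. Audit: every explicit permission the group holds in this database.
--    Expected for least privilege: CONNECT on DATABASE, SELECT on the schema.
SELECT pr.name            AS principal_name,
       pe.state_desc      AS grant_state,      -- GRANT / DENY
       pe.permission_name,
       pe.class_desc      AS securable_class,  -- DATABASE / SCHEMA / OBJECT_OR_COLUMN
       s.name             AS schema_name,
       o.name             AS object_name
FROM sys.database_permissions AS pe
JOIN sys.database_principals  AS pr
     ON pr.principal_id = pe.grantee_principal_id
LEFT JOIN sys.objects AS o
     ON pe.class = 1 AND o.object_id = pe.major_id   -- object-level grants
LEFT JOIN sys.schemas AS s
     ON (pe.class = 3 AND s.schema_id = pe.major_id) -- schema-level grants
     OR (pe.class = 1 AND s.schema_id = o.schema_id)
WHERE pr.name = 'pbi-report-readers'
ORDER BY pe.class_desc, s.name, o.name;

-- 4. Audit: database roles the group belongs to. Any row here (for example
--    db_owner or db_datawriter) means the group has more than the grant above.
SELECT r.name AS role_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE m.name = 'pbi-report-readers';
```

The two audit queries cover only database-level permissions in the database where they run; workspace-level Synapse RBAC and Azure RBAC assignments for the same group are reviewed separately.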

