Permission to run Synapse Spark pool

Johnny Humphrey 186 Reputation points
2021-03-04T20:16:18.02+00:00

I have a role as Contributor in a Synapse Analytics workspace. I add a new Notebook (only 1 cell), but when I try to run it I get the error:

Failed to start session: {"error":{"code":"Unauthorized","message":"The principal '<my-principle-id-here>' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/bigDataPools/useCompute/action, Scope: workspaces/<our-workspace>/bigDataPools/<our-spark-pool> ."}}

According to the Synapse documentation on RBAC (https://learn.microsoft.com/en-us/azure/synapse-analytics/security/synapse-workspace-synapse-rbac-roles), Synapse Contributor is supposed to have workspaces/bigDataPools/useCompute/action. There is no Deny assignment in the workspace either. Why am I getting this error?


Accepted answer
  1. KranthiPakala-MSFT 46,442 Reputation points Microsoft Employee
    2021-03-05T22:17:49.233+00:00

    Hi @Johnny Humphrey ,

    Thanks for your response and additional details. I believe the confusion here is the difference between Azure RBAC (RBAC at Azure Synapse resource in Azure Portal - refer to image 1 below) and Synapse RBAC in Synapse Studio (Refer to image 2 below).

    Image 1: Azure RBAC on Azure Synapse resource in Azure Portal

    74876-synapserbacresourcelevel.png

    An Azure RBAC is used to manage who can create, update, or delete the Synapse workspace and its SQL pools, Apache Spark pools, and Integration runtimes.

    Image 2: Synapse RBAC in Synapse Studio

    74896-image.png

    A Synapse RBAC is used to manage who can:

    • Publish code artifacts and list or access published code artifacts,
    • Execute code on Apache Spark pools and Integration runtimes,
    • Access linked (data) services protected by credentials
    • Monitor or cancel job execution, review job output, and execution logs.

    Synapse RBAC is managed from within Synapse Studio using the Access control tools in the Manage hub.

    Based on the details you have shared above, I have noticed that your user has been granted Azure RBAC in Azure Portal but not the Synapse RBAC in Synapse Studio, which is why the authorization error is thrown. A user with Synapse Administrator has to grant your user one of these roles - Synapse Administrator or Synapse Contributor or Synapse Compute Operator - within Synapse Studio -> Manage Hub -> Access control (i.e. within the workspace) in order to perform workspaces/bigDataPools/useCompute/action actions.

    > 2 other things to note:
    >
    > I have another subscription in a different directory, and I'm the one who created the Synapse workspace, resource group, storage account, and Spark pool, so I am of course the Owner there, and I have no problems running things.

    Since you are the user who created the Azure Synapse resource, by default you will have the Synapse Administrator role (Synapse RBAC permission) in Synapse Studio. Hence you haven't noticed any permission issue, as you have full privileges in Synapse Studio.

    > In the workspace above, where I get the error, I am a Guest on that subscription. I would think that wouldn't make a difference, since it is called Role-Based Access Control, and not Role-and-User-Type-Based Access Control, but could the fact that I am a guest in the subscription be affecting things?

    Since you are a guest user on that resource, a user with the 'Synapse Administrator' role has to grant your user one of these permissions - Synapse Administrator or Synapse Contributor or Synapse Compute Operator - within Synapse Studio -> Manage Hub -> Access control (i.e. within the workspace) in order to perform workspaces/bigDataPools/useCompute/action actions.

    Here are a couple of helpful docs about Synapse RBAC:

    Hope this info clarifies. Do let us know if you have further query.


    Thank you. Please do consider clicking "Accept Answer" and "Upvote" on the post that helps you, as it can be beneficial to other community members.

    2 people found this answer helpful.
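
The distinction drawn in the accepted answer can be checked mechanically. The following is an added example, not code from the thread or from Microsoft: it parses the "Failed to start session" error and reports which authorization plane is missing the grant. The principal, workspace and pool names are constructed placeholders, the assignment lists are hypothetical inputs you would export yourself, and it assumes Synapse Compute Operator is the narrowest of the three roles the answer names and that a workspace-scope grant covers the pools beneath it.

```python
import json
import re

USE_COMPUTE = "Microsoft.Synapse/workspaces/bigDataPools/useCompute/action"
# Synapse RBAC roles the answer above names as sufficient for useCompute.
USE_COMPUTE_ROLES = {"Synapse Administrator", "Synapse Contributor",
                     "Synapse Compute Operator"}

def parse_denial(text):
    """Pull principal, action and scope out of a 'Failed to start session' error."""
    body = json.loads(text[text.index("{"):])["error"]
    m = re.search(r"principal '([^']+)'.*?Action: (\S+), Scope: (\S+)", body["message"])
    if body["code"] != "Unauthorized" or not m:
        raise ValueError("not a Synapse RBAC denial")
    return dict(zip(("principal", "action", "scope"), m.groups()))

def covers(assigned_scope, needed_scope):
    """Assumption: a grant at workspace scope also applies to the pools beneath it."""
    return needed_scope == assigned_scope or needed_scope.startswith(assigned_scope + "/")

def diagnose(error_text, azure_rbac, synapse_rbac):
    """Report which authorization plane lacks the grant behind this denial."""
    d = parse_denial(error_text)
    if d["action"] != USE_COMPUTE:
        raise ValueError("only the useCompute denial is modelled here")
    held = [a["role"] for a in synapse_rbac
            if a["principal"] == d["principal"] and a["role"] in USE_COMPUTE_ROLES
            and covers(a["scope"], d["scope"])]
    if held:
        return {"missing_plane": None, "granted_by": held}
    # As the thread shows, Azure RBAC roles (even Owner) do not satisfy this check.
    ignored = sorted(a["role"] for a in azure_rbac if a["principal"] == d["principal"])
    return {"missing_plane": "Synapse RBAC", "azure_roles_not_sufficient": ignored,
            "narrowest_fix": ("Synapse Compute Operator", d["scope"])}

# Constructed sample data: placeholder principal, workspace and pool names.
PRINCIPAL = "00000000-0000-0000-0000-000000000001"
POOL_SCOPE = "workspaces/example-ws/bigDataPools/examplepool"
SAMPLE_ERROR = ('Failed to start session: {"error":{"code":"Unauthorized","message":'
                '"The principal \'' + PRINCIPAL + '\' does not have the required '
                'Synapse RBAC permission to perform this action. Required permission: '
                'Action: ' + USE_COMPUTE + ', Scope: ' + POOL_SCOPE + ' ."}}')
AZURE_RBAC = [{"principal": PRINCIPAL, "role": "Contributor"},
              {"principal": PRINCIPAL, "role": "Owner"}]

if __name__ == "__main__":
    print(diagnose(SAMPLE_ERROR, AZURE_RBAC, []))
    grant = [{"principal": PRINCIPAL, "role": "Synapse Compute Operator",
              "scope": "workspaces/example-ws"}]
    print(diagnose(SAMPLE_ERROR, AZURE_RBAC, grant))
```
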

2 additional answers

  1. Johnny Humphrey 186 Reputation points
    2021-03-05T15:18:52.963+00:00

    1) Workspace Info
    Workspace: test-dataproject-synapse-workspace
    Resource Group: dev-usncentral-improving-dataproject
    Storage Account: devdataproject
    Primary File Storage: avalondata
    Apache Spark Pool: devdataspark
    76408-image.png

    2) Resource Group Info
    It includes the workspace and Spark pool above
    76380-image.png

    3) Workspace Role Assignment
    My role assignment in the workspace is Contributor, inherited from the resource group
    76451-image.png

    4) User ID
    This will be in the error message.
    76409-image.png

    5) Data
    This actually doesn't matter because the Spark pool never starts, but the data that I refer to in the Notebook does exist.
    74858-05-source.png

    6) Error Message
    The Spark pool is shown. The error message is:
    Failed to start session: {"error":{"code":"Unauthorized","message":"The principal 'b57975cd-2e46-4164-a972-9a4c0969cc5a' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/bigDataPools/useCompute/action, Scope: workspaces/test-dataproject-synapse-workspace/bigDataPools/devdataspark ."}}
    74834-06-error.png

    Let me know if there is anything else that you need.

    Thanks,
    Johnny


  2. Johnny Humphrey 186 Reputation points
    2021-03-05T16:35:16.253+00:00

    New and additional info: the User Access Administrator added the Owner role to my role assignments (screenshot below). I logged off of Azure and closed Edge, opened a new browser window and logged in again, verified the new role privilege, then went to run a Notebook and got the same error (screenshot also below). The error message:

    Failed to start session: {"error":{"code":"Unauthorized","message":"The principal 'b57975cd-2e46-4164-a972-9a4c0969cc5a' does not have the required Synapse RBAC permission to perform this action. Required permission: Action: Microsoft.Synapse/workspaces/bigDataPools/useCompute/action, Scope: workspaces/test-dataproject-synapse-workspace/bigDataPools/devdataspark ."}}

    2 other things to note:

    1. I have another subscription in a different directory, and I'm the one who created the Synapse workspace, resource group, storage account, and Spark pool, so I am of course the Owner there, and I have no problems running things.
    2. In the workspace above, where I get the error, I am a Guest on that subscription. I would think that wouldn't make a difference, since it is called Role-Based Access Control, and not Role-and-User-Type-Based Access Control, but could the fact that I am a guest in the subscription be affecting things?

    Thanks,
    Johnny

    New role added:
    76407-image.png

    Same error message:
    74830-08-error.png
