Provide trigger access on a specific pipeline in ADF

Nandan Hegde 29,896 Reputation points MVP
2020-07-07T04:23:08.597+00:00

Hello Team,
Is there any way or custom role via which I can restrict someone's access to trigger a specific pipeline P1 in ADF v2 which contains multiple pipelines (P1, P2, P3 etc.)?
The user can have read access on other pipelines, but he/she should not be able to trigger any other pipeline except P1.

One option is to create another ADF and provide access on that ADF, but it does not make any sense to create a separate ADF just for a single pipeline.

Azure Data Factory
An Azure service for ingesting, preparing, and transforming data at scale.

Accepted answer
    KranthiPakala-MSFT 46,422 Reputation points Microsoft Employee
    2020-07-16T06:14:04.487+00:00

    Hi @NandanHegde-7720,

    Apologies for the delay in response. Finally I was able to figure out how to grant a particular user "Create Pipeline run" access to a specific pipeline.

    Grant the user the "Reader" built-in role assignment on the data factory resource, which lets a user view (read) and monitor a data factory but not edit or change it. That way the user will be able to read all the pipelines (P1, P2, P3 etc.) in that data factory but won't be able to run them.

    Then go to the resource group -> "Access Control (IAM)" -> click "Add (Create Custom Role)" -> give the custom role a name, then navigate to the "JSON" section and use the template below to create the custom role, updating it with the appropriate resource details; then click Review+Create, which creates the custom role.

    {
        "properties": {
            "roleName": "Run Data Factory pipeline",
            "description": "This allows to run this DF pipeline - factories/<YourDataFactoryName>/pipelines/<YourPipelineName>",
            "assignableScopes": [
                "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<YourResourceGroupName>/providers/Microsoft.DataFactory/factories/<YourDataFactoryName>/pipelines/<YourPipelineName>"
            ],
            "permissions": [
                {
                    "actions": [
                        "Microsoft.DataFactory/factories/pipelines/createrun/action"
                    ],
                    "notActions": [],
                    "dataActions": [],
                    "notDataActions": []
                }
            ]
        }
    }
    

    Note: You won't be able to see this new custom role in the Custom roles list, as "assignableScopes" (pipeline scope in this use case) is not officially part of it. So you won't be able to see it when you try to use it from the Azure portal "Access Control (IAM) -> Role assignments". But you can use/assign this custom role to a user using PowerShell.

    To view the details/definition of the custom role that was created using pipeline scope, use the command below:

    Get-AzRoleDefinition -Name "Run Data Factory pipeline"

    Result:

    Name             : Run Data Factory pipeline
    Id               : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    IsCustom         : True
    Description      : This allows to run this DF pipeline - factories/<YourDataFactoryName>/pipelines/<YourPipelineName>
    Actions          : {Microsoft.DataFactory/factories/pipelines/createrun/action}
    NotActions       : {}
    DataActions      : {}
    NotDataActions   : {}
    AssignableScopes : {/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<YourResourceGroupName>/providers/Microsoft.DataFactory/factories/<YourDataFactoryName>/pipelines/<YourPipelineName>}
    

    To assign this custom role (which only allows running a particular ADF pipeline) to a user, use the command below:

    New-AzRoleAssignment -ObjectId "<ObjectID of the user>" -RoleDefinitionName "<Your Custom Role Name (In this example 'Run Data Factory pipeline')>" -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<YourResourceGroupName>/providers/Microsoft.DataFactory/factories/<YourDataFactoryName>/pipelines/<YourPipelineName>"

    Two important things to consider:

    • Assign the "Reader" built-in role at the resource (ADF) level for the user.

    1 person found this answer helpful.
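The procedure in the accepted answer, scripted end to end with the Az PowerShell module, as an added example that is not part of the original answer or of any Microsoft documentation. It assumes you are already signed in (Connect-AzAccount) with rights to create role definitions and assignments in the subscription; the subscription ID, resource group, factory name, pipeline name and user UPN are placeholders. Instead of pasting the portal-format JSON, it clones the built-in Reader definition as a template and replaces its actions and assignable scope, which produces the same definition the answer's JSON describes; the only additions beyond the answer are a retry around the assignment (a brand-new role definition can take a moment to become assignable) and a final listing of what the user actually holds at the pipeline scope.

```powershell
# Added example: grant one user run access to one ADF pipeline, read access to the rest.
# Assumes Connect-AzAccount has already been run; all values below are placeholders.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # placeholder
$resourceGroup  = "rg-data"                                 # placeholder
$factoryName    = "adf-prod"                                # placeholder
$pipelineName   = "P1"                                      # the single pipeline the user may run
$userUpn        = "analyst@contoso.com"                     # placeholder
$roleName       = "Run Data Factory pipeline"

$factoryScope  = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.DataFactory/factories/$factoryName"
$pipelineScope = "$factoryScope/pipelines/$pipelineName"

# 1. Custom role: start from the built-in Reader definition as a template, keep only the
#    createrun action, and restrict the assignable scope to the single pipeline resource.
if (-not (Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
    $role = Get-AzRoleDefinition -Name "Reader"
    $role.Id          = $null
    $role.IsCustom    = $true
    $role.Name        = $roleName
    $role.Description = "Create pipeline runs only on $pipelineScope"
    $role.Actions.Clear()
    $role.Actions.Add("Microsoft.DataFactory/factories/pipelines/createrun/action")
    $role.NotActions.Clear()
    $role.DataActions.Clear()
    $role.NotDataActions.Clear()
    $role.AssignableScopes.Clear()
    $role.AssignableScopes.Add($pipelineScope)
    New-AzRoleDefinition -Role $role | Out-Null
}

$user = Get-AzADUser -UserPrincipalName $userUpn
if (-not $user) { throw "User $userUpn not found in the tenant" }

# 2. Reader at factory scope: the user can view and monitor every pipeline but run none.
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName "Reader" -Scope $factoryScope | Out-Null

# 3. Custom role at pipeline scope only. A freshly created role definition may not be
#    assignable immediately, so retry a few times before giving up.
$assigned = $false
for ($attempt = 0; $attempt -lt 5 -and -not $assigned; $attempt++) {
    try {
        New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $roleName `
            -Scope $pipelineScope -ErrorAction Stop | Out-Null
        $assigned = $true
    } catch {
        Start-Sleep -Seconds 15
    }
}
if (-not $assigned) { throw "Could not assign '$roleName' at $pipelineScope" }

# 4. Check: at the pipeline scope the user should hold exactly Reader (inherited from the
#    factory) plus the custom role, and nothing else that carries createrun.
Get-AzRoleAssignment -ObjectId $user.Id -Scope $pipelineScope |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize
```

To confirm the effect from the user's side, sign in as that user and run Invoke-AzDataFactoryV2Pipeline against P1 and then against another pipeline in the same factory: the first call should return a run ID, the second should fail with an authorization error, and Get-AzDataFactoryV2Pipeline should still list every pipeline because of the factory-level Reader assignment.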

0 additional answers