Azure Data Lake Storage
An Azure service that provides an enterprise-wide hyper-scale repository for big data analytic workloads and is integrated with Azure Blob Storage.
1,562 questions
What permissions are required to make ACL changes to a directory in an Azure storage container?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(41.6, 27%, 14%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EN%3C/text%3E%3C/svg%3E)
NPizzuti
56
Reputation points
If I have a storage account in the Azure cloud and I have a container for which I would like to modify the ACLs in either the root directory or some subdirectory, what specific permission(s) would I require? If there is more than one permission responsible for this, please list out possible avenues of approach.
I am not sure if this is necessary for an answer to be provided, but this is a general purpose V2 storage account with hierarchical namespace enabled.
Note, I am not asking about what potential RBACs could be assigned, I am looking for the exact permissions such as those related to, for example, Microsoft.Resources or Microsoft.Storage. I have been poring over countless Microsoft documentation pages but I cannot find an answer.
Azure Data Lake Storage
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(288, 75%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EVN%3C/text%3E%3C/svg%3E)
Vidya Narasimhan 2,126 Reputation points Microsoft Employee2022-05-24T18:02:42.247+00:00 Hi @NPizzuti
The permissions are well descibed in this link https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-acl-azure-portal
You must have one of the following security permissions:
- Your user identity has been assigned the Storage Blob Data Owner role in the scope of the either the target container, storage account, parent resource group or subscription.
- You are the owning user of the target container, directory, or blob to which you plan to apply ACL settings.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 9%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKM%3C/text%3E%3C/svg%3E)
KranthiPakala-MSFT 46,642 Reputation points Microsoft Employee Moderator2022-05-25T23:26:32.34+00:00 Hello @NPizzuti ,
Just checking in to see if the above answer from @Vidya Narasimhan was helpful. If this answers your query, do click
Accept AnswerandUp-Votefor the same. And, if you have any further query do let us know. -
NPizzuti 56 Reputation points
2022-06-06T17:33:44.363+00:00 Thank you for your response, @Vidya Narasimhan . I am familiar with what RBACs can be granted for this purpose, but I am asking about the underlying permission structure. Please see in my original post, "Note, I am not asking about what potential RBACs could be assigned, I am looking for the exact permissions such as those related to, for example, Microsoft.Resources or Microsoft.Storage."
-
Vidya Narasimhan 2,126 Reputation points Microsoft Employee
2022-06-06T19:15:22.283+00:00 Hi @NPizzuti
If you just want to authorize the user to grant access to storage/container for other users, then this role allows you to do so https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#user-access-administrator when granted at the Storage level.
Details of which permissions are required are in the above link.
"permissions": [
{
"actions": [
"/read",
"Microsoft.Authorization/",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
In fact, that link describes granular permissions for all roles. -
KranthiPakala-MSFT 46,642 Reputation points Microsoft Employee Moderator
2022-06-07T19:20:59.627+00:00 Hello @NPizzuti ,
In addition to above info from @Vidya Narasimhan , you may also refer to this section of the doc which has detailed info about the permissions that gets assinged for a Storage Blob data owner role. Please note giving full control will also give other permissions but if your ask is only limited to granting/altering permissions then I agree with @Vidya Narasimhan response that you need
User Access Administratorrole at your Storage service level (You will have to point the correct scope to which you want to grant this permission) which has the permission actions -"actions": ["*/read", "Microsoft.Authorization/*", "Microsoft.Support/*" ]
For complete list of resource provider operations related to storage service, you can refer to this doc: Microsoft.Storage
Hope this info helps. Do let us know if you have further query.
Sign in to comment
Sign in to answer