Merge pull request #87341 from joannapea/powershell-topics

Updates to Roles and Permissions

Author: ktoliver

articles/data-share/concepts-roles-permissions.md

@@ -15,26 +15,64 @@ This article describes the roles required to share data using Azure Data Share P
 
 ## Roles and requirements
 
-To share or receive data using Azure Data Share, the user account that you use to sign in to Azure must be able to grant Data Share permissions to the Storage account that you are sharing data from or receiving data in to. Typically this is a permission that exists in the **owner** role, or a custom role with Microsoft.Authorization/role assignments/write permission assigned. 
+Azure Data Share uses Managed Identities for Azure Services (previously known as MSIs) to authenticate to underlying storage accounts in order to be able to read data to be shared by a data provider, as well as receive data shared as a data consumer. As a result, there is no exchange of credentials between the data provider and the data consumer. 
 
-To share or receive data from or to an Azure Storage account, you must be an owner of the storage account. Even if you have created the Storage account, this does not automatically grant you ownership of the Storage account. To add yourself in to the owner role of your Azure Storage account, follow these steps.
+The Managed Service Identity needs to be granted access to the underlying storage accounts. The Azure Data Share service uses the Azure Data Share resource's Managed Service Identity to read and write data. The user of Azure Data Share needs the ability to create a role assignment for the Managed Service Identity to the storage account that they are sharing data from/to. Permission to create role assignments exists in the **owner** role, User Access Administrator role, or a custom role with Microsoft.Authorization/role assignments/write permission assigned. 
 
-1. Navigate to Storage account in Azure portal
-1. Select **Access control (IAM)**
-1. Click **Add**
-1. Add yourself in as owner
+If you are not an owner of the storage account in question, and you are unable to create a role assignment for the Azure Data Share resource's Managed Identity yourself, you can request an Azure Administrator to create a role assignment on your behalf. 
 
-To view the permissions that you have in the subscription, in the Azure portal, select your username in the upper-right corner, and then select **Permissions**. If you have access to multiple subscriptions, select the appropriate subscription. 
+Below is a summary of the roles assigned to Data Share resource-Managed Identity:
+
+| |  |  |
+|---|---|---|
+|**Storage Type**|**Data Provider Source Storage Account**|**Data Consumer Target Storage Account**|
+|Azure Blob Storage| Storage Blob Data Reader | Storage Blob Data Contributor
+|Azure Data Lake Gen1 | Owner | Not Supported
+|Azure Data Lake Gen2 | Storage Blob Data Reader | Storage Blob Data Contributor
+|
+### Data Providers 
+To add a dataset to an Azure Data Share, the data providers data share resource-managed identity needs to be added to the Storage Blob Data Reader role. This is done automatically by the Azure Data Share service if the user is adding datasets via Azure and is an owner of the storage account, or is a member of a custom role that has the Microsoft.Authorization/role assignments/write permission assigned. 
+
+Alternatively, the user can have an Azure Administrator add the data share resource-managed identity to the Storage Blob Data Reader role manually. Creating this role assignment manually by the Administrator will void having to be an owner of the Storage account or have a custom role assignment. This applies to data being shared from Azure Storage or Azure Data Lake Gen2. 
+
+If sharing data from Azure Data Lake Gen1, the role assignment must be made to the Owner role. 
+
+To create a role assignment for the Data Share resource's Managed Identity, follow the below steps:
+
+1. Navigate to the Storage account.
+1. Select **Access Control (IAM)**.
+1. Select **Add a role assignment**.
+1. Under *Role*, select *Storage Blob Data Reader*.
+1. Under *Select*, type in the name of your Azure Data Share account.
+1. Click *Save*.
+
+### Data Consumers
+To receive data, the data consumers data share resource-managed identity needs to be added to the Storage Blob Data Contributor role. This role is required to enable the Azure Data Share service to be able to write to the storage account. This is done automatically by the Azure Data Share service if the user is adding datasets via Azure and is an owner of the storage account, or is a member of a custom role which has the Microsoft.Authorization/role assignments/write permission assigned. 
+
+Alternatively, the user can have an Azure Administrator add the data share resource-managed identity to the Storage Blob Data Contributor role manually. Creating this role assignment manually by the Administrator will void having to be an owner of the Storage account or have a custom role assignment. Note that this applies to data being shared to Azure Storage or Azure Data Lake Gen2. Receiving data to Azure Data Lake Gen1 is not supported. 
+
+To create a role assignment for the Data Share resource's Managed Identity manually, follow the below steps:
+
+1. Navigate to the Storage account.
+1. Select **Access Control (IAM)**.
+1. Select **Add a role assignment**.
+1. Under *Role*, select *Storage Blob Data Contributor*. 
+1. Under *Select*, type in the name of your Azure Data Share account.
+1. Click *Save*.
+
+If you are sharing data using our REST APIs, you will need to create these role assignments manually by adding the data share account in to the appropriate roles. 
+
+To learn more about how to add a role assignment, refer to [this documentation,](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal#add-a-role-assignment) which outlines how to add a role assignment to an Azure resource. 
 
 ## Resource Provider registration 
 
 When accepting an Azure Data Share invitation, you will need to manually register the Microsoft.DataShare resource provider in to your subscription. Follow these steps to register the Microsoft.DataShare resource provider into your Azure Subscription. 
 
-1. In the Azure portal, navigate to **Subscriptions**
-1. Select the subscription that you're using for Azure Data Share
-1. Click on **Resource Providers**
-1. Search for Microsoft.DataShare
-1. Click **Register**
+1. In the Azure portal, navigate to **Subscriptions**.
+1. Select the subscription that you're using for Azure Data Share.
+1. Click on **Resource Providers**.
+1. Search for Microsoft.DataShare.
+1. Click **Register**.
 
 ## Next steps
 

articles/data-share/scripts/powershell/accept-share-invitations-powershell.md

@@ -39,8 +39,8 @@ This script uses the following commands:
 
 | Command | Notes |
 |---|---|
-| [Get-AzDataShareInvitation](/powershell/module/az.resources/get-azdatashareinvitation) | Get and list sent data share invitations. |
-| [New-AzDataShareSubscription](/powershell/module/az.resources/get-azdatashareinvitation) | Create a data share subscription. |
+| [Get-AzDataShareInvitation](/powershell/module/az.datashare/get-azdatashareinvitation?view=azps-2.6.0) | Get and list sent data share invitations. |
+| [New-AzDataShareSubscription](/powershell/module/az.datashare/get-azdatasharesubscription?view=azps-2.6.0) | Create a data share subscription. |
 |||
 
 ## Next steps

articles/data-share/scripts/powershell/add-datasets-powershell.md

@@ -41,7 +41,7 @@ This script uses the following commands:
 
 | Command | Notes |
 |---|---|
-| [New-AzDataShareDataSet](/powershell/module/az.resources/new-azdatasharedataset) | Adds a dataset to a data share. |
+| [New-AzDataShareDataSet](/powershell/module/az.datashare/new-azdatasharedataset?view=azps-2.6.0) | Adds a dataset to a data share. |
 |||
 
 ## Next steps

articles/data-share/scripts/powershell/create-new-share-account-powershell.md

@@ -33,7 +33,7 @@ This script uses the following commands:
 
 | Command | Notes |
 |---|---|
-| [New-AzDataShareAccount](/powershell/module/az.resources/new-azdatashareaccount) | Creates a data share account. |
+| [New-AzDataShareAccount](/powershell/module/az.datashare/new-azdatashareaccount?view=azps-2.6.0) | Creates a data share account. |
 |||
 
 ## Next steps

articles/data-share/scripts/powershell/create-new-share-powershell.md

@@ -38,7 +38,7 @@ This script uses the following commands:
 
 | Command | Notes |
 |---|---|
-| [New-AzDataShare](/powershell/module/az.resources/new-azdatashare) | Creates a data share. |
+| [New-AzDataShare](/powershell/module/az.datashare/new-azdatashare?view=azps-2.6.0) | Creates a data share. |
 |||
 
 ## Next steps

articles/data-share/scripts/powershell/create-share-invitation-powershell.md

@@ -37,7 +37,7 @@ This script uses the following commands:
 
 | Command | Notes |
 |---|---|
-| [New-AzDataShareInvitation](/powershell/module/az.resources/get-azdatasharesynchronizationdetails) | Create a data share invitation. |
+| [New-AzDataShareInvitation](/powershell/module/az.datashare/new-azdatashareinvitation?view=azps-2.6.0) | Create a data share invitation. |
 |||
 
 ## Next steps

articles/data-share/scripts/powershell/create-view-trigger-powershell.md

@@ -42,8 +42,8 @@ This script uses the following commands:
 
 | Command | Notes |
 |---|---|
-| [New-AzDataShareTrigger](/powershell/module/az.resources/new-azdatasharetrigger) | Create a share snapshot trigger. |
-| [Get-AzDataShareTrigger](/powershell/module/az.resources/get-azdatasharetrigger) | Gets synchronization settings of a share synchronization. |
+| [New-AzDataShareTrigger](/powershell/module/az.datashare/new-azdatasharetrigger?view=azps-2.6.0) | Create a share snapshot trigger. |
+| [Get-AzDataShareTrigger](/powershell/module/az.datashare/get-azdatasharesynchronizationsetting?view=azps-2.6.0) | Gets synchronization settings of a share synchronization. |
 |||
 
 ## Next steps

articles/data-share/scripts/powershell/monitor-usage-powershell.md

@@ -39,8 +39,8 @@ This script uses the following commands:
 
 | Command | Notes |
 |---|---|
-| [Get-AzDataShareSynchronization](/powershell/module/az.resources/get-azdatasharesynchronizationdetails) | List synchronizations on a share. |
-| [Get-AzDataShareSynchronizationDetails](/powershell/module/az.resources/get-azdatasharesynchronizationdetails) | Gets synchronization details of a share synchronization. |
+| [Get-AzDataShareSynchronization](/powershell/module/az.datashare/get-azdatasharesynchronization?view=azps-2.6.0) | List synchronizations on a share. |
+| [Get-AzDataShareSynchronizationDetails](/powershell/module/az.datashare/get-azdatasharesynchronizationdetail?view=azps-2.6.0) | Gets synchronization details of a share synchronization. |
 |||
 
 ## Next steps

articles/data-share/scripts/powershell/set-view-synchronizations-powershell.md

@@ -43,8 +43,8 @@ This script uses the following commands:
 
 | Command | Notes |
 |---|---|
-| [New-AzDataShareSynchronizationSetting](/powershell/module/az.resources/new-azdatasharesynchronizationsettings) | Create a share synchronization. |
-| [Get-AzDataShareSynchronizationSetting](/powershell/module/az.resources/get-azdatasharesynchronizationsetting) | Gets synchronization settings of a share synchronization. |
+| [New-AzDataShareSynchronizationSetting](/powershell/module/az.datashare/new-azdatasharesynchronizationsetting?view=azps-2.6.0) | Create a share synchronization. |
+| [Get-AzDataShareSynchronizationSetting](/powershell/module/az.datashare/get-azdatasharesynchronizationsetting?view=azps-2.6.0) | Gets synchronization settings of a share synchronization. |
 |||
 
 ## Next steps

articles/data-share/scripts/powershell/view-sent-invitations-powershell.md

@@ -37,7 +37,7 @@ This script uses the following commands:
 
 | Command | Notes |
 |---|---|
-| [Get-AzDataShareInvitation](/powershell/module/az.resources/get-azdatashareinvitation) | Get and list sent data share invitations. |
+| [Get-AzDataShareInvitation](/powershell/module/az.datashare/get-azdatashareinvitation?view=azps-2.6.0) | Get and list sent data share invitations. |
 |||
 
 ## Next steps