You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/synapse-analytics/security/how-to-manage-synapse-rbac-role-assignments.md
+15-15Lines changed: 15 additions & 15 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,7 +5,7 @@ author: meenalsri
5
5
ms.service: azure-synapse-analytics
6
6
ms.topic: how-to
7
7
ms.subservice: security
8
-
ms.date: 3/7/2022
8
+
ms.date: 02/18/2025
9
9
ms.author: mesrivas
10
10
ms.reviewer: whhender, wiassaf
11
11
---
@@ -20,23 +20,23 @@ This article shows how to add and delete Synapse RBAC role assignments.
20
20
>- To manage Synapse RBAC role assignments you need to have the Synapse Administrator role on the workspace or at a lower-level scope that includes the objects you want to manage. If you are a Synapse Administrator on the workspace you can grant access to all objects in the workspace.
21
21
>-**Guest users** from a different AD tenant can also see and manage role assignments after being assigned the Synapse Administrator role.
22
22
>- To help you regain access to a workspace in the event that no Synapse Administrators are assigned or available to you, users with permissions to manage **Azure RBAC** role assignments on the workspace can also manage **Synapse RBAC** role assignments, allowing the addition of Synapse Administrator or other Synapse role assignments.
23
-
>- Access to SQL pools is managed using SQL permissions. With the exception of the Synapse Administrator and Synapse SQL Administrator roles, Synapse RBAC roles do not grant access to SQL pools.
23
+
>- Access to SQL pools is managed using SQL permissions. With the exception of the Synapse Administrator and Synapse SQL Administrator roles, Synapse RBAC roles do not grant access to SQL pools.
24
24
25
25
>[!important]
26
26
>- Changes made to Synapse RBAC role assignments may take 2-5 minutes to take effect.
27
-
>- If you are managing Synapse RBAC permissions by modifying membership of security groups, then changes to membership are managed using Microsoft Entra ID. Changes to group memberships may take 10-15 minutes or longer to take effect.
27
+
>- If you are managing Synapse RBAC permissions by modifying membership of security groups, then changes to membership are managed using Microsoft Entra ID. Changes to group memberships may take 10-15 minutes or longer to take effect.
28
28
29
29
## Open Synapse Studio
30
30
31
31
To assign a role to a user, group, service principal, or managed identity, first [open the Synapse Studio](https://web.azuresynapse.net/) and log into your workspace.
32
32
33
-
34
-
35
-
Once you've opened your workspace, expand the **Security** section on the left and select **Access control**.
33
+
34
+
35
+
In your workspace, expand the **Security** section on the left and select **Access control**.
36
36
37
37
38
38
39
-
The Access control screen lists current role assignments. You can filter the list by principal name or email, and selectively filter the object types, roles, or scopes included. From this screen, you can add or remove role assignments.
39
+
The Access control screen lists current role assignments. You can filter the list by principal name or email, and selectively filter the object types, roles, or scopes included. From this screen, you can add or remove role assignments.
40
40
41
41
## Add a Synapse role assignment
42
42
@@ -48,32 +48,32 @@ On the Add role assignment tab, you can create role assignments at workspace sco
48
48
49
49
## Add workspace-scoped role assignment
50
50
51
-
First, select **Workspace** as the scope, then select the **Synapse RBAC role**. Select the **principal(s)** to be assigned the role, then create the role assignment(s).
51
+
First, select **Workspace** as the scope, then select the **Synapse RBAC role**. Select the **principal(s)** to be assigned the role, then create the role assignment(s).
52
52
53
53
54
54
55
55
The assigned role will apply for all applicable objects in the workspace.
56
56
57
57
## Add workspace item-scoped role assignment
58
58
59
-
To assign a role at a finer-grained scope, select **Workspace item** as the scope, then select the scoping **Item type**.
59
+
To assign a role at a finer-grained scope, select **Workspace item** as the scope, then select the scoping **Item type**.
60
60
61
61
62
62
63
-
Select the specific **item** to be used as the scope, then select the **role** to be assigned from the drop-down. The drop-down lists only those roles that are valid for the selected item type. [Learn more](./synapse-workspace-synapse-rbac.md).
63
+
Select the specific **item** to be used as the scope, then select the **role** to be assigned from the drop-down. The drop-down lists only those roles that are valid for the selected item type. [Learn more](./synapse-workspace-synapse-rbac.md).
64
64
65
65
66
66
67
-
Then **select the principal(s)** to which the role is to be assigned. You can iteratively select multiple principals. Select **Apply** to create the role assignment(s).
67
+
Then **select the principal(s)** to which the role is to be assigned. You can iteratively select multiple principals. Select **Apply** to create the role assignment(s).
68
68
69
69
## Remove a Synapse RBAC role assignment
70
70
71
-
To revoke Synapse RBAC access, you remove the appropriate role assignments. On the Access control screen, use the filters to locate the role assignment(s) to be removed. Check the role assignments and then select **Remove access**.
71
+
To revoke Synapse RBAC access, you remove the appropriate role assignments. On the Access control screen, use the filters to locate the role assignment(s) to be removed. Check the role assignments and then select **Remove access**.
72
72
73
73
74
74
75
-
Remember that changes to role assignments will take 2-5 minutes to take effect.
75
+
Remember that changes to role assignments will take 2-5 minutes to take effect.
76
76
77
-
## Next steps
77
+
## Related content
78
78
79
-
[Understand the Synapse RBAC roles required to perform common tasks](./synapse-workspace-understand-what-role-you-need.md)
79
+
[Understand the Synapse RBAC roles required to perform common tasks](./synapse-workspace-understand-what-role-you-need.md).
Copy file name to clipboardExpand all lines: articles/synapse-analytics/security/synapse-workspace-synapse-rbac.md
+13-13Lines changed: 13 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -3,9 +3,9 @@ title: Azure Synapse role-based access control
3
3
description: An article that explains role-based access control in Azure Synapse Analytics
4
4
author: meenalsri
5
5
ms.service: azure-synapse-analytics
6
-
ms.topic: conceptual
6
+
ms.topic: concept-article
7
7
ms.subservice: security
8
-
ms.date: 3/07/2022
8
+
ms.date: 02/18/2025
9
9
ms.author: mesrivas
10
10
ms.reviewer: whhender, wiassaf
11
11
---
@@ -19,7 +19,7 @@ Synapse RBAC is used to manage who can:
19
19
- Publish code artifacts and list or access published code artifacts,
20
20
- Execute code on Apaches Spark pools and Integration runtimes,
21
21
- Access linked (data) services protected by credentials
22
-
- Monitor or cancel job execution, review job output, and execution logs.
22
+
- Monitor or cancel job execution, review job output, and execution logs.
23
23
24
24
>[!Note]
25
25
>While Synapse RBAC is used to manage access to published SQL scripts, it provides only limited access control to serverless and dedicated SQL pools. Access to SQL pools is primarily controlled using SQL security.
@@ -30,10 +30,10 @@ Here are some examples of what you can do with Synapse RBAC:
30
30
- Allow a user to publish changes made to Apache Spark notebooks and jobs to the live service.
31
31
- Allow a user to run and cancel notebooks and spark jobs on a specific Apache Spark pool.
32
32
- Allow a user to use specific credentials so they can run pipelines secured by the workspace system identity and access data in linked services secured with credentials.
33
-
- Allow an administrator to manage, monitor, and cancel job execution on specific Spark Pools.
33
+
- Allow an administrator to manage, monitor, and cancel job execution on specific Spark Pools.
34
34
35
35
## How Synapse RBAC works
36
-
Like Azure RBAC, Synapse RBAC works by creating role assignments. A role assignment consists of three elements: a security principal, a role definition, and a scope.
36
+
Like Azure RBAC, Synapse RBAC works by creating role assignments. A role assignment consists of three elements: a security principal, a role definition, and a scope.
37
37
38
38
### Security Principals
39
39
@@ -47,13 +47,13 @@ Synapse provides built-in roles that define collections of actions that match th
47
47
- Administrators can get full access to create and configure a workspace
48
48
- Developers can create, update and debug SQL scripts, notebooks, pipelines, and dataflows, but not be able to publish or execute this code on production compute resources/data
49
49
- Operators can monitor and manage system status, application execution and review logs, without access to code or the outputs from execution.
50
-
- Security staff can manage and configure endpoints without having access to code, compute resources or data.
50
+
- Security staff can manage and configure endpoints without having access to code, compute resources, or data.
51
51
52
52
[Learn more](./synapse-workspace-synapse-rbac-roles.md) about the built-in Synapse roles.
53
53
54
54
### Scopes
55
55
56
-
A _scope_ defines the resources or artifacts that the access applies to. Azure Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.
56
+
A _scope_ defines the resources or artifacts that the access applies to. Azure Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.
57
57
58
58
Current supported scopes within a workspace are:
59
59
@@ -62,23 +62,23 @@ Current supported scopes within a workspace are:
62
62
- linked service
63
63
- credential
64
64
65
-
Access to code artifacts is granted with workspace scope. Granting access to collections of artifacts within a workspace will be supported in a later release.
65
+
Access to code artifacts is granted with workspace scope. Granting access to collections of artifacts within a workspace will be supported in a later release.
66
66
67
67
## Resolving role assignments to determine permissions
68
68
69
69
A role assignment grants a principal the permissions defined by the role at the specified scope.
70
70
71
-
Synapse RBAC is an additive model like Azure RBAC. Multiple roles may be assigned to a single principal and at different scopes. When computing the permissions of a security principal, the system considers all roles assigned to the principal and to groups that directly or indirectly include the principal. It also considers the scope of each assignment in determining the permissions that apply.
71
+
Synapse RBAC is an additive model like Azure RBAC. Multiple roles may be assigned to a single principal and at different scopes. When computing the permissions of a security principal, the system considers all roles assigned to the principal and to groups that directly or indirectly include the principal. It also considers the scope of each assignment in determining the permissions that apply.
72
72
73
73
## Enforcing assigned permissions
74
74
75
75
In Synapse Studio, specific buttons or options may be grayed out or a permissions error may be returned when attempting an action if you don't have the required permissions.
76
76
77
-
If a button or option is disabled, hovering over the button or option shows a tooltip with the required permission. Contact a Synapse Administrator to assign a role that grants the required permission. You can see the roles that provide specific actions, see [Synapse RBAC Roles](./synapse-workspace-synapse-rbac-roles.md).
77
+
If a button or option is disabled, hovering over the button or option shows a tooltip with the required permission. Contact a Synapse Administrator to assign a role that grants the required permission. You can see the roles that provide specific actions, see [Synapse RBAC Roles](./synapse-workspace-synapse-rbac-roles.md).
78
78
79
79
## Who can assign Synapse RBAC roles?
80
80
81
-
Synapse Administrators can assign Synapse RBAC roles. A Synapse Administrator at the workspace level can grant access at any scope. A Synapse Administrator at a lower-level scope can only grant access at that scope.
81
+
Synapse Administrators can assign Synapse RBAC roles. A Synapse Administrator at the workspace level can grant access at any scope. A Synapse Administrator at a lower-level scope can only grant access at that scope.
82
82
83
83
When a new workspace is created, the creator is automatically given the Synapse Administrator role at workspace scope.
84
84
@@ -88,10 +88,10 @@ To help you regain access to a workspace in the event that no Synapse Administra
88
88
89
89
Synapse RBAC is managed from within Synapse Studio using the access control tools in the **Manage** hub.
90
90
91
-
## Next steps
91
+
## Related content
92
92
93
93
Understand the built-in [Synapse RBAC roles](./synapse-workspace-synapse-rbac-roles.md).
94
94
95
95
Learn [how to review Synapse RBAC role assignments](./how-to-review-synapse-rbac-role-assignments.md) for a workspace.
96
96
97
-
Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md)
97
+
Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md).
Copy file name to clipboardExpand all lines: articles/synapse-analytics/sql-data-warehouse/sql-data-warehouse-table-constraints.md
+12-12Lines changed: 12 additions & 12 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -4,10 +4,10 @@ description: Table constraints support using dedicated SQL pool in Azure Synapse
4
4
author: mstehrani
5
5
ms.author: emtehran
6
6
ms.reviewer: nibruno; wiassaf
7
-
ms.date: 09/05/2019
7
+
ms.date: 02/21/2025
8
8
ms.service: azure-synapse-analytics
9
9
ms.subservice: sql-dw
10
-
ms.topic: conceptual
10
+
ms.topic: concept-article
11
11
ms.custom:
12
12
- azure-synapse
13
13
---
@@ -19,23 +19,23 @@ Learn about table constraints in dedicated SQL pool, including primary key, fore
19
19
## Table constraints
20
20
21
21
Dedicated SQL pool supports these table constraints:
22
-
- PRIMARY KEY is only supported when NONCLUSTERED and NOT ENFORCED are both used.
22
+
- PRIMARY KEY is only supported when NONCLUSTERED and NOT ENFORCED are both used.
23
23
- UNIQUE constraint is only supported when NOT ENFORCED is used.
24
24
25
25
For syntax, check [ALTER TABLE](/sql/t-sql/statements/alter-table-transact-sql) and [CREATE TABLE](/sql/t-sql/statements/create-table-azure-sql-data-warehouse).
26
26
27
-
FOREIGN KEY constraint is not supported in dedicated SQL pool.
27
+
FOREIGN KEY constraint isn't supported in dedicated SQL pool.
28
28
29
29
30
30
## Remarks
31
31
32
-
Having primary key and/or unique key allows dedicated SQL pool engine to generate an optimal execution plan for a query. All values in a primary key column or a unique constraint column should be unique.
32
+
Having primary key and/or unique key allows dedicated SQL pool engine to generate an optimal execution plan for a query. All values in a primary key column or a unique constraint column should be unique.
33
33
34
34
> [!IMPORTANT]
35
35
> After creating a table with primary key or unique constraint in dedicated SQL pool, users need to make sure all values in those columns are unique.
36
36
> A violation of that may cause the query to return inaccurate result.
37
37
38
-
This example shows how a query may return inaccurate result if the primary key or unique constraint column includes duplicate values.
38
+
This example shows how a query may return inaccurate result if the primary key or unique constraint column includes duplicate values.
39
39
40
40
```sql
41
41
-- Create table t1
@@ -48,7 +48,7 @@ INSERT INTO t1 VALUES (2, 200)
48
48
INSERT INTO t1 VALUES (3, 300)
49
49
INSERT INTO t1 VALUES (4, 400)
50
50
51
-
-- Run this query. No primary key or unique constraint. 4 rows returned. Correct result.
51
+
-- Run this query. No primary key or unique constraint. 4 rows returned. Correct result.
52
52
SELECT a1, COUNT(*) AS total FROM t1 GROUP BY a1
53
53
54
54
/*
@@ -65,7 +65,7 @@ a1 total
65
65
-- Add unique constraint
66
66
ALTERTABLE t1 ADD CONSTRAINT unique_t1_a1 unique (a1) NOT ENFORCED
67
67
68
-
-- Re-run this query. 5 rows returned. Incorrect result.
68
+
-- Re-run this query. 5 rows returned. Incorrect result.
69
69
SELECT a1, count(*) AS total FROM t1 GROUP BY a1
70
70
71
71
/*
@@ -86,7 +86,7 @@ ALTER TABLE t1 DROP CONSTRAINT unique_t1_a1
-- Re-run this query. 5 rows returned. Correct result.
146
+
-- Re-run this query. 5 rows returned. Correct result.
147
147
SELECT a1, COUNT(*) AS total FROM t1 GROUP BY a1
148
148
149
149
/*
@@ -174,6 +174,6 @@ Create a dedicated SQL pool table with a unique constraint:
174
174
CREATETABLEt6 (c1 INT UNIQUE NOT ENFORCED, c2 INT);
175
175
```
176
176
177
-
## Next steps
177
+
## Related content
178
178
179
179
After creating the tables for your dedicated SQL pool, the next step is to load data into the table. For a loading tutorial, see [Loading data to dedicated SQL pool](load-data-wideworldimportersdw.md).
0 commit comments