articles/synapse-analytics/security/synapse-workspace-access-control-overview.md
18 additions & 12 deletions
@@ -6,9 +6,9 @@ author: meenalsri
6
6
ms.service: synapse-analytics
7
7
ms.topic: overview
8
8
ms.subservice: security
9
-
ms.date: 12/03/2020
9
+
ms.date: 11/02/2021
10
10
ms.author: mesrivas
11
-
ms.reviewer: jrasnick
11
+
ms.reviewer: wiassaf
12
12
---
13
13
# Azure Synapse access control
14
14
@@ -28,16 +28,17 @@ Access control can be simplified by using security groups that are aligned with
28
28
29
29
## Access control elements
30
30
31
-
### Creating and managing Synapse compute resources
31
+
### Create and manage Azure Synapse compute resources
32
32
33
33
Azure roles are used to control management of:
34
-
- Dedicated SQL pools,
35
-
- Apache Spark pools, and
36
-
- Integration runtimes.
34
+
- Dedicated SQL pools
35
+
- Data Explorer pools
36
+
- Apache Spark pools
37
+
- Integration runtimes
37
38
38
39
To *create* these resources, you need to be an Azure Owner or Contributor on the resource group. To *manage* them once created, you need to be an Azure Owner or Contributor on either the resource group or the individual resources.
39
40
40
-
### Developing and executing code in Synapse
41
+
### Develop and execute code in Azure Synapse
41
42
42
43
Synapse supports two development models.
43
44
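Review bot: The list of Azure-role-managed resources now includes Data Explorer pools, but the sentence that follows it ("To *create* these resources, you need to be an Azure Owner or Contributor on the resource group...") is unchanged and now applies to Data Explorer pools as well; confirm that Owner/Contributor on the resource group or the individual resource is indeed what creating and managing a Data Explorer pool requires, or qualify the sentence. The renamed headings ("Create and manage...", "Develop and execute code...") switch to imperative form, so the remaining gerund headings in this file should be brought in line in the same change.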
@@ -46,24 +47,24 @@ Synapse supports two development models.
46
47
47
48
In both development models, any user with access to Synapse Studio can create code artifacts. However, you need additional permissions to publish artifacts to the service, read published artifacts, to commit changes to Git, to execute code, and to access linked data protected by credentials.
48
49
49
-
### Synapse roles
50
+
### Azure Synapse roles
50
51
51
-
Synapse roles are used to control access to the Synapse service that permit you to:
52
+
Azure Synapse roles are used to control access to the Synapse service that permit you to:
52
53
- List published code artifacts,
53
54
- Publish code artifacts, linked services, and credential definitions,
54
55
- Execute code or pipelines that use Synapse compute resources,
55
56
- Execute code or pipelines that access linked data protected by credentials,
56
57
- View outputs associated with published code artifacts,
57
58
- Monitor compute resource status, and view runtime logs.
58
59
59
-
Synapse roles can be assigned at the workspace scope or at finer-grained scopes to limit the permissions granted to specific Synapse resources.
60
+
Azure Synapse roles can be assigned at the workspace scope or at finer-grained scopes to limit the permissions granted to specific Azure Synapse resources.
60
61
61
62
### Git permissions
62
63
63
-
When using Git-enabled development in Git mode, you need Git permissions in addition to the Synapse User (Synapse RBAC) role to read code artifacts, including linked service and credential definitions. To commit changes to code artifacts in Git mode, you need Git permissions, Azure Contributor (Azure RBAC) role on the workspace, and the Synapse Artifact Publisher (Synapse RBAC) role.
64
+
When using Git-enabled development in Git mode, you need Git permissions in addition to the Synapse User or Synapse RBAC (role-based access control) roles to read code artifacts, including linked service and credential definitions. To commit changes to code artifacts in Git mode, you need Git permissions, Azure Contributor (Azure RBAC) role on the workspace, and the Synapse Artifact Publisher (Synapse RBAC) role.
64
65
65
66
66
-
### Accessing data in SQL
67
+
### Access data in SQL
67
68
68
69
When working with dedicated and serverless SQL pools, data plane access is controlled using SQL permissions.
69
70
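Review bot: The rewritten Git permissions sentence changes the meaning: "in addition to the Synapse User or Synapse RBAC (role-based access control) roles" presents Synapse RBAC as a role separate from Synapse User, whereas the removed wording "the Synapse User (Synapse RBAC) role" correctly identified Synapse User as a Synapse RBAC role (the same sentence later uses "(Synapse RBAC)" in exactly that sense for Synapse Artifact Publisher). Suggest "in addition to the Synapse User (Synapse RBAC, role-based access control) role" so the acronym is still expanded without implying a second role. Minor: "Azure Synapse roles are used to control access to the Synapse service that permit you to:" reads awkwardly; "Azure Synapse roles control access to the Synapse service and permit you to:" is cleaner.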
@@ -75,6 +76,11 @@ The creator of a workspace is assigned as the Active Directory Admin on the work
75
76
76
77
See [How to set up Synapse Access Control](./how-to-set-up-access-control.md) for examples of SQL scripts for granting SQL permissions in SQL pools.
77
78
79
+
### Accessing data in Data Explorer pools
80
+
81
+
When working with Data Explorer pools, data plane access is controlled through Data Explorer permissions. Synapse Administrators are granted `All Database admin` permissions on Data Explorer pools. To grant other users or groups access to Data Explorer pools, Synapse administrators should refer to [Security roles management](/azure/data-explorer/kusto/management/security-roles?context=/azure/synapse-analytics/context/context). For more information on data plane access, see [Data Explorer access control overview](/azure/data-explorer/kusto/management/access-control/index?context=/azure/synapse-analytics/context/context).
82
+
83
+
78
84
### Accessing system-managed data in storage
79
85
80
86
Serverless SQL pools and Apache Spark tables store their data in an ADLS Gen2 container associated with the workspace. User-installed Apache Spark libraries are also managed in the same storage account. To enable these use cases, users and the workspace MSI must be granted **Storage Blob Data Contributor** access to this workspace ADLS Gen2 storage container.
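Review bot: The new heading "### Accessing data in Data Explorer pools" uses the gerund form that this same commit replaces elsewhere ("### Access data in SQL"); suggest "### Access data in Data Explorer pools" for consistency, and the untouched "### Accessing system-managed data in storage" should follow suit. In the new paragraph, "Synapse Administrators" and "Synapse administrators" are capitalized differently within two sentences; pick one (the role table in the companion file uses "Synapse Administrator"). The hunk also adds two blank lines before the next heading where the rest of the file uses one.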
articles/synapse-analytics/security/synapse-workspace-synapse-rbac-roles.md
12 additions & 11 deletions
@@ -5,14 +5,14 @@ author: meenalsri
5
5
ms.service: synapse-analytics
6
6
ms.topic: conceptual
7
7
ms.subservice: security
8
-
ms.date: 12/1/2020
8
+
ms.date: 11/02/2021
9
9
ms.author: mesrivas
10
-
ms.reviewer: jrasnick
10
+
ms.reviewer: wiassaf
11
11
---
12
12
13
13
# Synapse RBAC Roles
14
14
15
-
The article describes the built-in Synapse RBAC roles, the permissions they grant, and the scopes at which they can be used.
15
+
The article describes the built-in Synapse RBAC (role-based access control) roles, the permissions they grant, and the scopes at which they can be used.
16
16
17
17
## What's changed since the preview?
18
18
For users familiar with the Synapse RBAC roles provided during the preview, the following changes apply:
@@ -34,7 +34,7 @@ The following table describes the built-in roles and the scopes at which they ca
34
34
35
35
|Role |Permissions|Scopes|
36
36
|---|---|-----|
37
-
|Synapse Administrator |Full Synapse access to SQL pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. </br></br>_Can read and write artifacts</br> Can do all actions on Spark activities.</br> Can view Spark pool logs</br> Can view saved notebook and pipeline output </br> Can use the secrets stored by linked services or credentials</br>Can assign and revoke Synapse RBAC roles at current scope_|Workspace </br> Spark pool<br/>Integration runtime </br>Linked service</br>Credential |
37
+
|Synapse Administrator |Full Synapse access to SQL pools, Data Explorer pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. </br></br>_Can read and write artifacts</br> Can do all actions on Spark activities.</br> Can view Spark pool logs</br> Can view saved notebook and pipeline output </br> Can use the secrets stored by linked services or credentials</br>Can assign and revoke Synapse RBAC roles at current scope_|Workspace </br> Spark pool<br/>Integration runtime </br>Linked service</br>Credential |
38
38
|Synapse Apache Spark Administrator</br>|Full Synapse access to Apache Spark Pools. Create, read, update, and delete access to published Spark job definitions, notebooks and their outputs, and to libraries, linked services, and credentials. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. </br></br>_Can do all actions on Spark artifacts</br>Can do all actions on Spark activities_|Workspace</br>Spark pool|
39
39
|Synapse SQL Administrator|Full Synapse access to serverless SQL pools. Create, read, update, and delete access to published SQL scripts, credentials, and linked services. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. </br></br>*Can do all actions on SQL scripts<br/>Can connect to SQL serverless endpoints with SQL `db_datareader`, `db_datawriter`, `connect`, and `grant` permissions*|Workspace|
40
40
|Synapse Contributor|Full Synapse access to Apache Spark pools and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts and their outputs, including credentials and linked services. Includes compute operator permissions. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. </br></br>_Can read and write artifacts</br>Can view saved notebook and pipeline output</br>Can do all actions on Spark activities</br>Can view Spark pool logs_|Workspace </br> Spark pool<br/> Integration runtime|
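Review bot: The Synapse Administrator row now lists Data Explorer pools under "Full Synapse access to...", but the italic summary and the Scopes column ("Workspace, Spark pool, Integration runtime, Linked service, Credential") are unchanged; if a Data Explorer pool can be a scope for Synapse RBAC assignments, add it to the Scopes column, and consider stating the `All Database admin` grant on Data Explorer pools that the access-control overview in this same commit describes, so the two articles agree on what the role conveys.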
@@ -43,23 +43,23 @@ The following table describes the built-in roles and the scopes at which they ca
43
43
|Synapse Compute Operator |Submit Spark jobs and notebooks and view logs. Includes canceling Spark jobs submitted by any user. Requires additional use credential permissions on the workspace system identity to run pipelines, view pipeline runs and outputs. </br></br>_Can submit and cancel jobs, including jobs submitted by others</br>Can view Spark pool logs_|Workspace</br>Spark pool</br>Integration runtime|
44
44
|Synapse Credential User|Runtime and configuration-time use of secrets within credentials and linked services in activities like pipeline runs. To run pipelines, this role is required, scoped to the workspace system identity. </br></br>_Scoped to a credential, permits access to data via a linked service that is protected by the credential (also requires compute use permission) </br>Allows execution of pipelines protected by the workspace system identity credential(with additional compute use permission)_|Workspace </br>Linked Service</br>Credential
45
45
|Synapse Linked Data Manager|Creation and management of managed private endpoints, linked services, and credentials. Can create managed private endpoints that use linked services protected by credentials|Workspace|
46
-
|Synapse User|List and view details of SQL pools, Apache Spark pools, Integration runtimes, and published linked services and credentials. Doesn't include other published code artifacts. Can create new artifacts but can't run or publish without additional permissions.</br></br>_Can list and read Spark pools, Integration runtimes._|Workspace, Spark pool</br>Linked service </br>Credential|
46
+
|Synapse User|List and view details of SQL pools, Apache Spark pools, Integration runtimes, and published linked services and credentials. Doesn't include other published code artifacts. Can create new artifacts but can't run or publish without additional permissions.</br></br>_Can list and read Spark pools, Integration runtimes._|Workspace, Spark pool</br>Linked service </br>Credential|
47
47
48
48
## Synapse RBAC roles and the actions they permit
49
49
50
50
>[!Note]
51
51
>- All actions listed in the tables below are prefixed, "Microsoft.Synapse/..."</br>
52
52
>- All artifact read, write, and delete actions are with respect to published artifacts in the live service. These permissions do not affect access to artifacts in a connected Git repo.
53
53
54
-
The following table lists the built-in roles and the actions/permissions that each supports.
54
+
The following table lists the built-in roles and the actions/permissions that each support.
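Review bot: "the actions/permissions that each support" is a grammar regression; "each" is singular, so the removed wording "each supports" was correct and should be restored. The Synapse User row is also shown as changed although the before and after text is identical, which suggests a whitespace-only edit; drop it from the change to keep the diff to the intended edits.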