articles/synapse-analytics/metadata/database.md
11 additions & 3 deletions
@@ -25,7 +25,7 @@ Since the databases are synchronized to serverless SQL pool asynchronously, ther
25
25
26
26
## Manage a Spark created database
27
27
28
-
To manage Spark created databases you need to use Apache Spark pools. For example, create or delete it through a Spark pool job.
28
+
To manage Spark created databases, you need to use Apache Spark pools. For example, create or delete it through a Spark pool job.
29
29
30
30
Objects in synchronized databases cannot be modified from serverless SQL pool.
31
31
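Review bot: The rewritten sentence at new line 28 still says "create or delete it", a singular pronoun referring to the plural "Spark created databases". Since the line is already being touched for the comma, change it to "create or delete them" (or "create or delete a database"). "Spark created" is a compound modifier and would read better as "Spark-created", both here and in the heading above it.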
@@ -36,14 +36,22 @@ Objects in synchronized databases cannot be modified from serverless SQL pool.
36
36
37
37
The Spark databases and tables, along with their synchronized representations in the SQL engine will be secured at the underlying storage level.
38
38
39
-
The security principal who creates a database is considered the owner of that database, and has all the rights to the database and its objects. Synapse Administrator and Synapse SQL Administrator will also have all the permissions on synchronized objects in serverless SQL pool by default. Creating custom objects (including users) in synchronized SQL databases is not allowed.
39
+
The security principal who creates a database is considered the owner of that database, and has all the rights to the database and its objects. `Synapse Administrator` and `Synapse SQL Administrator` will also have all the permissions on synchronized objects in serverless SQL pool by default. Creating custom objects (including users) in synchronized SQL databases is not allowed.
40
40
41
41
To give a security principal, such as a user, Azure AD app or a security group, access to the underlying data used for external tables, you need to give them `read (R)` permissions on files (such as the table's underlying data files) and `execute (X)` on folder where the files are stored + on every parent folder up to the root. You can read more about these permissions on [Access control lists(ACLs)](../../storage/blobs/data-lake-storage-access-control.md) page.
42
42
43
43
For example, in `https://<storage-name>.dfs.core.windows.net/<fs>/synapse/workspaces/<synapse_ws>/warehouse/mytestdb.db/myparquettable/`, security principals need to have `X` permissions on all the folders starting at the `<fs>` to the `myparquettable` and `R` permissions on `myparquettable` and files inside that folder, to be able to read a table in a database (synchronized or original one).
44
44
45
45
If a security principal requires the ability to create objects or drop objects in a database, additional `W` permissions are required on the folders and files in the `warehouse` folder. Modifying objects in a database is not possible from serverless SQL pool, only from Spark.
46
46
47
+
### SQL security model
48
+
49
+
Synapse workspace provides T-SQL endpoint that enables you to query the shared database using the serverless SQL pool. As a prerequisite, you need to enable a user to access shared databases in serverless SQL pool. There are two ways to allow a user to access the shared databases:
50
+
- You can assign a `Synapse SQL Administrator` workspace role or `sysadmin` server-level role in the serverless SQL pool. This role has a full control on all databases.
51
+
- You can grant `GRANT CONNECT ANY DATABASE` and `GRANT SELECT ALL USER SECURABLES` server-level permissions on serverless SQL pool to a login that will enable the login to access and read any database. This might be a good choice for assigning reader/non-admin access to a user.
52
+
53
+
Learn more about setting [access control on shared databases](../sql/shared-databases-access-control.md).
54
+
47
55
## Examples
48
56
49
57
### Create and connect to Spark database with serverless SQL pool
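Review bot: In the second bullet of the new "SQL security model" section (new line 51), the code spans include the verb, so the sentence reads "grant `GRANT CONNECT ANY DATABASE` and `GRANT SELECT ALL USER SECURABLES`"; put only the permission names in backticks (`CONNECT ANY DATABASE`, `SELECT ALL USER SECURABLES`). The same bullet says the login can "access and read any database", so it is worth stating outright that these server-level permissions are not limited to the shared databases, so nobody grants them expecting a narrower scope. In the first bullet (new line 50), "This role has a full control" follows two roles (`Synapse SQL Administrator` and `sysadmin`); suggest "These roles have full control on all databases". New line 49 is missing an article ("provides a T-SQL endpoint"). Finally, the section sits directly under the storage ACL paragraphs but does not say whether a login given only the reader permissions still needs the `R`/`X` ACLs described there; one sentence tying the two models together would remove that ambiguity.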
@@ -65,4 +73,4 @@ Verify that `mytestdb` is included in the results.
65
73
## Next steps
66
74
67
75
-[Learn more about Azure Synapse Analytics' shared metadata](overview.md)
68
-
-[Learn more about Azure Synapse Analytics' shared metadata Tables](table.md)
76
+
-[Learn more about Azure Synapse Analytics' shared metadata Tables](table.md)
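Review bot: The removed and added versions of line 68/76 are textually identical in this view, so the change is presumably whitespace or an end-of-file newline; if so, please say that in the commit message. Both "Next steps" entries start with "-[" with no space after the hyphen, so they will not render as list items; since the line is being rewritten anyway, change it to "- [Learn more ...](table.md)" and fix the overview.md line above it the same way. "Tables" in the link text can be lowercase.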