Commit 9a794be

Merge pull request #176960 from meenalsri/RbacUpdates
Changes to remove allow pipeline control from UI
2 parents a311c92 + c42cf9c commit 9a794be

6 files changed

+5
-47
lines changed

articles/synapse-analytics/security/how-to-grant-workspace-managed-identity-permissions.md

Lines changed: 0 additions & 8 deletions
Original file line numberDiff line numberDiff line change
@@ -19,14 +19,6 @@ This article teaches you how to grant permissions to the managed identity in Azu
1919
>[!NOTE]
2020
>This workspace managed identity will be referred to as managed identity through the rest of this document.
2121
22-
## Grant managed identity permissions to the dedicated SQL pool
23-
24-
The managed identity grants permissions to the dedicated SQL pools in the workspace. With permissions granted, you can orchestrate pipelines that perform dedicated SQL pool-related activities. When you create an Azure Synapse workspace using Azure portal, you can grant the managed identity CONTROL permissions on dedicated SQL pools.
25-
26-
Select **Security** when you're creating your Azure Synapse workspace. Then select **Allow pipelines (running as workspace's system assigned identity) to access SQL pools.**.
27-
28-
![CONTROL permission on dedicated SQL pools](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-16.png)
29-
3022
## Grant the managed identity permissions to ADLS Gen2 storage account
3123

3224
An ADLS Gen2 storage account is required to create an Azure Synapse workspace. To successfully launch Spark pools in Azure Synapse workspace, the Azure Synapse managed identity needs the *Storage Blob Data Contributor* role on this storage account . Pipeline orchestration in Azure Synapse also benefits from this role.
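Review bot: with the whole "Grant managed identity permissions to the dedicated SQL pool" section deleted, this article no longer says anything about how the workspace identity reaches dedicated SQL pools, so a reader who enabled "Allow pipelines (running as workspace's system assigned identity) to access SQL pools" on an existing workspace cannot tell from this page whether that CONTROL grant still applies or what replaces it. Suggest leaving a one-sentence pointer in place of the section (the overview article's unchanged text already states that Active Directory Admin permission is granted to the workspace MSI) rather than removing it without a replacement, and confirm that `configure-workspace-managed-identity-16.png` is not referenced elsewhere before the media file is dropped.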

articles/synapse-analytics/security/how-to-set-up-access-control.md

Lines changed: 4 additions & 35 deletions
@@ -176,16 +176,15 @@ The workspace creator is automatically set up as the SQL Active Directory Admin
176176
177177
## STEP 7: Grant access to SQL pools
178178

179-
By default, all users assigned the Synapse Administrator role are also assigned the SQL `db_owner` role on the dedicated and serverless SQL pools in the workspace.
179+
By default, all users assigned the Synapse Administrator role are also assigned the SQL `db_owner` role on the serverless SQL pools in the workspace.
180180

181-
Access to SQL pools for other users and for the workspace MSI is controlled using SQL permissions. Assigning SQL permissions requires that SQL scripts are run on each SQL database after creation. There are three cases that require you run these scripts:
181+
Access to SQL pools for other users is controlled using SQL permissions. Assigning SQL permissions requires that SQL scripts are run on each SQL database after creation. There are three cases that require you run these scripts:
182182
1. Granting other users access to the serverless SQL pool, 'Built-in', and its databases
183183
2. Granting any user access to dedicated SQL pool databases
184-
3. Granting the workspace MSI access to a SQL pool database to enable pipelines that require SQL pool access to run successfully.
185184

186185
Example SQL scripts are included below.
187186

188-
To grant access to a dedicated SQL pool database, the scripts can be run by the workspace creator or any member of the `workspace1_SQLAdmins` group or the `workspace1_SynapseAdministrators` group.
187+
To grant access to a dedicated SQL pool database, the scripts can be run by the workspace creator or any member of the `workspace1_SynapseAdministrators` group.
189188

190189
To grant access to the serverless SQL pool, 'Built-in', the scripts can be run by any member of the `workspace1_SQLAdmins` group or the `workspace1_SynapseAdministrators` group.
191190

@@ -263,36 +262,6 @@ To grant access to a **single** dedicated SQL pool database, follow these steps
263262

264263
After creating the users, run queries to validate that the serverless SQL pool can query the storage account.
265264

266-
### STEP 7.3: SQL access control for Azure Synapse pipeline runs
267-
268-
### Workspace managed identity
269-
270-
> [!IMPORTANT]
271-
> To run pipelines successfully that include datasets or activities that reference a SQL pool, the workspace identity needs to be granted access to the SQL pool.
272-
273-
For more information on the workspace managed identity, see [Azure Synapse workspace managed identity](synapse-workspace-managed-identity.md). Run the following commands on each SQL pool to allow the workspace managed system identity to run pipelines on the SQL pool database(s):
274-
275-
>[!note]
276-
>In the scripts below, for a dedicated SQL pool database, `<databasename>` is the same as the pool name. For a database in the serverless SQL pool 'Built-in', `<databasename>` is the name of the database.
277-
278-
```sql
279-
--Create a SQL user for the workspace MSI in database
280-
CREATE USER [<workspacename>] FROM EXTERNAL PROVIDER;
281-
282-
--Granting permission to the identity
283-
GRANT CONTROL ON DATABASE::<databasename> TO <workspacename>;
284-
```
285-
286-
This permission can be removed by running the following script on the same SQL pool:
287-
288-
```sql
289-
--Revoke permission granted to the workspace MSI
290-
REVOKE CONTROL ON DATABASE::<databasename> TO <workspacename>;
291-
292-
--Delete the workspace MSI user in the database
293-
DROP USER [<workspacename>];
294-
```
295-
296265
## STEP 8: Add users to security groups
297266

298267
The initial configuration for your access control system is complete.
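Review bot: deleting STEP 7.3 also deletes the only REVOKE / DROP USER script on the page, so workspaces that previously followed this guide and granted CONTROL on the database to the workspace MSI are left with a standing database-level CONTROL grant and no documented cleanup. Suggest keeping the second snippet (`REVOKE CONTROL ON DATABASE::<databasename> TO <workspacename>;` and `DROP USER [<workspacename>];`) under a short note about removing the old pipeline grant from existing pools, and check the repo for any remaining links to the `#step-73-sql-access-control-for-azure-synapse-pipeline-runs` anchor, since that heading no longer exists.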
@@ -315,7 +284,7 @@ Your workspace is now fully configured and secured.
315284

316285
This guide has focused on setting up a basic access control system. You can support more advanced scenarios by creating additional security groups and assigning these groups more granular roles at more specific scopes. Consider the following cases:
317286

318-
**Enable Git-support** for the workspace for more advanced development scenarios including CI/CD. While in Git mode, Git permissions will determine whether a user can commit changes to their working branch. Publishing to the service only takes place from the collaboration branch. Consider creating a security group for developers who need to develop and debug updates in a working branch but don't need to publish changes to the live service.
287+
**Enable Git-support** for the workspace for more advanced development scenarios including CI/CD. While in Git mode, Git permissions and Synapse RBAC will determine whether a user can commit changes to their working branch. Publishing to the service only takes place from the collaboration branch. Consider creating a security group for developers who need to develop and debug updates in a working branch but don't need to publish changes to the live service.
319288
320289
**Restrict developer access** to specific resources. Create additional finer-grained security groups for developers who need access only to specific resources. Assign these groups appropriate Azure Synapse roles that are scoped to specific Spark pools, Integration runtimes, or credentials.
321290
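Review bot: the added "and Synapse RBAC" states that RBAC now gates commits in Git mode, but the paragraph's recommendation to create a security group for developers who commit to a working branch without publishing still does not name which Synapse RBAC role that group needs; add the role name or a link to where the roles are listed so the recommendation is actionable.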

articles/synapse-analytics/security/synapse-workspace-access-control-overview.md

Lines changed: 1 addition & 1 deletion
@@ -71,7 +71,7 @@ The creator of a workspace is assigned as the Active Directory Admin on the work
7171

7272
**Serverless SQL pools**: Synapse Administrators are granted `db_owner` (`DBO`) permissions on the serverless SQL pool, 'Built-in'. To grant other users access to serverless SQL pools, Synapse administrators need to run SQL scripts on each serverless pool.
7373

74-
**Dedicated SQL pools**: Synapse Administrators are granted `db_owner` (`DBO`) permissions on the dedicated SQL pools. Active Directory Admin permission is granted to the creator of the workspace and the workspace MSI. Permission to access dedicated SQL pools isn't otherwise granted automatically. To grant other users or groups access to dedicated SQL pools, the Active Directory Admin must run SQL scripts against each dedicated SQL pool.
74+
**Dedicated SQL pools**: Synapse Administrators have full access to data in dedicated SQL pools, and the ability to grant access to other users. Synapse Administrators can also perform configuration and maintenance activities on dedicated pools, except for dropping databases. Active Directory Admin permission is granted to the creator of the workspace and the workspace MSI. Permission to access dedicated SQL pools isn't otherwise granted automatically. To grant other users or groups access to dedicated SQL pools, the Active Directory Admin or Synapse Administrator must run SQL scripts against each dedicated SQL pool.
7575

7676
See [How to set up Synapse Access Control](./how-to-set-up-access-control.md) for examples of SQL scripts for granting SQL permissions in SQL pools.
7777

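Review bot: the rewritten dedicated SQL pool paragraph keeps "Active Directory Admin permission is granted to the creator of the workspace and the workspace MSI", and because the pipeline-specific grant section is removed elsewhere in this PR, this is now the only sentence that explains why pipelines can reach dedicated pools; say so explicitly (for example, that no separate grant to the workspace identity is required). "full access to data" and "configuration and maintenance activities on dedicated pools, except for dropping databases" are also vaguer than the `db_owner` (`DBO`) wording kept for serverless pools on the line above; naming the actual permission level would make the two bullets comparable.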
articles/synapse-analytics/sql/how-to-pause-resume-pipelines.md

Lines changed: 0 additions & 3 deletions
@@ -222,6 +222,3 @@ Further details on Managed Identity for Azure Synapse, and how Managed Identity
222222
[Azure Synapse workspace managed identity](../security/synapse-workspace-managed-identity.md)
223223
224224
[Grant permissions to workspace managed identity](../security/how-to-grant-workspace-managed-identity-permissions.md)
225-
226-
[SQL access control for Synapse pipeline runs](../security/how-to-set-up-access-control.md#step-73-sql-access-control-for-azure-synapse-pipeline-runs)
227-

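Review bot: removing the "SQL access control for Synapse pipeline runs" link is correct since its anchor target is deleted in this PR, but the hunk also removes the blank lines after line 224, so the file now ends directly on the remaining link line; confirm a final newline is kept.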