Commit a370211

Merge pull request #109369 from Kat-Campise/meta_security_articles
meta and security articles
2 parents ac32929 + e056d4e commit a370211

11 files changed: +108 -61 lines changed

articles/synapse-analytics/metadata/database.md

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -19,9 +19,9 @@ Azure Synapse Analytics allows the different computational workspace engines to
1919

2020
A database created with a Spark job will become visible with that same name to all current and future Spark pools (preview) in the workspace as well as the SQL on-demand engine.
2121

22-
If there are SQL pools in the workspace that have metadata synchronization enabled or if a new SQL pool is created with the metadata synchronization enabled, these Spark created databases are automatically mapped into special schemas in the SQL pool database.
22+
If there are SQL pools in the workspace that have metadata synchronization enabled, or if you create a new SQL pool with the metadata synchronization enabled, these Spark created databases are automatically mapped into special schemas in the SQL pool database.
2323

24-
Each such schema is named after the Spark database name with an additional `$` prefix. Both the external and managed tables in the Spark-generated database are exposed as external tables in the corresponding special schema.
24+
Each schema is named after the Spark database name with an additional `$` prefix. Both the external and managed tables in the Spark-generated database are exposed as external tables in the corresponding special schema.
2525

2626
The Spark default database, called `default`, will also be visible in the SQL on-demand context as a database called `default`, and in any of the SQL pool databases with metadata synchronization turned on as the schema `$default`.
2727

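Review bot: Dropping "such" in line 24 ("Each schema is named after the Spark database name") broadens the statement to every schema in the SQL pool database, which is not what the paragraph describes; only the schemas that metadata synchronization creates for Spark databases carry the `$` prefix. Suggest "Each of these schemas is named after the Spark database, with an additional `$` prefix", or keep the original "Each such schema". The change on line 22 ("if you create a new SQL pool") reads fine.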
@@ -74,7 +74,7 @@ First create a new Spark database named `mytestdb` using a Spark cluster you hav
7474
spark.Sql("CREATE DATABASE mytestdb")
7575
```
7676

77-
This creates the Spark database. After a short delay, you can see the database from SQL on-demand. For example, run the following statement from SQL on-demand.
77+
After a short delay, you can see the database from SQL on-demand. For example, run the following statement from SQL on-demand.
7878

7979
```sql
8080
SELECT * FROM sys.databases;
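Review bot: Line 77 now opens with "After a short delay" directly after the code fence, which works, but the delay is left unspecified here while overview.md in this same commit says synchronization is asynchronous and takes "a few seconds". Suggest aligning the wording ("After a few seconds, the database becomes visible to SQL on-demand") so the two articles agree, and saying that the `SELECT * FROM sys.databases;` that follows will not list `mytestdb` until that synchronization has completed.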

articles/synapse-analytics/metadata/overview.md

Lines changed: 6 additions & 6 deletions
@@ -1,6 +1,6 @@
11
---
22
title: Azure Synapse Analytics shared metadata model
3-
description: Azure Synapse Analytics provides a shared metadata model where creating a database or table in Apache Spark will make it accessible from its SQL on-demand (preview) and SQL pool engines without duplicating the data or requiring user action.
3+
description: Azure Synapse Analytics allows the different workspace computational engines to share databases and tables between its Spark pools (preview), SQL on-demand engine (preview), and SQL pools.
44
services: synapse-analytics
55
author: MikeRys
66
ms.service: synapse-analytics
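Review bot: The new description on line 3 is identical, word for word, to the article's opening sentence (line 16 in the next hunk), so the front matter no longer adds anything, and the point the old description made explicit (objects created in Spark become accessible to the SQL engines "without duplicating the data or requiring user action") is lost. Suggest a description that keeps that distinguishing detail, for example by folding the old clause into the new sentence.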
@@ -13,11 +13,11 @@ ms.reviewer: jrasnick
1313

1414
# Azure Synapse Analytics shared metadata
1515

16-
Azure Synapse Analytics allows the different computational engines of a workspace to share databases and tables between its Spark pools (preview), SQL on-demand engine (preview), and SQL pools.
16+
Azure Synapse Analytics allows the different workspace computational engines to share databases and tables between its Spark pools (preview), SQL on-demand engine (preview), and SQL pools.
1717

1818
[!INCLUDE [synapse-analytics-preview-terms](../../../includes/synapse-analytics-preview-terms.md)]
1919

20-
The sharing supports the so-called modern data warehouse pattern and gives the workspace SQL engines access to databases and tables created with Spark. It also allows the SQL engines to create their own objects that are not being shared with the other engines.
20+
The sharing supports the so-called modern data warehouse pattern and gives the workspace SQL engines access to databases and tables created with Spark. It also allows the SQL engines to create their own objects that aren't being shared with the other engines.
2121

2222
## Support the modern data warehouse
2323

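Review bot: Line 20 switches to a contraction ("aren't") while line 44 in the next hunk keeps "cannot be processed"; the article should settle on one register. Separately, "so-called modern data warehouse pattern" on line 20 reads as dismissive; "the modern data warehouse pattern" is sufficient.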
@@ -35,19 +35,19 @@ The shared metadata model supports the modern data warehouse pattern in the foll
3535

3636
<!--__Figure 1 -__ Supporting the Modern Data Warehouse Pattern with shared metadata-->
3737

38-
The object synchronization occurs asynchronously. Objects will therefore have a slight delay of a few seconds until they appear in the SQL context. Once they appear, they can be queried, but not updated nor changed by the SQL engines that have access to them.
38+
Object synchronization occurs asynchronously. Objects will have a slight delay of a few seconds until they appear in the SQL context. Once they appear, they can be queried, but not updated nor changed by the SQL engines that have access to them.
3939

4040
## Which metadata objects are shared
4141

4242
[!INCLUDE [synapse-analytics-preview-features](../../../includes/synapse-analytics-preview-features.md)]
4343

44-
Spark allows you to create databases, external and managed tables as well as views. Since Spark views require a Spark engine to process the defining Spark SQL statement, and cannot be processed by a SQL engine, only databases and their contained external and managed tables that use the Parquet storage format are shared with the workspace SQL engines. Spark views are only shared among the Spark pool instances.
44+
Spark allows you to create databases, external tables, managed tables, and views. Since Spark views require a Spark engine to process the defining Spark SQL statement, and cannot be processed by a SQL engine, only databases and their contained external and managed tables that use the Parquet storage format are shared with the workspace SQL engines. Spark views are only shared among the Spark pool instances.
4545

4646
## Security model at a glance
4747

4848
[!INCLUDE [synapse-analytics-preview-features](../../../includes/synapse-analytics-preview-features.md)]
4949

50-
The Spark databases and tables, as well as their synchronized representations in the SQL engines are secured at the underlying storage level. When the table is queried by any of the engines that the query submitter has the right to use, the query submitter's security principal is being passed through, down to the underlying files, and permissions are checked at the file system level.
50+
The Spark databases and tables, along with their synchronized representations in the SQL engines, are secured at the underlying storage level. When the table is queried by any of the engines that the query submitter has the right to use, the query submitter's security principal is being passed through to the underlying files. Permissions are checked at the file system level.
5151

5252
For more information, see [Azure Synapse Analytics shared database](database.md).
5353

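Review bot: Line 50 still reads "is being passed through", which should become "is passed through" now that the sentence has been split. Since this paragraph is the article's security model, it should also state the consequence that the current wording only implies: metadata synchronization makes a Spark table visible in the SQL engines, but a query against it is authorized against the files in storage, so a principal without read permission on the underlying files can see the object in the catalog yet cannot read its data, and granting access to a synchronized table means granting storage permissions rather than SQL permissions. Also line 38, "Objects will have a slight delay of a few seconds until they appear in the SQL context", reads awkwardly; suggest "Objects appear in the SQL context after a delay of a few seconds."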
articles/synapse-analytics/metadata/table.md

Lines changed: 0 additions & 1 deletion
@@ -82,7 +82,6 @@ Spark tables provide different data types than the Synapse SQL engines. The foll
8282
| `array` | `varchar(max)` | Serializes into JSON with collation `Latin1_General_CP1_CI_AS_UTF8` |
8383
| `map` | `varchar(max)` | Serializes into JSON with collation `Latin1_General_CP1_CI_AS_UTF8` |
8484
| `struct` | `varchar(max)` | Serializes into JSON with collation `Latin1_General_CP1_CI_AS_UTF8` |
85-
|---|---|---|
8685

8786
<!-- TODO: Add precision and scale to the types mentioned above -->
8887

articles/synapse-analytics/security/how-to-connect-to-workspace-with-private-links.md

Lines changed: 11 additions & 4 deletions
@@ -1,5 +1,5 @@
11
---
2-
title: Connect to a Azure Synapse workspace using private links
2+
title: Connect to an Azure Synapse workspace using private links
33
description: This article will teach you how to connect to your Azure Synapse workspace using private links
44
author: RonyMSFT
55
ms.service: synapse-analytics
@@ -17,18 +17,25 @@ Select **Private endpoint connection** under **Security** and then select **+ Pr
1717
![Open Azure Synapse workspace in Azure portal](../media/security/private-endpoint-1.png)
1818

1919
## Step 2: Select your subscription and region details
20-
Under the **Basics** tab in the **Create a private endpoint** window, choose your **Subscription** and **Resource Group**. Give a **Name** to the private endpoint that you want to create. Select the **Region** where you want the private endpoint created. Private endpoints are created in a subnet. The subscription, resource group and region selected here filters the subnets that you can create the private endpoint in. Select **Next: Resource >** when done.
20+
Under the **Basics** tab in the **Create a private endpoint** window, choose your **Subscription** and **Resource Group**. Give a **Name** to the private endpoint that you want to create. Select the **Region** where you want the private endpoint created.
21+
22+
Private endpoints are created in a subnet. The subscription, resource group, and region selected filter the private endpoint subnets. Select **Next: Resource >** when done.
2123
![Select subscription and region details](../media/security/private-endpoint-2.png)
2224

2325

2426
## Step 3: Select your Azure Synapse workspace details
25-
Select **Connect to an Azure resource in my directory** in the **Resource** tab. Select the **Subscription** that contains your Azure Synapse workspace. The **Resource type** for creating private endpoints to an Azure Synapse workspace is *Microsoft.Synapse/workspaces*. Select your Azure Synapse workspace as the **Resource**. Every Azure Synapse workspace has three **Target sub-resource** that you can create a private endpoint to: Sql, SqlOnDemand, and Dev.
27+
Select **Connect to an Azure resource in my directory** in the **Resource** tab. Select the **Subscription** that contains your Azure Synapse workspace. The **Resource type** for creating private endpoints to an Azure Synapse workspace is *Microsoft.Synapse/workspaces*.
28+
29+
Select your Azure Synapse workspace as the **Resource**. Every Azure Synapse workspace has three **Target sub-resource** that you can create a private endpoint to: Sql, SqlOnDemand, and Dev.
2630

2731
Select **Next: Configuration>** to advance to the next part of the setup.
2832
![Select subscription and region details](../media/security/private-endpoint-3.png)
2933

3034

31-
In the **Configuration** tab, select the **Virtual network** and the **Subnet** in which the private endpoint should be created. You also need to create a DNS record that maps to the private endpoint. Select **Yes** for **Integrate with private DNS zone** to integrate your private endpoint with a private DNS zone. If you don't have a private DNS zone associated with your VNet, then a new private DNS zone is created. Select **Review + create** when done.
35+
In the **Configuration** tab, select the **Virtual network** and the **Subnet** in which the private endpoint should be created. You also need to create a DNS record that maps to the private endpoint.
36+
37+
38+
Select **Yes** for **Integrate with private DNS zone** to integrate your private endpoint with a private DNS zone. If you don't have a private DNS zone associated with your VNet, then a new private DNS zone is created. Select **Review + create** when done.
3239

3340
![Select subscription and region details](../media/security/private-endpoint-4.png)
3441

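Review bot: Line 22 changes the meaning of the original sentence: "The subscription, resource group, and region selected filter the private endpoint subnets" no longer says what is being filtered, whereas the original said these selections filter the subnets in which you can create the private endpoint. Suggest "The subscription, resource group, and region you select determine which subnets are offered for the private endpoint." Also in this hunk: line 29 should read "three **Target sub-resources**"; lines 36 and 37 leave two consecutive blank lines where one is enough; and the screenshot alt text on lines 32 and 40 still says "Select subscription and region details" for the workspace-details and configuration screens, so it should be updated to describe those steps.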
articles/synapse-analytics/security/how-to-create-managed-private-endpoints.md

Lines changed: 4 additions & 2 deletions
@@ -27,11 +27,13 @@ Select the data source type. In this case, the target data source is an ADLS gen
2727
![Select a target data source type](../media/security/managed-private-endpoint-3.png)
2828

2929
## Step 4: Enter information about the data source
30-
In the next window, enter information about the data source. In this example, we are creating a Managed private endpoint to an ADLS gen2 account. Enter a **Name** for the Managed private endpoint. Provide an **Azure subscription** and a **Storage account name**. Select **Create**.
30+
In the next window, enter information about the data source. In this example, we're creating a Managed private endpoint to an ADLS gen2 account. Enter a **Name** for the Managed private endpoint. Provide an **Azure subscription** and a **Storage account name**. Select **Create**.
3131
![Enter target data source details](../media/security/managed-private-endpoint-4.png)
3232

3333
## Step 5: Verify that your Managed private endpoint was successfully created
34-
After your request is submitted, you will see the status of your request. Verify that your Managed private endpoint was created successfully by checking its *Provisioning State*. You may need to wait 1 minute and select **Refresh** to update the provisioning state. You can see that the Managed private endpoint to the ADLS gen2 account was successfully created. You can also see that the *Approval State* is *Pending*. The owner of the target resource can approve or deny the private endpoint connection request. If the owner approves the private endpoint connection request then a private link is established. If denied, then a private link is not established.
34+
After submitting the request, you'll see its status. To verify the successful creation of your Managed private endpoint was created, check its *Provisioning State*. You may need to wait 1 minute and select **Refresh** to update the provisioning state. You can see that the Managed private endpoint to the ADLS gen2 account was successfully created.
35+
36+
You can also see that the *Approval State* is *Pending*. The owner of the target resource can approve or deny the private endpoint connection request. If the owner approves the private endpoint connection request, then a private link is established. If denied, then a private link isn't established.
3537
![Managed private endpoint creation request status](../media/security/managed-private-endpoint-5.png)
3638

3739

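Review bot: Line 34 is now ungrammatical: "To verify the successful creation of your Managed private endpoint was created, check its *Provisioning State*." Suggest "To verify that your Managed private endpoint was created successfully, check its *Provisioning State*." Splitting the approval workflow into its own paragraph (line 36) is an improvement, since it is a separate point: the target resource owner's approval is what establishes the private link, and a *Pending* approval state means no link exists yet.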
articles/synapse-analytics/security/how-to-grant-worspace-managed-identity-permissions.md

Lines changed: 12 additions & 12 deletions
@@ -12,45 +12,45 @@ ms.reviewer: jrasnick
1212

1313
# Grant permissions to workspace managed identity (preview)
1414

15-
This article teaches you how to grant permissions to the managed identity in Azure synapse workspace to access SQL Pools in the workspace and ADLS gen2 storage account using Azure portal.
15+
This article teaches you how to grant permissions to the managed identity in Azure synapse workspace. Permissions, in turn, allow access to SQL pools in the workspace and ADLS gen2 storage account through the Azure portal.
1616

1717
>[!NOTE]
1818
>This workspace managed identity will be referred to as managed identity through the rest of this document.
1919
20-
## Grant the managed identity permissions to the SQL pools
21-
The managed identity can be given permissions to the SQL Pools in the workspace. With the permissions granted, you can orchestrate pipelines that performs SQL Pool related activities. When you create an Azure Synapse workspace using Azure portal, you can grant the managed identity CONTROL permissions on SQL Pools.
20+
## Grant the managed identity permissions to the SQL pool
21+
The managed identity grants permissions to the SQL pools in the workspace. With permissions granted, you can orchestrate pipelines that perform SQL pool-related activities. When you create an Azure Synapse workspace using Azure portal, you can grant the managed identity CONTROL permissions on SQL pools.
2222

23-
Select **Security + networking** when you are creating your Azure Synapse workspace. Then select **Grant CONTROL to the workspace's managed identity on SQL pools**.
23+
Select **Security + networking** when you're creating your Azure Synapse workspace. Then select **Grant CONTROL to the workspace's managed identity on SQL pools**.
2424

25-
![CONTROL permission on SQL Pools](../media/security/configure-workspace-managed-identity-16.png)
25+
![CONTROL permission on SQL pools](../media/security/configure-workspace-managed-identity-16.png)
2626

2727
## Grant the managed identity permissions to ADLS gen2 storage account
28-
An ADLS gen2 storage account is required to create an Azure Synapse workspace. The Azure Synapse managed identity needs *Storage Blob Data Contributor* role on this storage account to successfully launch Spark pools in Azure Synapse workspace. Pipeline orchestration in Azure Synapse also benefits from this role.
28+
An ADLS gen2 storage account is required to create an Azure Synapse workspace. To successfully launch Spark pools in Azure Synapse workspace, the Azure Synapse managed identity needs the *Storage Blob Data Contributor* role on this storage account . Pipeline orchestration in Azure Synapse also benefits from this role.
2929

3030
### Grant permissions to managed identity during workspace creation
31-
Azure Synapse will attempt to grant Storage Blob Data Contributor role to the managed identity when the Azure Synapse workspace is created using Azure portal. You provide the ADLS gen2 storage account details in the **Basics** tab.
31+
Azure Synapse will attempt to grant the Storage Blob Data Contributor role to the managed identity after you create the Azure Synapse workspace using Azure portal. You provide the ADLS gen2 storage account details in the **Basics** tab.
3232

3333
![Basics tab in workspace creation flow](../media/security/configure-workspace-managed-identity-1.png)
3434

3535
Choose the ADLS gen2 storage account and filesystem in **Account name** and **File system name**.
3636

3737
![Providing an ADLS gen2 storage account details](../media/security/configure-workspace-managed-identity-2.png)
3838

39-
If the workspace creator is also **Owner** of the ADLS gen2 storage account then Azure Synapse will assign the *Storage Blob Data Contributor* role to the managed identity. You will see the following message below the storage account details that you entered.
39+
If the workspace creator is also **Owner** of the ADLS gen2 storage account, then Azure Synapse will assign the *Storage Blob Data Contributor* role to the managed identity. You'll see the following message below the storage account details that you entered.
4040

4141
![Successful Storage Blob Data Contributor assignment](../media/security/configure-workspace-managed-identity-3.png)
4242

43-
If the workspace creator is not the owner of the ADLS gen2 storage account, then Azure Synapse does not assign the *Storage Blob Data Contributor* role to the managed identity. The message below the storage account details lets the workspace creator know that they do not have sufficient permissions to grant the *Storage Blob Data Contributor* role to the managed identity.
43+
If the workspace creator isn't the owner of the ADLS gen2 storage account, then Azure Synapse doesn't assign the *Storage Blob Data Contributor* role to the managed identity. The message appearing below the storage account details notifies the workspace creator that they don't have sufficient permissions to grant the *Storage Blob Data Contributor* role to the managed identity.
4444

4545
![Unsuccessful Storage Blob Data Contributor assignment](../media/security/configure-workspace-managed-identity-4.png)
4646

47-
As the message above states, you cannot create spark pools unless the *Storage Blob Data Contributor* is assigned to the managed identity.
47+
As the message states, you can't create Spark pools unless the *Storage Blob Data Contributor* is assigned to the managed identity.
4848

4949
### Grant permissions to managed identity after workspace creation
50-
if the *Storage Blob Data contributor* role could not be assigned to the managed identity during workspace creation, then the **Owner** of the ADLS gen2 storage account needs to manually assign that role to the identity. Follow these steps to accomplish that.
50+
During workspace creation, if you don't assign the *Storage Blob Data contributor* to the managed identity, then the **Owner** of the ADLS gen2 storage account manually assigns that role to the identity. The following steps will help you to accomplish manual assignment.
5151

5252
#### Step 1: Navigate to the ADLS gen2 storage account in Azure portal
53-
In Azure portal, open the ADLS gen2 storage account and select **Overview** from the left navigation. The *Storage Blob Data Contributor* role only needs to be assigned at the container or filesystem level. Select **Containers**.
53+
In Azure portal, open the ADLS gen2 storage account and select **Overview** from the left navigation. You'll only need to assign The *Storage Blob Data Contributor* role at the container or filesystem level. Select **Containers**.
5454
![ADLS gen2 storage account overview](../media/security/configure-workspace-managed-identity-5.png)
5555

5656
#### Step 2: Select the container
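Review bot: Several rewrites in this hunk change what the text states, and two of them invert the security relationship being described. Line 15, "Permissions, in turn, allow access to SQL pools in the workspace and ADLS gen2 storage account through the Azure portal", says access happens through the portal, whereas the original said the permissions are granted using the portal; suggest "This article teaches you how to use the Azure portal to grant the workspace managed identity permissions on the SQL pools and the ADLS gen2 storage account" (and "Azure synapse" should be "Azure Synapse"). Line 21, "The managed identity grants permissions to the SQL pools in the workspace", reverses subject and object: the identity is the principal being granted permissions, as the heading and the following sentence say; keep "The managed identity can be granted permissions on the SQL pools in the workspace." Line 20 changes the heading to "SQL pool" while the body and the portal option on line 23 still say "SQL pools". Line 28 has a stray space before the period in "storage account ." Line 31, "after you create the Azure Synapse workspace", contradicts the section heading ("during workspace creation") and the original "when the workspace is created". Line 50, "if you don't assign the *Storage Blob Data contributor* to the managed identity", attributes the assignment to the reader, whereas lines 31 and 43 say Azure Synapse attempts it and it fails when the creator is not the storage account owner; suggest "If the *Storage Blob Data Contributor* role could not be assigned during workspace creation, the **Owner** of the ADLS gen2 storage account must assign it manually", with "Contributor" capitalized and "role" restored. Line 53, "assign The *Storage Blob Data Contributor* role", needs a lower-case "the"; the retained statement that the role only needs to be assigned at the container or filesystem level is worth keeping prominent, since it scopes the identity's access to that container rather than the whole storage account.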