articles/synapse-analytics/security/synapse-workspace-synapse-rbac.md
13 additions & 13 deletions
@@ -3,9 +3,9 @@ title: Azure Synapse role-based access control
3
3
description: An article that explains role-based access control in Azure Synapse Analytics
4
4
author: meenalsri
5
5
ms.service: azure-synapse-analytics
6
-
ms.topic: conceptual
6
+
ms.topic: concept-article
7
7
ms.subservice: security
8
-
ms.date: 3/07/2022
8
+
ms.date: 02/18/2025
9
9
ms.author: mesrivas
10
10
ms.reviewer: whhender, wiassaf
11
11
---
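Review bot: the unchanged `description` line ("An article that explains role-based access control in Azure Synapse Analytics") is generic and is left as-is while `ms.topic` and `ms.date` are refreshed around it. Since the front matter is being touched anyway, consider rewording it to say what the reader learns, for example that the article covers role assignments, scopes, and who can assign Synapse RBAC roles, all of which appear in the body.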
@@ -19,7 +19,7 @@ Synapse RBAC is used to manage who can:
19
19
- Publish code artifacts and list or access published code artifacts,
20
20
- Execute code on Apaches Spark pools and Integration runtimes,
21
21
- Access linked (data) services protected by credentials
22
-
- Monitor or cancel job execution, review job output, and execution logs.
22
+
- Monitor or cancel job execution, review job output, and execution logs.
23
23
24
24
>[!Note]
25
25
>While Synapse RBAC is used to manage access to published SQL scripts, it provides only limited access control to serverless and dedicated SQL pools. Access to SQL pools is primarily controlled using SQL security.
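Review bot: the unchanged context line two above the edit still reads "Execute code on Apaches Spark pools and Integration runtimes," and "Apaches" should be "Apache". While this list is open, its terminal punctuation is also inconsistent: two items end with a comma, "Access linked (data) services protected by credentials" has no terminator, and the edited last item ends with a period.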
@@ -30,10 +30,10 @@ Here are some examples of what you can do with Synapse RBAC:
30
30
- Allow a user to publish changes made to Apache Spark notebooks and jobs to the live service.
31
31
- Allow a user to run and cancel notebooks and spark jobs on a specific Apache Spark pool.
32
32
- Allow a user to use specific credentials so they can run pipelines secured by the workspace system identity and access data in linked services secured with credentials.
33
-
- Allow an administrator to manage, monitor, and cancel job execution on specific Spark Pools.
33
+
- Allow an administrator to manage, monitor, and cancel job execution on specific Spark Pools.
34
34
35
35
## How Synapse RBAC works
36
-
Like Azure RBAC, Synapse RBAC works by creating role assignments. A role assignment consists of three elements: a security principal, a role definition, and a scope.
36
+
Like Azure RBAC, Synapse RBAC works by creating role assignments. A role assignment consists of three elements: a security principal, a role definition, and a scope.
37
37
38
38
### Security Principals
39
39
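Review bot: product casing is inconsistent across the bullets in this hunk: "spark jobs" and "Spark Pools" sit next to "Apache Spark notebooks" and "Apache Spark pool". The re-added "Allow an administrator to manage, monitor, and cancel job execution on specific Spark Pools." line is a good place to settle on "Spark pools", with "Spark jobs" fixed in the bullet two lines above it.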
@@ -47,13 +47,13 @@ Synapse provides built-in roles that define collections of actions that match th
47
47
- Administrators can get full access to create and configure a workspace
48
48
- Developers can create, update and debug SQL scripts, notebooks, pipelines, and dataflows, but not be able to publish or execute this code on production compute resources/data
49
49
- Operators can monitor and manage system status, application execution and review logs, without access to code or the outputs from execution.
50
-
- Security staff can manage and configure endpoints without having access to code, compute resources or data.
50
+
- Security staff can manage and configure endpoints without having access to code, compute resources, or data.
51
51
52
52
[Learn more](./synapse-workspace-synapse-rbac-roles.md) about the built-in Synapse roles.
53
53
54
54
### Scopes
55
55
56
-
A _scope_ defines the resources or artifacts that the access applies to. Azure Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.
56
+
A _scope_ defines the resources or artifacts that the access applies to. Azure Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.
57
57
58
58
Current supported scopes within a workspace are:
59
59
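Review bot: the serial comma added on the Security staff bullet ("compute resources, or data") is not applied to the neighbouring bullets, so the list is now mixed: the Developers bullet still reads "create, update and debug" and the Operators bullet "system status, application execution and review logs". The Developers bullet would also read better as "but can't publish or execute this code" instead of "but not be able to publish or execute this code", since these bullets describe what each role is and is not permitted to do.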
@@ -62,23 +62,23 @@ Current supported scopes within a workspace are:
62
62
- linked service
63
63
- credential
64
64
65
-
Access to code artifacts is granted with workspace scope. Granting access to collections of artifacts within a workspace will be supported in a later release.
65
+
Access to code artifacts is granted with workspace scope. Granting access to collections of artifacts within a workspace will be supported in a later release.
66
66
67
67
## Resolving role assignments to determine permissions
68
68
69
69
A role assignment grants a principal the permissions defined by the role at the specified scope.
70
70
71
-
Synapse RBAC is an additive model like Azure RBAC. Multiple roles may be assigned to a single principal and at different scopes. When computing the permissions of a security principal, the system considers all roles assigned to the principal and to groups that directly or indirectly include the principal. It also considers the scope of each assignment in determining the permissions that apply.
71
+
Synapse RBAC is an additive model like Azure RBAC. Multiple roles may be assigned to a single principal and at different scopes. When computing the permissions of a security principal, the system considers all roles assigned to the principal and to groups that directly or indirectly include the principal. It also considers the scope of each assignment in determining the permissions that apply.
72
72
73
73
## Enforcing assigned permissions
74
74
75
75
In Synapse Studio, specific buttons or options may be grayed out or a permissions error may be returned when attempting an action if you don't have the required permissions.
76
76
77
-
If a button or option is disabled, hovering over the button or option shows a tooltip with the required permission. Contact a Synapse Administrator to assign a role that grants the required permission. You can see the roles that provide specific actions, see [Synapse RBAC Roles](./synapse-workspace-synapse-rbac-roles.md).
77
+
If a button or option is disabled, hovering over the button or option shows a tooltip with the required permission. Contact a Synapse Administrator to assign a role that grants the required permission. You can see the roles that provide specific actions, see [Synapse RBAC Roles](./synapse-workspace-synapse-rbac-roles.md).
78
78
79
79
## Who can assign Synapse RBAC roles?
80
80
81
-
Synapse Administrators can assign Synapse RBAC roles. A Synapse Administrator at the workspace level can grant access at any scope. A Synapse Administrator at a lower-level scope can only grant access at that scope.
81
+
Synapse Administrators can assign Synapse RBAC roles. A Synapse Administrator at the workspace level can grant access at any scope. A Synapse Administrator at a lower-level scope can only grant access at that scope.
82
82
83
83
When a new workspace is created, the creator is automatically given the Synapse Administrator role at workspace scope.
84
84
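Review bot: "Granting access to collections of artifacts within a workspace will be supported in a later release." is re-added with identical wording in a commit that moves `ms.date` from 3/07/2022 to 02/18/2025, so a forward-looking statement now carries a fresh review date. Please confirm it is still accurate or drop it, because readers scoping access to code artifacts rely on this paragraph to know that workspace scope is the only option. In the same hunk, "You can see the roles that provide specific actions, see [Synapse RBAC Roles]" is a run-on; "To see which roles provide specific actions, see [Synapse RBAC Roles]" would fix it.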
@@ -88,10 +88,10 @@ To help you regain access to a workspace in the event that no Synapse Administra
88
88
89
89
Synapse RBAC is managed from within Synapse Studio using the access control tools in the **Manage** hub.
90
90
91
-
## Next steps
91
+
## Related content
92
92
93
93
Understand the built-in [Synapse RBAC roles](./synapse-workspace-synapse-rbac-roles.md).
94
94
95
95
Learn [how to review Synapse RBAC role assignments](./how-to-review-synapse-rbac-role-assignments.md) for a workspace.
96
96
97
-
Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md)
97
+
Learn [how to assign Synapse RBAC roles](./how-to-manage-synapse-rbac-role-assignments.md).
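Review bot: the heading is renamed to "Related content" but the three entries under it remain separate imperative sentences ("Understand the built-in ...", "Learn how to review ...", "Learn how to assign ..."), which reads as a leftover from "Next steps". Consider turning them into a bulleted list of links so the section matches its new title; the period added on the last entry would then be unnecessary.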