MicrosoftDocs
diff --git a/‎articles/synapse-analytics/security/how-to-grant-workspace-managed-identity-permissions.md
Lines changed: 62 additions & 24 deletions b/‎articles/synapse-analytics/security/how-to-grant-workspace-managed-identity-permissions.md
Lines changed: 62 additions & 24 deletions
diff --git a/‎articles/synapse-analytics/sql/best-practices-serverless-sql-pool.md
Lines changed: 64 additions & 32 deletions b/‎articles/synapse-analytics/sql/best-practices-serverless-sql-pool.md
Lines changed: 64 additions & 32 deletions
@@ -1,45 +1,44 @@
 ---
-title: Grant permissions to managed identity in Synapse workspace 
-description: An article that explains how to configure permissions for managed identity in Azure Synapse workspace. 
+title: Grant permissions to managed identity in Synapse workspace
+description: An article that explains how to configure permissions for managed identity in Azure Synapse workspace.
 author: meenalsri
-ms.service: synapse-analytics 
-ms.topic: how-to
-ms.subservice: security 
-ms.date: 04/15/2020 
 ms.author: mesrivas
 ms.reviewer: sngun
+ms.date: 09/01/2022
+ms.service: synapse-analytics
+ms.subservice: security
+ms.topic: how-to
 ms.custom: subject-rbac-steps
 ---
 
-
 # Grant permissions to workspace managed identity
 
 This article teaches you how to grant permissions to the managed identity in Azure synapse workspace. Permissions, in turn, allow access to dedicated SQL pools in the workspace and ADLS Gen2 storage account through the Azure portal.
 
->[!NOTE]
->This workspace managed identity will be referred to as managed identity through the rest of this document.
+> [!NOTE]  
+> This workspace managed identity will be referred to as managed identity through the rest of this document.
 
 ## Grant the managed identity permissions to ADLS Gen2 storage account
 
-An ADLS Gen2 storage account is required to create an Azure Synapse workspace. To successfully launch Spark pools in Azure Synapse workspace, the Azure Synapse managed identity needs the *Storage Blob Data Contributor* role on this storage account . Pipeline orchestration in Azure Synapse also benefits from this role.
+An ADLS Gen2 storage account is required to create an Azure Synapse workspace. To successfully launch Spark pools in Azure Synapse workspace, the Azure Synapse managed identity needs the *Storage Blob Data Contributor* role on this storage account. Pipeline orchestration in Azure Synapse also benefits from this role.
 
 ### Grant permissions to managed identity during workspace creation
 
 Azure Synapse will attempt to grant the Storage Blob Data Contributor role to the managed identity after you create the Azure Synapse workspace using Azure portal. You provide the ADLS Gen2 storage account details in the **Basics** tab.
 
-![Basics tab in workspace creation flow](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-1.png)
+:::image type="content" source="./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-1.png" alt-text="Screenshot of the Basics tab in workspace creation flow.":::
 
 Choose the ADLS Gen2 storage account and filesystem in **Account name** and **File system name**.
 
-![Providing an ADLS Gen2 storage account details](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-2.png)
+:::image type="content" source="./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-2.png" alt-text="Screenshot of providing the ADLS Gen2 storage account details.":::
 
 If the workspace creator is also **Owner** of the ADLS Gen2 storage account, then Azure Synapse will assign the *Storage Blob Data Contributor* role to the managed identity. You'll see the following message below the storage account details that you entered.
 
-![Successful Storage Blob Data Contributor assignment](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-3.png)
+:::image type="content" source="./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-3.png" alt-text="Screenshot of the successful storage blob data contributor assignment.":::
 
 If the workspace creator isn't the owner of the ADLS Gen2 storage account, then Azure Synapse doesn't assign the *Storage Blob Data Contributor* role to the managed identity. The message appearing below the storage account details notifies the workspace creator that they don't have sufficient permissions to grant the *Storage Blob Data Contributor* role to the managed identity.
 
-![Unsuccessful Storage Blob Data Contributor assignment](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-4.png)
+:::image type="content" source="./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-4.png" alt-text="Screenshot of an unsuccessful storage blob data contributor assignment, with the error box highlighted.":::
 
 As the message states, you can't create Spark pools unless the *Storage Blob Data Contributor* is assigned to the managed identity.
 
@@ -49,17 +48,19 @@ During workspace creation, if you don't assign the *Storage Blob Data contributo
 
 #### Step 1: Navigate to the ADLS Gen2 storage account in Azure portal
 
-In Azure portal, open the ADLS Gen2 storage account and select **Overview** from the left navigation. You'll only need to assign The *Storage Blob Data Contributor* role at the container or filesystem level. Select **Containers**.  
-![ADLS Gen2 storage account overview](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-5.png)
+In Azure portal, open the ADLS Gen2 storage account and select **Overview** from the left navigation. You'll only need to assign The *Storage Blob Data Contributor* role at the container or filesystem level. Select **Containers**.
+  
+:::image type="content" source="./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-5.png" alt-text="Screenshot of the Azure portal, of the Overview of the ADLS Gen2 storage account.":::
 
 #### Step 2: Select the container
 
 The managed identity should have data access to the container (file system) that was provided when the workspace was created. You can find this container or file system in Azure portal. Open the Azure Synapse workspace in Azure portal and select the **Overview** tab from the left navigation.
-![ADLS Gen2 storage account container](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-7.png)
 
+:::image type="content" source="./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-7.png" alt-text="Screenshot of the Azure portal showing the name of the ADLS Gen2 storage file 'contosocontainer'.":::
 
 Select that same container or file system to grant the *Storage Blob Data Contributor* role to the managed identity.
-![Screenshot that shows the container or file system that you should select.](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-6.png)
+
+:::image type="content" source="./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-6.png" alt-text="Screenshot that shows the container or file system that you should select.":::
 
 #### Step 3: Open Access control and add role assignment
 
@@ -68,29 +69,66 @@ Select that same container or file system to grant the *Storage Blob Data Contri
 1. Select **Add** > **Add role assignment** to open the Add role assignment page.
 
 1. Assign the following role. For detailed steps, see [Assign Azure roles using the Azure portal](../../role-based-access-control/role-assignments-portal.md).
-    
+
     | Setting | Value |
     | --- | --- |
     | Role | Storage Blob Data Contributor |
     | Assign access to | MANAGEDIDENTITY |
     | Members | managed identity name  |
 
-    > [!NOTE]
+    > [!NOTE]  
     > The managed identity name is also the workspace name.
 
-    ![Add role assignment page in Azure portal.](../../../includes/role-based-access-control/media/add-role-assignment-page.png)
+    :::image type="content" source="../../../includes/role-based-access-control/media/add-role-assignment-page.png" alt-text="Screenshot of the add role assignment page in the Azure portal.":::
 
 1. Select **Save** to add the role assignment.
 
 #### Step 4: Verify that the Storage Blob Data Contributor role is assigned to the managed identity
 
 Select **Access Control(IAM)** and then select **Role assignments**.
 
-![Verify role assignment](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-14.png)
+:::image type="content" source="./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-14.png" alt-text="Screenshot of the Role Assignments button in the Azure portal, used to verify role assignment.":::
+
+You should see your managed identity listed under the **Storage Blob Data Contributor** section with the *Storage Blob Data Contributor* role assigned to it.  
+:::image type="content" source="./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-15.png" alt-text="Screenshot of the Azure portal, showing ADLS Gen2 storage account container selection.":::
+
+#### Alternative to Storage Blob Data Contributor role
+
+Instead of granting yourself a Storage Blob Data Contributor role, you can also grant more granular permissions on a subset of files.
+
+All users who need access to some data in this container also must have EXECUTE permission on all parent folders up to the root (the container).
+
+Learn more about how to [set ACLs in Azure Data Lake Storage Gen2](../../storage/blobs/data-lake-storage-explorer-acl.md).
 
-You should see your managed identity listed under the **Storage Blob Data Contributor** section with the *Storage Blob Data Contributor* role assigned to it. 
-![ADLS Gen2 storage account container selection](./media/how-to-grant-workspace-managed-identity-permissions/configure-workspace-managed-identity-15.png)
+> [!NOTE]  
+> Execute permission on the container level must be set within Data Lake Storage Gen2.
+> Permissions on the folder can be set within Azure Synapse.
+
+If you want to query data2.csv in this example, the following permissions are needed:
+
+   - Execute permission on container
+   - Execute permission on folder1
+   - Read permission on data2.csv
+
+:::image type="content" source="../sql/media/resources-self-help-sql-on-demand/folder-structure-data-lake.png" alt-text="Diagram that shows permission structure on data lake.":::
+
+1. Sign in to Azure Synapse with an admin user that has full permissions on the data you want to access.
+1. In the data pane, right-click the file and select **Manage access**.
+
+   :::image type="content" source="../sql/media/resources-self-help-sql-on-demand/manage-access.png" alt-text="Screenshot that shows the manage access option.":::
+
+1. Select at least **Read** permission. Enter the user's UPN or object ID, for example, [email protected]. Select **Add**.
+1. Grant read permission for this user.
+
+   :::image type="content" source="../sql/media/resources-self-help-sql-on-demand/grant-permission.png" alt-text="Screenshot that shows granting read permissions.":::
+
+> [!NOTE]  
+> For guest users, this step needs to be done directly with Azure Data Lake because it can't be done directly through Azure Synapse.
 
 ## Next steps
 
 Learn more about [Workspace managed identity](../../data-factory/data-factory-service-identity.md?context=/azure/synapse-analytics/context/context&tabs=synapse-analytics)
+
+- [Best practices for dedicated SQL pools](../sql/best-practices-dedicated-sql-pool.md)
+- [Troubleshoot serverless SQL pool in Azure Synapse Analytics](../sql/resources-self-help-sql-on-demand.md)
+- [Azure Synapse Analytics frequently asked questions](../overview-faq.yml)
@@ -1,14 +1,14 @@
 ---
 title: Best practices for serverless SQL pool
-description: Recommendations and best practices for working with serverless SQL pool. 
+description: Recommendations and best practices for working with serverless SQL pool.
 author: filippopovic
+ms.author: fipopovi
 manager: craigg
+ms.reviewer: sngun, wiassaf
+ms.date: 09/01/2022
 ms.service: synapse-analytics
-ms.topic: conceptual
 ms.subservice: sql
-ms.date: 05/01/2020
-ms.author: fipopovi
-ms.reviewer: sngun
+ms.topic: conceptual
 ---
 
 # Best practices for serverless SQL pool in Azure Synapse Analytics
@@ -51,7 +51,7 @@ Multiple applications and services might access your storage account. Storage th
 
 When throttling is detected, serverless SQL pool has built-in handling to resolve it. Serverless SQL pool makes requests to storage at a slower pace until throttling is resolved.
 
-> [!TIP]
+> [!TIP]  
 > For optimal query execution, don't stress the storage account with other workloads during query execution.
 
 ### Prepare files for querying
@@ -66,11 +66,7 @@ If possible, you can prepare files for better performance:
 
 ### Colocate your Azure Cosmos DB analytical storage and serverless SQL pool
 
-Make sure your Azure Cosmos DB analytical storage is placed in the same region as an Azure Synapse workspace. Cross-region queries might cause huge latencies. Use the region property in the connection string to explicitly specify the region where the analytical store is placed (see [Query Azure Cosmos DB by using serverless SQL pool](query-cosmos-db-analytical-store.md#overview)):
-
-```
-'account=<database account name>;database=<database name>;region=<region name>'
-```
+Make sure your Azure Cosmos DB analytical storage is placed in the same region as an Azure Synapse workspace. Cross-region queries might cause huge latencies. Use the region property in the connection string to explicitly specify the region where the analytical store is placed (see [Query Azure Cosmos DB by using serverless SQL pool](query-cosmos-db-analytical-store.md#overview)): `account=<database account name>;database=<database name>;region=<region name>'`
 
 ## CSV optimizations
 
@@ -90,7 +86,7 @@ Here are best practices for using data types in serverless SQL pool.
 
 ### Use appropriate data types
 
-The data types you use in your query affect performance and concurrency. You can get better performance if you follow these guidelines: 
+The data types you use in your query affect performance and concurrency. You can get better performance if you follow these guidelines:
 
 - Use the smallest data size that can accommodate the largest possible value.
   - If the maximum character value length is 30 characters, use a character data type of length 30.
@@ -111,15 +107,15 @@ You can use [sp_describe_first_results_set](/sql/relational-databases/system-sto
 
 The following example shows how you can optimize inferred data types. This procedure is used to show the inferred data types:
 
-```sql  
+```sql
 EXEC sp_describe_first_result_set N'
-	SELECT
+    SELECT
         vendor_id, pickup_datetime, passenger_count
-	FROM 
-		OPENROWSET(
-        	BULK ''https://sqlondemandstorage.blob.core.windows.net/parquet/taxi/*/*/*'',
-	        FORMAT=''PARQUET''
-    	) AS nyc';
+    FROM  
+        OPENROWSET(
+            BULK ''https://sqlondemandstorage.blob.core.windows.net/parquet/taxi/*/*/*'',
+            FORMAT=''PARQUET''
+        ) AS nyc';
 ```
 
 Here's the result set:
@@ -132,19 +128,19 @@ Here's the result set:
 
 After you know the inferred data types for the query, you can specify appropriate data types:
 
-```sql  
+```sql
 SELECT
     vendorID, tpepPickupDateTime, passengerCount
-FROM 
-	OPENROWSET(
-		BULK 'https://azureopendatastorage.blob.core.windows.net/nyctlc/yellow/puYear=2018/puMonth=*/*.snappy.parquet',
-		FORMAT='PARQUET'
-    ) 
-	WITH (
-		vendorID varchar(4), -- we used length of 4 instead of the inferred 8000
-		tpepPickupDateTime datetime2,
-		passengerCount int
-	) AS nyc;
+FROM  
+    OPENROWSET(
+        BULK 'https://azureopendatastorage.blob.core.windows.net/nyctlc/yellow/puYear=2018/puMonth=*/*.snappy.parquet',
+        FORMAT='PARQUET'
+    )  
+    WITH (
+        vendorID varchar(4), -- we used length of 4 instead of the inferred 8000
+        tpepPickupDateTime datetime2,
+        passengerCount int
+    ) AS nyc;
 ```
 
 ## Filter optimization
@@ -161,7 +157,7 @@ Data is often organized in partitions. You can instruct serverless SQL pool to q
 
 For more information, read about the [filename](query-data-storage.md#filename-function) and [filepath](query-data-storage.md#filepath-function) functions and see the examples for [querying specific files](query-specific-files.md).
 
-> [!TIP]
+> [!TIP]  
 > Always cast the results of the filepath and filename functions to appropriate data types. If you use character data types, be sure to use the appropriate length.
 
 Functions used for partition elimination, filepath and filename, aren't currently supported for external tables, other than those created automatically for each table created in Apache Spark for Azure Synapse Analytics.
@@ -186,6 +182,42 @@ You can use CETAS to materialize frequently used parts of queries, like joined r
 
 As CETAS generates Parquet files, statistics are automatically created when the first query targets this external table. The result is improved performance for subsequent queries targeting table generated with CETAS.
 
+## Query Azure data
+
+Serverless SQL pools enable you to query data in Azure Storage or Azure Cosmos DB by using [external tables and the OPENROWSET function](develop-storage-files-overview.md).  Make sure that you have proper [permission set up](develop-storage-files-overview.md#permissions) on your storage.
+
+### Query CSV data
+
+Learn how to [query a single CSV file](query-single-csv-file.md) or [folders and multiple CSV files](query-folders-multiple-csv-files.md). You can also [query partitioned files](query-specific-files.md)
+
+### Query Parquet data
+
+Learn how to [query Parquet files](query-parquet-files.md) with [nested types](query-parquet-nested-types.md). You can also [query partitioned files](query-specific-files.md).
+
+### Query Delta Lake
+
+Learn how to [query Delta Lake files](query-delta-lake-format.md) with [nested types](query-parquet-nested-types.md).
+
+### Query Azure Cosmos DB data
+
+Learn how to [query Azure Cosmos DB analytical store](query-cosmos-db-analytical-store.md). You can use an [online generator](https://htmlpreview.github.io/?https://github.com/Azure-Samples/Synapse/blob/main/SQL/tools/cosmosdb/generate-openrowset.html) to generate the WITH clause based on a sample Azure Cosmos DB document. You can [create views](create-use-views.md#cosmosdb-view) on top of Azure Cosmos DB containers.
+
+### Query JSON data
+
+Learn how to [query JSON files](query-json-files.md). You can also [query partitioned files](query-specific-files.md).
+
+### Create views, tables, and other database objects
+
+Learn how to create and use [views](create-use-views.md) and [external tables](create-use-external-tables.md) or set up [row-level security](https://techcommunity.microsoft.com/t5/azure-synapse-analytics-blog/how-to-implement-row-level-security-in-serverless-sql-pools/ba-p/2354759).
+If you have [partitioned files](query-specific-files.md), make sure you use [partitioned views](create-use-views.md#partitioned-views).
+
+### Copy and transform data (CETAS)
+
+Learn how to [store query results to storage](create-external-table-as-select.md) by using the CETAS command.
+
 ## Next steps
 
-Review the [troubleshooting](resources-self-help-sql-on-demand.md) article for solutions to common problems. If you're working with a dedicated SQL pool rather than serverless SQL pool, see [Best practices for dedicated SQL pools](best-practices-dedicated-sql-pool.md) for specific guidance.
+- Review the [troubleshooting serverless SQL pools](resources-self-help-sql-on-demand.md) article for solutions to common problems.  
+- If you're working with a dedicated SQL pool rather than serverless SQL pool, see [Best practices for dedicated SQL pools](best-practices-dedicated-sql-pool.md) for specific guidance.
+- [Azure Synapse Analytics frequently asked questions](../overview-faq.yml)
+- [Grant permissions to workspace managed identity](../security/how-to-grant-workspace-managed-identity-permissions.md)