Wednesday, September 15, 2021

Azure Synapse Analytics RBAC roles are now Generally Available

Synapse RBAC roles provide sets of permissions that can be applied at scopes such as Workspace, Apache Spark pools, Integration Runtime, Linked Services, and Credentials.

 

The following Synapse RBAC roles are now generally available for use in production:

  • Synapse Contributor
  • Synapse Artifact Publisher
  • Synapse Artifact User
  • Synapse Compute Operator
  • Synapse Credential User
  • Synapse Linked Data Manager
  • Synapse User

These RBAC roles let you secure:

  • Access to code and configuration such as SQL scripts, Notebooks, and Linked Services
  • Code execution on Spark pools and Integration Runtimes
  • Monitoring and managing execution of Notebooks, Spark jobs, and pipelines

Learn more about Synapse RBAC roles here.

 

Additional considerations

  • SQL permissions are required for execution of scripts on SQL pools.
  • Read this document to learn how Azure RBAC, Synapse RBAC, and SQL permissions work with each other. 

 

Synapse RBAC roles for Data Engineers

Data Engineers typically focus on design and preparation of ETL/ELT pipelines, and data ingestion/export processes.

 

Grant the following Synapse RBAC roles to data engineers:

  • Synapse Artifact Publisher
  • Synapse Compute Operator on Spark pools or Integration runtimes
  • Synapse Credential User on WorkspaceSystemIdentity credential

 

Additional considerations

  • If data engineers in your organization also need to create or manage Apache Spark pools, Integration runtimes, or SQL pools in Synapse workspaces, then you can grant the Azure Owner or Contributor (Azure RBAC) role on the workspace or resource-group to these personas.
  • SQL permissions and the Storage Blob Data Contributor (Azure RBAC) role on primary ADLS gen 2 account may also be required depending on your specific use case.

 

Synapse RBAC roles for Data Analysts

Data Analysts develop business reports & dashboards, and perform ad-hoc data analysis tasks using Notebooks or T-SQL scripts.

 

Grant the following Synapse RBAC roles to data analysts:

  • Synapse Artifact Publisher
  • Synapse Compute Operator on Spark pools or Integration runtimes

 

Additional considerations

Data Analysts may also require SQL permissions and the Storage Blob Data Contributor (Azure RBAC) role on primary ADLS gen 2 account for your specific use case. 

 

Synapse RBAC roles for Cloud Administrators/Engineers

Cloud Administrators/Engineers maintain and secure operation of Synapse workspaces by creating role assignments, firewall rules, managed private endpoints, and linked services.

 

Grant the following Synapse RBAC roles to Cloud Administrators/Engineers:

  • Synapse Administrator
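
An added example, not part of the original post or of Microsoft's tooling: a Python check that compares a role-assignment inventory against the persona baselines listed above and reports assignments whose role or scope falls outside them. The record fields (`principal`, `persona`, `role`, `scope`), the persona keys, and the `workspaces/<name>/<itemType>/<item>` scope syntax are assumptions; the sample records are constructed.

```python
import re

# Persona baselines as listed in the post. Each role maps to the scope labels
# the post names for it; None means the post names no narrower scope.
POOL_OR_IR = {"bigDataPools", "integrationRuntimes"}
BASELINE = {
    "data_engineer": {
        "Synapse Artifact Publisher": None,
        "Synapse Compute Operator": POOL_OR_IR,
        "Synapse Credential User": {"credentials/WorkspaceSystemIdentity"},
    },
    "data_analyst": {
        "Synapse Artifact Publisher": None,
        "Synapse Compute Operator": POOL_OR_IR,
    },
    "cloud_admin": {"Synapse Administrator": None},
}

# Assumed scope syntax: workspaces/<ws>[/<itemType>/<item>]
SCOPE_RE = re.compile(r"^workspaces/[^/]+(?:/(?P<type>[^/]+)/(?P<item>[^/]+))?$")

def scope_labels(scope):
    """Labels a scope can satisfy, or None if it does not parse."""
    m = SCOPE_RE.match(scope)
    if m is None:
        return None
    if m["type"] is None:
        return {"workspace"}
    return {m["type"], f"{m['type']}/{m['item']}"}

def audit(assignments):
    findings = []  # (principal, reason) for each assignment outside its baseline
    for a in assignments:
        allowed = BASELINE.get(a["persona"], {})
        labels = scope_labels(a["scope"])
        if a["role"] not in allowed:
            findings.append((a["principal"], "role outside persona baseline"))
        elif labels is None:
            findings.append((a["principal"], "unparseable scope"))
        elif allowed[a["role"]] is not None and not labels & allowed[a["role"]]:
            findings.append((a["principal"], "scope outside persona baseline"))
    return findings

# Constructed sample inventory (not real principals or workspaces).
SAMPLE = [
    {"principal": "alice", "persona": "data_engineer", "role": "Synapse Compute Operator", "scope": "workspaces/ws1/bigDataPools/pool1"},
    {"principal": "bob", "persona": "data_analyst", "role": "Synapse Compute Operator", "scope": "workspaces/ws1"},
    {"principal": "carol", "persona": "data_analyst", "role": "Synapse Administrator", "scope": "workspaces/ws1"},
    {"principal": "dave", "persona": "data_engineer", "role": "Synapse Credential User", "scope": "workspaces/ws1/credentials/otherCred"},
]
```

Running `audit(SAMPLE)` flags bob (Compute Operator at workspace scope instead of a pool or runtime), carol (a role outside the analyst baseline), and dave (Credential User on a credential other than WorkspaceSystemIdentity).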

 

To learn more

  • Users with Synapse RBAC roles may also require Azure RBAC roles to create Synapse workspaces, as well as to create and manage SQL pools, Apache Spark pools, and Integration runtimes. Understand the roles required to perform common tasks in Synapse in the Synapse RBAC documentation.
  • Synapse RBAC roles may be modified in the future to introduce additional permissions for new product features. New roles may also be introduced in the future.

 

Posted at https://sl.advdat.com/3tKSwEL