Azure-docs: How to give access to a subdirectory?

Created on 21 May 2020  Â·  8Comments  Â·  Source: MicrosoftDocs/azure-docs

Hello,

I'm trying to give access to a subdirectory, but access is only granted in the subdirectory, in previous directories access is not granted. Can someone help me please?

Below is the step by step:

Data Lake Structure

image

Commands

$resourceGroup = "rg-cmanalytics-dsv-brs"
$dataLakeName = "dlscmanalyticsdsv"
$fileSystemName = "staging"
$fileSystemACL = "r-x"
$directoryACL = "r-x"
$dirName = "marketing/adm"
$objectid = "8fbe6773-87b5-44f7-a2f0-555f3a000556" #Group C-G-DATA-LAKE-MARKETING

$dataLakeAccount = Get-AzStorageAccount -ResourceGroupName $resourceGroup -Name $dataLakeName
$ctx = $dataLakeAccount.Context

File System

$acl = New-AzDataLakeGen2ItemAclObject -AccessControlType group -EntityId $objectid -Permission $fileSystemACL
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $fileSystemName -Acl $acl

Directory

Update-AzDataLakeGen2Item -Context $ctx -FileSystem $fileSystemName -Path $dirName -Acl $acl
$dir = Get-AzDataLakeGen2Item -Context $ctx -FileSystem $fileSystemName -Path $dirName
$dir.ACL

image

Result

Access was granted in the "adm" subdirectory.

image

But the user cannot access the subdirectory because he doesn't have access in the "marketing" directory. This is the problem.

image

Best regards,
Cristina

Document Details

⚠ Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.

Pri2 assigned-to-author data-lake-storage-gensubsvc product-question storagsvc triaged
Source
picture crisansou

All 8 comments

@crisansou Thanks for the question! We are investigating and will update you shortly.

CHEEKATLAPRADEEP-MSFT picture CHEEKATLAPRADEEP-MSFT on 21 May 2020
👍1

@normesta Could you please provide insight on how to give access to a subdirectory without providing access to the parent directory?

CHEEKATLAPRADEEP-MSFT picture CHEEKATLAPRADEEP-MSFT on 26 May 2020

Hi @crisansou - For the user to see the "adm" subdirectory, you'll have to grant execute perms to the marketing directory. Please see Common scenarios related to permissions for examples. Thx for asking!

normesta picture normesta on 28 May 2020

please-close

normesta picture normesta on 28 May 2020

Hi @crisansou - For the user to see the "adm" subdirectory, you'll have to grant execute perms to the marketing directory. Please see Common scenarios related to permissions for examples. Thx for asking!

Hi @normesta ,

So if I have 10 subdirectories before the "adm" subdirectory would I have to give access one by one?

Best regards,
Cristina

crisansou picture crisansou on 28 May 2020

Hi @crisansou my understanding is yes. If you create a new directory after the ACL of the parent directory is set, then the child directory inherits those ACLs. However, if you apply an ACL to the parent directory (such as execute), it doesn't auto propagate down to the child directories. @priyashetty-gh can check my understanding. Thx

normesta picture normesta on 29 May 2020
👍1

What @normesta has described is the current system behavior. We have this capability planned in the roadmap, that will allow propagation of ACLs to child items, to handle such cases where ACLs are being assigned to parent items after child items are created.

priyashetty-gh picture priyashetty-gh on 29 May 2020
👍1

Ok guys, thank you.

crisansou picture crisansou on 29 May 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

jamesgallagher-ie picture jamesgallagher-ie  Â·  3Comments
Ponant picture Ponant  Â·  3Comments
bdcoder2 picture bdcoder2  Â·  3Comments
JeffLoo-ong picture JeffLoo-ong  Â·  3Comments
DeepPuddles picture DeepPuddles  Â·  3Comments