Azure-docs: Clarification on groups and role assignments

Created on 2 Jun 2020 · 4 Comments · Source: MicrosoftDocs/azure-docs

Hi, a couple of comments on Steps 1 and 2 of Access Control for Workspace:

In step 1, it indicates
Add Synapse_WORKSPACENAME_Admins to ProjectSynapse_WORKSPACENAME_Users
which I think is a typo and should be:
Add Synapse_WORKSPACENAME_Admins to Synapse_WORKSPACENAME_Users

Moreover, some explanation of this should be provided, such as group membership, permission inheritance and how to perform these tasks, maybe with links to the docs in additional comments.
This is important also because there are known limitations on group membership, e.g. the Synapse_WORKSPACENAME_Users group cannot be an on-premises AD group, since that is not supported.

In Step 2, it indicates which roles to assign to the different groups created in Step 1, but step d) makes no sense, since there is no entity called WORKSPACENAME defined in Step 1 or mentioned before that.

Finally, in the next steps links, _see Synapse SQL access control_ links to the same page.


/subsvc Pri2 assigned-to-author doc-bug synapse-analyticsvc triaged

All 4 comments

Hi @jdocampo

You are correct, there is a typo for step 1.
Thank you for raising this! I just added more information related to the AAD groups in notes.

Related to:

In Step 2, it indicates which roles to assign to the different groups created in Step 1, but step d) makes no sense, since there is no entity called WORKSPACENAME defined in Step 1 or mentioned before that.

WORKSPACENAME is a placeholder for the actual workspace name; the role in this case is Storage Blob Data Contributor.

Changes will be visible soon in the documentation when reviewers approve the change.

Hi @azaricstefan
First, thanks for the quick response :)

So WORKSPACENAME relates to the Managed Identity created for the workspace?
That would make sense, although I thought that role assignment was done automatically on workspace provisioning for the default storage.

If that's the case, maybe a prior mention of the managed identity will help to clarify things.

Again, many thanks!

The name of the Managed Identity is the same as the name of the workspace.

The managed identity is assigned the Storage Blob Data Contributor role only if you chose the storage account from the dropdown menu; if you configured the storage manually during provisioning of the workspace, then you should assign permissions to the Managed Identity manually.
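The two checks this thread boils down to (the Admins group nested inside the Users group from Step 1, and the workspace managed identity holding Storage Blob Data Contributor on the default storage from Step 2 d) can be verified and repaired with Az PowerShell. The following is an added example written for this page, not code from the Azure docs or from any commenter. It assumes the Az.Accounts, Az.Resources, Az.Storage and Az.Synapse modules are installed, that Connect-AzAccount has already been run by someone allowed to manage the groups and role assignments, and that the workspace, resource group and storage account names are hypothetical placeholders; the group naming pattern and the "managed identity name equals workspace name" rule are taken from the thread itself.

```powershell
# Added example (not from the Azure docs or this issue thread).
# Assumes: Az.Accounts, Az.Resources, Az.Storage, Az.Synapse installed and Connect-AzAccount done.
# All names below are hypothetical placeholders; WORKSPACENAME in the docs = $WorkspaceName here.
param(
    [string]$WorkspaceName  = 'contosows',      # also the display name of the workspace managed identity
    [string]$ResourceGroup  = 'rg-synapse',
    [string]$StorageAccount = 'contosodatalake' # the workspace's default ADLS Gen2 account
)

$RoleName = 'Storage Blob Data Contributor'

# --- Step 1 check: Synapse_<ws>_Admins must be a member of Synapse_<ws>_Users --------------
$usersGroup  = Get-AzADGroup -DisplayName "Synapse_${WorkspaceName}_Users"
$adminsGroup = Get-AzADGroup -DisplayName "Synapse_${WorkspaceName}_Admins"
if (-not $usersGroup -or -not $adminsGroup) {
    throw "Expected AAD groups Synapse_${WorkspaceName}_Users / _Admins were not found."
}
if (@($usersGroup).Count -ne 1 -or @($adminsGroup).Count -ne 1) {
    throw "Group display name is ambiguous; resolve by object ID instead of display name."
}

# Direct members only: nested membership is not expanded, which is exactly what we want to verify.
$directMembers = Get-AzADGroupMember -GroupObjectId $usersGroup.Id
if ($directMembers.Id -contains $adminsGroup.Id) {
    Write-Host "OK: $($adminsGroup.DisplayName) is already a member of $($usersGroup.DisplayName)"
} else {
    Write-Host "FIX: adding $($adminsGroup.DisplayName) to $($usersGroup.DisplayName)"
    Add-AzADGroupMember -TargetGroupObjectId $usersGroup.Id -MemberObjectId $adminsGroup.Id
}

# --- Step 2 d) check: workspace managed identity has Storage Blob Data Contributor ---------
$ws = Get-AzSynapseWorkspace -ResourceGroupName $ResourceGroup -Name $WorkspaceName
$principalId = $ws.Identity.PrincipalId   # system-assigned MI; assumed property path on the workspace object
if (-not $principalId) {
    # Fallback based on the thread: the MI's display name equals the workspace name.
    $sp = Get-AzADServicePrincipal -DisplayName $WorkspaceName
    if (@($sp).Count -ne 1) { throw "Could not uniquely resolve the managed identity for $WorkspaceName" }
    $principalId = $sp.Id
}

# Scope the assignment to the storage account, not the subscription: least privilege.
$sa    = Get-AzStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$scope = $sa.Id

$existing = Get-AzRoleAssignment -ObjectId $principalId -Scope $scope -RoleDefinitionName $RoleName
if ($existing) {
    Write-Host "OK: managed identity $WorkspaceName already has '$RoleName' on $StorageAccount"
} else {
    # This is the case the maintainer describes: storage configured manually at provisioning,
    # so the platform did not create the assignment and it has to be added by hand.
    Write-Host "FIX: granting '$RoleName' to managed identity $WorkspaceName on $StorageAccount"
    New-AzRoleAssignment -ObjectId $principalId -RoleDefinitionName $RoleName -Scope $scope | Out-Null
}

# Report every Storage Blob Data Contributor on the account so stray or over-broad grants stand out.
Get-AzRoleAssignment -Scope $scope -RoleDefinitionName $RoleName |
    Select-Object DisplayName, ObjectType, ObjectId, Scope |
    Format-Table -AutoSize
```

Run it once with the write operations commented out to get a read-only report before changing anything. Note that the script deliberately checks direct membership rather than transitive membership: if the Admins group reaches the Users group only through some other nested group, the docs' Step 1 is still not satisfied as written, and the check reports it as missing.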

Thank you both! I'll close this out since the fix has been deployed.
