Synapse User role - able to scale SQL Pool - How to prevent this? - azure-synapse

We have a group that has been assigned the Synapse "User" Role which is a readonly role. However, they are able to scale the SQL Pool in the Synapse Studio. How do we prevent this? I thought we needed to have Synapse "Administrator" or "SQL Administrator" roles to do this.

Generally, the azure synapse administrator has full Synapse access to SQL pools.
If you created the custom role, you can assign it to the users who should have read-only access to azure synapse without the ability to scale the SQL pool. This will give them all the same permissions as the "User" role.
For more information refer to this link it has detailed information about creating custom RBAC roles in azure.

Related

User should only be able to run SQL queries in Synapse workspace

We have a special scenario in Azure Synapse Workspace where we want the user to only be able to query the data that in the dedicated SQL pool which is connected to the Synapse workspace.
We don't want them to create pipelines, change Synapse settings etc. We want them only to be able to query the data in the dedicated SQL Pool.
Would assigning the Role "Synapse User" be sufficient enough to do this?
My thoughts are as long as the user needs to access the dedicated SQL pool , he/she can be granted access within the synapse pool directly and he/she can access it via SSMS/ Data studio.
https://www.sqlshack.com/dedicated-sql-pools-in-azure-synapse-analytics/
No need to access via synapse workspace itself.

What's the minimum role a SQL user needs to export a bacpac in Azure?

We're exporting bacpacs from Azure SQL Databases to Storage Accounts via New-AzSqlDatabaseExport. Docs for that command: https://learn.microsoft.com/en-us/powershell/module/az.sql/new-azsqldatabaseexport
What's the minimum role required for a SQL user to do this? We're trying to maintain the least privileges rule.
Having a single SQL user that can export bacpacs for all databases in a server is acceptable.
It should be db_backupoperator:
Members of the db_backupoperator fixed database role can back up the
database.
Note, that db_backupoperator roles is not applicable in Azure SQL database (not managed instance) and Azure Synapse serverless pool because backup and restore T-SQL commands are not available.
The user needs to be member of dbmanager:
Can create and delete databases. A member of the dbmanager role that
creates a database, becomes the owner of that database, which allows
that user to connect to that database as the dbo user. The dbo user
has all database permissions in the database. Members of the dbmanager
role don't necessarily have permission to access databases that they
don't own.
What’s the minimum role required for a SQL user to do this? We’re
trying to maintain the least privileges rule. Having a single SQL user
that can export bacpacs for all databases in a server is acceptable.
To perform any task in the Azure storage account, You’re required to assign at least Storage Blob Data Contributor or Storage Blob Data Owner role.
If you’re using SQL authentication with a local username and password, You can assign a User account with which you are logging into Azure Portal and accessing Azure SQL database with the storage blob data contributor role and SQL Server/DB contributor role to access the storage account and Azure SQL server. But the same Azure user account cannot access the SQL Server, Just perform management tasks. You can also use the same Azure user account to log into your Azure SQL database by adding it as an Azure AD SQL Admin. This will maintain a single user that can access both your Azure SQL and storage account.
I created one Azure AD user and assigned the following roles like below:-
Storage Blob data contributor role:- Allows managing storage containers and data and accessing the storage keys and performing storage account level tasks. [Assigned at Resource group level where our SQL and storage account exists.]
SQL DB Contributor role:- Allows to perform Azure SQL-related tasks but does not allow access to SQL DB. [Assigned at Resource group level where our SQL and storage account exists.]
Storage Account Contributor role:- Allows managing Storage account and its associated resources. [Assigned at Resource group level where our SQL and storage account exists.]
Note- I have added the Storage account Contributor role at the Subscription level just to allow the user to create a PowerShell
storage account in Azure cloud shell to run the export command. If you have your storage account and Azure SQL server in the same resource group as your cloud shell storage account, You can assign this role at that resource group level like above.
I tried the below command to export Azure SQL DB with siliconSQL user and it worked successfully like below:-
PowerShell Script:-
$SecurePassword=ConvertTo-SecureString xxxxxmelon#123 –asplaintext –force
New-AzSqlDatabaseExport -ResourceGroupName "siliconrg" -ServerName "azsqlservername" -DatabaseName "azsqlDBname" -StorageKeyType "StorageAccessKey" -StorageKey "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx<storage access key>dnzjSrjIC3k1IbT7ozsSw0WVGo+AStiPXEXA==" -StorageUri "https://siliconstrg123.blob.core.windows.net/bacpacs/database01.bacpac" -AdministratorLogin "siliconuser" -AdministratorLoginPassword $SecurePassword
Output:-
Alternatively, You can also add this user as Azure AD SQL admin to access the SQL server like below:-
Reference:-
Role required for bacpac import? · Issue #65893 · MicrosoftDocs/azure-docs · GitHub

How do I grant access to users to Azure SQL DB with no rights to create Database?

I need to have rights to my Azure SQL Server where I can read and access data and also add other AD users to access the DB but they should not be allowed to create any new database. I couldnt find any roles which does that...nor I am able to find a custom role in AD which does that. Can someone please specify step by step how can I configure this for my AD users?

How make user or role specific triggers in AZURE DW or Azure synapse?

Is there any way to make user or role specific triggers in Azure Synapse or azure DW?
You do not need a trigger for this. Users can only do what you allow them to do. For example, when you first create a user in the database, they have no permissions. Users can only drop tables if they are members of the database role db_ddladmin or they are effectively db_owner or sysadmins. So the answer to your question is, make sure that user is not a member of the db_ddladmin role in the database.
You can look at using the DENY statement for certain roles but I think that would lead to an over-complicated setup that is hard to maintain and administer. See the Database Roles documentation for Synapse for more info.

How to add Azure AD Groups in Azure SQL Server

Can someone tell me how can I add Azure Active Directory groups into the azure sql server, I am using server manager tool to do this but cant find any way to figure this out, I can add simple Azure Active Directory user though..What about groups?
I will assume that you are wanting to provide access for end-users to connect, not Database Administrators. For my example below, let's say that the end-users are in a group called "AZ-Users", and that your Database Administrators (including you) are in a group called "AZ-DBAs".
For Azure SQL Databases, there are key things that must be in place to get this to work:
There must be an "Active Directory admin" configured for your server. This can be any AAD user or an AAD group. You can check if this has been set or not by going to the Azure portal page for your server. Be careful that you are looking at the Overview page for the server, not the individual database, they are not the same thing. Detailed instructions here. In our example, we would configure this to be the AAD group called "AZ-DBAs".
When you are ready to create the AAD login for "AZ-Users" on your Azure SQL Database, you must yourself be logged in using AAD... meaning a member of the "AZ-DBAs" group from my example above. You can use SSMS or any other similar tool for executing TSQL commands. Note that if you try a SQL auth connection instead, it won't work for step 4 below - you'll get this error:
Msg 33159, Level 16, State 1, Line 1
Principal 'AZ-Users' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
Change the context to the database you want to provide access to for your end users.
Execute this statement:
CREATE USER [AZ-Users] FROM EXTERNAL PROVIDER
Note that this will create a "contained database user", as detailed here. That's it. This process works for AAD groups and AAD users.
You will probably also want to grant some level of permissions as well, such as:
EXEC sp_addrolemember 'db_datareader', 'AZ-Users'
All you need to know about how to configure and manage Azure Active Directory Authentication you can find it in this article.
Then to connect to SQL Azure using Azure Active Directory authentication please read here.
Connect to the server via SSMS as your Azure AD admin. Create a new query with the db you want to affect. Run this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO
To modify permissions, do something like this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO