We have a special scenario in Azure Synapse Workspace where we want the user to only be able to query the data that in the dedicated SQL pool which is connected to the Synapse workspace.
We don't want them to create pipelines, change Synapse settings etc. We want them only to be able to query the data in the dedicated SQL Pool.
Would assigning the Role "Synapse User" be sufficient enough to do this?
My thoughts are as long as the user needs to access the dedicated SQL pool , he/she can be granted access within the synapse pool directly and he/she can access it via SSMS/ Data studio.
https://www.sqlshack.com/dedicated-sql-pools-in-azure-synapse-analytics/
No need to access via synapse workspace itself.
Related
We have a group that has been assigned the Synapse "User" Role which is a readonly role. However, they are able to scale the SQL Pool in the Synapse Studio. How do we prevent this? I thought we needed to have Synapse "Administrator" or "SQL Administrator" roles to do this.
Generally, the azure synapse administrator has full Synapse access to SQL pools.
If you created the custom role, you can assign it to the users who should have read-only access to azure synapse without the ability to scale the SQL pool. This will give them all the same permissions as the "User" role.
For more information refer to this link it has detailed information about creating custom RBAC roles in azure.
We're exporting bacpacs from Azure SQL Databases to Storage Accounts via New-AzSqlDatabaseExport. Docs for that command: https://learn.microsoft.com/en-us/powershell/module/az.sql/new-azsqldatabaseexport
What's the minimum role required for a SQL user to do this? We're trying to maintain the least privileges rule.
Having a single SQL user that can export bacpacs for all databases in a server is acceptable.
It should be db_backupoperator:
Members of the db_backupoperator fixed database role can back up the
database.
Note, that db_backupoperator roles is not applicable in Azure SQL database (not managed instance) and Azure Synapse serverless pool because backup and restore T-SQL commands are not available.
The user needs to be member of dbmanager:
Can create and delete databases. A member of the dbmanager role that
creates a database, becomes the owner of that database, which allows
that user to connect to that database as the dbo user. The dbo user
has all database permissions in the database. Members of the dbmanager
role don't necessarily have permission to access databases that they
don't own.
What’s the minimum role required for a SQL user to do this? We’re
trying to maintain the least privileges rule. Having a single SQL user
that can export bacpacs for all databases in a server is acceptable.
To perform any task in the Azure storage account, You’re required to assign at least Storage Blob Data Contributor or Storage Blob Data Owner role.
If you’re using SQL authentication with a local username and password, You can assign a User account with which you are logging into Azure Portal and accessing Azure SQL database with the storage blob data contributor role and SQL Server/DB contributor role to access the storage account and Azure SQL server. But the same Azure user account cannot access the SQL Server, Just perform management tasks. You can also use the same Azure user account to log into your Azure SQL database by adding it as an Azure AD SQL Admin. This will maintain a single user that can access both your Azure SQL and storage account.
I created one Azure AD user and assigned the following roles like below:-
Storage Blob data contributor role:- Allows managing storage containers and data and accessing the storage keys and performing storage account level tasks. [Assigned at Resource group level where our SQL and storage account exists.]
SQL DB Contributor role:- Allows to perform Azure SQL-related tasks but does not allow access to SQL DB. [Assigned at Resource group level where our SQL and storage account exists.]
Storage Account Contributor role:- Allows managing Storage account and its associated resources. [Assigned at Resource group level where our SQL and storage account exists.]
Note- I have added the Storage account Contributor role at the Subscription level just to allow the user to create a PowerShell
storage account in Azure cloud shell to run the export command. If you have your storage account and Azure SQL server in the same resource group as your cloud shell storage account, You can assign this role at that resource group level like above.
I tried the below command to export Azure SQL DB with siliconSQL user and it worked successfully like below:-
PowerShell Script:-
$SecurePassword=ConvertTo-SecureString xxxxxmelon#123 –asplaintext –force
New-AzSqlDatabaseExport -ResourceGroupName "siliconrg" -ServerName "azsqlservername" -DatabaseName "azsqlDBname" -StorageKeyType "StorageAccessKey" -StorageKey "xxxxxxxxxxxxxxxxxxxxxxxxxxxxx<storage access key>dnzjSrjIC3k1IbT7ozsSw0WVGo+AStiPXEXA==" -StorageUri "https://siliconstrg123.blob.core.windows.net/bacpacs/database01.bacpac" -AdministratorLogin "siliconuser" -AdministratorLoginPassword $SecurePassword
Output:-
Alternatively, You can also add this user as Azure AD SQL admin to access the SQL server like below:-
Reference:-
Role required for bacpac import? · Issue #65893 · MicrosoftDocs/azure-docs · GitHub
I'm trying to find a way from within Azure SQL to either 1) enumerate members of an Azure Active Directory security group or 2) check if a user login is a member of an SG. I've found various articles about doing it from a domain joined standalone SQL installation but not from Azure SQL. Most of the samples for the standalone installation use system sprocs like xp_cmdshell which don't exist in Azure SQL. I know I can create an Azure Function or Logic App to sync users to a table but I'd like to avoid using an external process to do this if possible.
#Kalyan Chanumolu-MSFT's comment should be very helpful to you. This scenario is not supported today.
You can try to use his suggestion.
You will have to talk to Microsoft Graph API from an intermediate like an Azure function to relay the data to Azure SQL Database.
You also can raise a support ticket to confirm it and also can put forward your suggestions in the feedback.
Can someone tell me how can I add Azure Active Directory groups into the azure sql server, I am using server manager tool to do this but cant find any way to figure this out, I can add simple Azure Active Directory user though..What about groups?
I will assume that you are wanting to provide access for end-users to connect, not Database Administrators. For my example below, let's say that the end-users are in a group called "AZ-Users", and that your Database Administrators (including you) are in a group called "AZ-DBAs".
For Azure SQL Databases, there are key things that must be in place to get this to work:
There must be an "Active Directory admin" configured for your server. This can be any AAD user or an AAD group. You can check if this has been set or not by going to the Azure portal page for your server. Be careful that you are looking at the Overview page for the server, not the individual database, they are not the same thing. Detailed instructions here. In our example, we would configure this to be the AAD group called "AZ-DBAs".
When you are ready to create the AAD login for "AZ-Users" on your Azure SQL Database, you must yourself be logged in using AAD... meaning a member of the "AZ-DBAs" group from my example above. You can use SSMS or any other similar tool for executing TSQL commands. Note that if you try a SQL auth connection instead, it won't work for step 4 below - you'll get this error:
Msg 33159, Level 16, State 1, Line 1
Principal 'AZ-Users' could not be created. Only connections established with Active Directory accounts can create other Active Directory users.
Change the context to the database you want to provide access to for your end users.
Execute this statement:
CREATE USER [AZ-Users] FROM EXTERNAL PROVIDER
Note that this will create a "contained database user", as detailed here. That's it. This process works for AAD groups and AAD users.
You will probably also want to grant some level of permissions as well, such as:
EXEC sp_addrolemember 'db_datareader', 'AZ-Users'
All you need to know about how to configure and manage Azure Active Directory Authentication you can find it in this article.
Then to connect to SQL Azure using Azure Active Directory authentication please read here.
Connect to the server via SSMS as your Azure AD admin. Create a new query with the db you want to affect. Run this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO
To modify permissions, do something like this:
ALTER ROLE db_datareader ADD MEMBER [AzureADGroupName];
GO
I am trying to synchronise databases in two different subscriptions using Azure datasync on the new portal
https://learn.microsoft.com/en-us/azure/sql-database/sql-database-get-started-sql-data-sync
On the portal, I do not get the ability to choose subscription or connection string to connect to a Azure database on a different subscription (this is not on premise)
The options presented are either
a) Database from existing subscription + database server
b) on-premise database- with a sync agent to be downloaded
Can linking to another database via connection string be implemented via API's or is there any restriction or feature limitation around this?
Based on your comment, your issue is due to you having different logins for each subscription. In order to achieve what you want to do, you will need to cross add the various users to the subscriptions.
First, log into your Azure portal. Navigate to the subscription you are the admin for. Click on Access control (IAM) to manage the permissions for it.
Click the Add button which will bring up a dialog to add permissions. Simply select the role you wish to grant (I believe you will need contributor for this) and enter the email address of the user that you want to grant permissions to.