Controlling list of users who can access Synapse Analytics Serverless Pool/SQL Server by using 2 different Active Directory Groups - sql-server-2012

I have the scenario below.
I have 3 database roles (the roles point to Active Directory groups) created in my database (on Synapse Analytics Serverless Pool). Each role represents the set of data that the users in that role can access (users may overlap, i.e. user 1 can be in Role 1 and Role 2 as well). These AD groups are configured and made available to me by a different team, and I need to reuse the same AD groups to grant access to the Synapse Serverless Pool/instance that I am hosting, which connects to ADLS Gen-2 and reads the data (data exploration use case).
Example SQL scripts below (the SQL>> prompts are removed; the trailing space inside [ADGroupA ] would have created a different identifier, so it is dropped):
-- Map the AD group into the database as a user
CREATE USER [ADGroupA] FROM EXTERNAL PROVIDER;
-- Role that represents the finance data set
CREATE ROLE finance;
ALTER ROLE [finance] ADD MEMBER [ADGroupA];
-- Read access on the finance schema for the role
GRANT SELECT ON SCHEMA::finance TO finance;
-- Lets the group use the credential behind the external data source
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::SynapseManagedIdentity TO [ADGroupA];
The scripts above are also executed for ADGroupB and ADGroupC.
ADGroupA has 20 users, ADGroupB has 10 users, ADGroupC has 5 users.
I have a requirement to grant access to the Serverless Pool for 15 users (by looking at the ADGroupA, ADGroupB and ADGroupC access for those 15 users, to ensure they get access only to the required dataset/objects).
I have one challenge here in handling this scenario: the user set of the Serverless Pool is a subset of the users in Role A, Role B and Role C. Since I am creating my roles using ADGroupA, ADGroupB and ADGroupC, I end up granting access to all 35 users, but I am supposed to grant access only to 15 users (who could be part of ADGroupD).
Now, my question is: is there a way to grant access by doing an INTERSECT of ADGroupA and ADGroupD for each role that I create?
Adding additional information on the expected outcome

Related

Custom Role in Azure Synapse

Can I create a custom role or edit an existing role in Azure Synapse, where
I can provide only SELECT query access using the built-in serverless pool, and
pipeline access should be restricted?
Ideally I'm looking for a role that can only read SQL and lake data, query it using different technologies (SQL, Spark) and should not have access to anything else.
You can actually create the external table on the required using the database scoped credential, then first GRANT REFERENCES and then SELECT permission on the external table to the SQL user. Follow the steps below:
CREATE DATABASE SCOPED CREDENTIAL SampleIdentity
WITH IDENTITY = 'Managed Identity'
GO
CREATE EXTERNAL DATA SOURCE [DataLakeStorage] WITH (LOCATION = N'https://theorders.dfs.core.windows.net/', CREDENTIAL = SampleIdentity)
GO
The caller must have one of the following permissions to execute the OPENROWSET function:
ADMINISTER BULK OPERATIONS enables a login to execute the OPENROWSET function.
ADMINISTER DATABASE BULK OPERATIONS enables a database scoped user to execute the OPENROWSET function.
REFERENCES DATABASE SCOPED CREDENTIAL on the credential that is referenced in the EXTERNAL DATA SOURCE.
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[SampleIdentity] TO [SQLUser];
GO
-- File format referenced by the table below (must exist before the table is created)
CREATE EXTERNAL FILE FORMAT TextFileFormat WITH (FORMAT_TYPE = DELIMITEDTEXT);
GO
-- DATA_SOURCE now matches the [DataLakeStorage] source created above;
-- nvarchar without a length would default to nvarchar(1), so a length is given
CREATE EXTERNAL TABLE [dbo].[DimProductexternal]
( ProductKey int, ProductLabel nvarchar(100), ProductName nvarchar(100) )
WITH
(
LOCATION = '/DimProduct/year=*/month=*' ,
DATA_SOURCE = [DataLakeStorage] ,
FILE_FORMAT = TextFileFormat
) ;
You can now grant SELECT permission on the external table to the user.
GRANT SELECT ON [dbo].[DimProductexternal] TO [SQLUser]
GO
To restrict access to resources in Synapse, you can assign ROLE BASED ACCESS CONTROL (RBAC).
To restrict run/cancel pipeline access in the Synapse workspace you can assign the Synapse Monitoring Operator role using RBAC in Synapse. Refer to Synapse RBAC roles and the actions they permit for more details.

Restricting direct access to Azure sql external data source

I tried to create Row-Level Security in an Azure Synapse on-demand database. The data is stored in Azure Data Lake Storage Gen 2. The script is working fine, but members of the restricted user group can still run the OPENROWSET command manually and see all the data. Does somebody know what part I am missing?
CREATE DATABASE SCOPED CREDENTIAL WorkspaceIdentity
WITH IDENTITY = 'Managed Identity'
GO
CREATE EXTERNAL DATA SOURCE [DataLakeStorage] WITH (LOCATION = N'https://theorders.dfs.core.windows.net/', CREDENTIAL = WorkspaceIdentity )
GO
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[WorkspaceIdentity] TO [MyTestGroup];
GO
CREATE VIEW [model].[my_orders] as
SELECT * FROM
OPENROWSET(BULK 'dimorders/*.parquet',
DATA_SOURCE = 'DataLakeStorage', FORMAT = 'parquet') as rows
WHERE [UserName] = suser_name()
GO
GRANT SELECT ON [model].[my_orders] TO [MyTestGroup]
GO
The example script that returns all the data, without restriction:
SELECT * FROM
OPENROWSET(BULK 'dimorders/*.parquet',
DATA_SOURCE = 'DataLakeStorage', FORMAT = 'parquet') as rows
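The bypass described above works because the group holds REFERENCES on the credential (the grant on the line `GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::[WorkspaceIdentity] TO [MyTestGroup]`), and that permission is all OPENROWSET needs, so the view's WHERE clause is not a security boundary. The audit query below is an added example, not part of the original post; it lists every principal that can use a database scoped credential directly, and assumes the `sys.database_permissions` class description `DATABASE_SCOPED_CREDENTIAL` and the `sys.database_scoped_credentials` catalog view are available in the database being checked.

```sql
-- Added example (not from the original post): who can bypass a row-filtering view
-- by calling OPENROWSET themselves? Any principal with REFERENCES on a database
-- scoped credential can read every file behind a data source that uses it.
SELECT
    dsc.name             AS credential_name,
    eds.name             AS external_data_source,
    dp.name              AS principal_name,
    dp.type_desc         AS principal_type,
    perm.permission_name,
    perm.state_desc
FROM sys.database_permissions AS perm
JOIN sys.database_scoped_credentials AS dsc
    ON perm.major_id = dsc.credential_id
-- Assumed: class_desc value for credential-scoped grants
   AND perm.class_desc = 'DATABASE_SCOPED_CREDENTIAL'
JOIN sys.database_principals AS dp
    ON perm.grantee_principal_id = dp.principal_id
-- Show which data sources (and therefore which storage paths) the grant reaches
LEFT JOIN sys.external_data_sources AS eds
    ON eds.credential_id = dsc.credential_id
WHERE perm.permission_name = 'REFERENCES'
  AND perm.state_desc IN ('GRANT', 'GRANT_WITH_GRANT_OPTION')
ORDER BY dsc.name, dp.name;
```

Every row returned for a group that is only supposed to see filtered rows through a view is a principal that can run the unrestricted SELECT shown in the question.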
I would suggest you follow the steps below, which show how to give a user permission to access a particular database.
Note - The steps below need to be run for each SQL pool to grant user
access to all SQL databases except in section Workspace-scoped
permission where you can assign a user a sysadmin role at the
workspace level.
Set up security groups
Prepare your ADLS Gen2 storage account
Create and configure your Azure Synapse Workspace
Grant the workspace MSI access to the default storage container
Grant Synapse administrators the Azure Contributor role on the workspace
Assign SQL Active Directory Admin role
Grant access to SQL pools
Add users to security groups
Network security
Refer - https://learn.microsoft.com/en-us/azure/synapse-analytics/security/how-to-set-up-access-control#supporting-more-advanced-scenarios

Synapse Serverless Pool writing data back to ADLS Gen-2 using CETAS >> Permissions issue

Use case:
After learning that AD passthrough is not working as expected on the Synapse Serverless pool with ADLS Gen-2, I am trying to use the traditional method of creating external tables on the Serverless Pool, granting READ ONLY access to users on a set of tables, and enabling a WRITE BACK option to another ADLS Gen-2 container using CETAS.
Looks like I am stuck there as well, unable to move forward.
I have tried to explain my scenario in the image below.
Now, I have 5 external tables in a database where I have READ ONLY access to the schemas where those tables exist.
I wanted to create a few more tables which ideally do a JOIN between those 5 tables, aggregate the data and write it back to ADLS Gen-2 for reporting/data science purposes.
What access should I grant for WRITE back purposes?
I tried creating a new schema and granting ALTER, CONTROL, SELECT access on that schema along with CREATE TABLE access at database level. I don't want to grant more access at database level, as the database has a database scoped credential referencing a managed identity, which would grant full access to the ROC container objects.
-- Schema-level grants for the write-back role (the trailing space in [sandbox ] is removed)
GRANT SELECT ON SCHEMA::sandbox TO sls_svc;
GRANT ALTER ON SCHEMA::sandbox TO sls_svc;
GRANT CONTROL ON SCHEMA::[sandbox] TO sls_svc;
-- Database-level permission needed to create the CETAS table
GRANT CREATE TABLE TO sls_svc;
-- CETAS: names containing a hyphen must be bracketed, and the schema name is "sandbox"
CREATE EXTERNAL TABLE sandbox.[revenue-by-month]
WITH (
LOCATION = '/ROW/revenue-by-month/',
DATA_SOURCE = [ADLS-ROW],
FILE_FORMAT = EF_PARQUET
)
AS
SELECT * FROM table1;
All users in the sls_svc role have Storage Blob Data Contributor access on the READ-WRITE-CONTAINER (ROW).
Below are the error messages I am getting.
I also tried creating a new database, hoping that I can grant full access on that database so that a cross-DB query can work, but I am out of luck there as well.
Any thoughts?
It seems that you have correctly set the permissions: https://learn.microsoft.com/en-us/azure/synapse-analytics/sql/develop-storage-files-overview?tabs=impersonation#permissions
Are you sure that you can successfully execute just the SELECT statement, and that the issue is not in the SELECT part?
GRANT CONNECT to the database that was created
+
GRANT DDL_ADMIN access
resolved the issue
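The resolution above (CONNECT plus db_ddladmin) is easiest to keep contained when the write-back objects live in their own database, so that the broad DDL rights never touch the database holding the read-only external tables or its managed-identity credential. The script below is an added example, not code from the original thread; it assumes a serverless pool where CREATE DATABASE and three-part names work, and every name in it (sandboxdb, sourcedb, wb_identity, ADLS-ROW, EF_PARQUET, ADGroupSandbox, the storage URL) is a placeholder.

```sql
-- Added example (not from the original thread): a separate sandbox database that
-- carries only the write-back permissions, mirroring the fix reported above.
CREATE DATABASE sandboxdb;
GO
USE sandboxdb;
GO
-- Credential and data source scoped to the read-write container only, so the
-- identity used for write-back is never the one that guards the read-only data.
CREATE DATABASE SCOPED CREDENTIAL wb_identity WITH IDENTITY = 'Managed Identity';
GO
CREATE EXTERNAL DATA SOURCE [ADLS-ROW]
WITH ( LOCATION = 'https://<storageaccount>.dfs.core.windows.net/read-write-container',
       CREDENTIAL = wb_identity );
GO
CREATE EXTERNAL FILE FORMAT EF_PARQUET WITH (FORMAT_TYPE = PARQUET);
GO
-- Creating the user in this database is what grants it CONNECT here.
CREATE USER [ADGroupSandbox] FROM EXTERNAL PROVIDER;
CREATE ROLE sls_svc;
ALTER ROLE sls_svc ADD MEMBER [ADGroupSandbox];
-- db_ddladmin lets members create, alter and drop any object in *this* database
-- only; that is acceptable precisely because nothing else lives in sandboxdb.
ALTER ROLE db_ddladmin ADD MEMBER sls_svc;
-- Needed to use the write-back data source in CETAS.
GRANT REFERENCES ON DATABASE SCOPED CREDENTIAL::wb_identity TO sls_svc;
GO
-- Write-back via CETAS. Assumed: sls_svc members already hold SELECT on
-- sourcedb.finance.table1 in the source database (their existing read-only grant).
CREATE EXTERNAL TABLE dbo.[revenue-by-month]
WITH ( LOCATION = '/revenue-by-month/',
       DATA_SOURCE = [ADLS-ROW],
       FILE_FORMAT = EF_PARQUET )
AS
SELECT month, SUM(revenue) AS revenue
FROM sourcedb.finance.table1
GROUP BY month;
```

Nothing is granted in sourcedb beyond the SELECT the users already had, and the source credential is never referenced from the sandbox.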

Hive create role and give grant access to limited tables

I have created a Hive database HR, which has 3 tables: person, dept, contact. I have two users for HR: ad1 and us1. ad1 is admin, us1 is a user. I want us1 to access only the contact table and nothing else. How do I go about it in Hive?
This is what I tried:
1) Logged into Hive as ad1
2) Executed set hive.security.authorization.enabled=true;
3) create role r1;
4) grant select on table contact to role r1;
5) grant role r1 to user us_1;
Now when I log into Hive as us_1, I'm still able to query all tables
What am I doing wrong?
The way to handle security in Hive is via Unix POSIX. Secure the unix folder where Hive stores data, and you will secure access

Select only one role for user when logging to Oracle

I have an Oracle database with two roles assigned to the same user.
The user will connect from a .NET application.
Since each role has its own privileges I would like, when using my application, only one role to be considered. So the user will choose the role to be considered when logging in to the application, and the privileges related to the other role won't be "active".
for example
Role 1 can access Table A
Role 2 can access Table B
So theoretically The user can access A & B
When using my application :
Choose either 1 or 2
if 1, show only A table
if 2, show only B table
Is that possible, please?
Thank you
Use of ROLES is one way:
CREATE ROLE roleA;
CREATE ROLE roleB;
GRANT SELECT ON tableA TO roleA;
GRANT SELECT ON tableB TO roleB;
GRANT roleA TO TheUser;
GRANT roleB TO TheUser;
When the user chooses a role in your application, issue the appropriate SET ROLE command:
User chooses 1:
SET ROLE roleA;
Otherwise,
SET ROLE roleB;
Since the roles are not defaults, they will only be active via the SET ROLE command. You can password protect the roles, too.
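A fuller version of the SET ROLE approach, as an added example that is not part of the original answer: it adds the two pieces a practitioner needs to make "not defaults" true in practice, namely ALTER USER ... DEFAULT ROLE NONE (a granted role is a default role unless the user is told otherwise) and password-protected roles so that only the application, which knows the password, can enable one. TheUser, roleA, roleB, tableA, tableB and the two passwords are placeholders.

```sql
-- Added example (not from the original answer). Run the first part as a DBA.
CREATE ROLE roleA IDENTIFIED BY "roleA_secret";
CREATE ROLE roleB IDENTIFIED BY "roleB_secret";
GRANT SELECT ON tableA TO roleA;
GRANT SELECT ON tableB TO roleB;
GRANT roleA, roleB TO TheUser;
-- Without this line both roles would be enabled automatically at login, and the
-- user could read tableA and tableB regardless of what the application chose.
ALTER USER TheUser DEFAULT ROLE NONE;
-- CREATE SESSION must be held directly, not through a role, or login fails now
-- that no role is enabled at connect time.
GRANT CREATE SESSION TO TheUser;

-- Run by the application inside TheUser's session after the user picks option 1.
-- SET ROLE replaces the active set, so enabling roleA also disables roleB.
SET ROLE roleA IDENTIFIED BY "roleA_secret";
-- Check what this session can currently use; expect a single row, ROLEA.
SELECT role FROM session_roles;
-- Option 2 later in the same session: roleB becomes the only active role.
SET ROLE roleB IDENTIFIED BY "roleB_secret";
-- Drop all role privileges for the rest of the session (for example, on logout
-- from the application while the database connection is pooled and reused).
SET ROLE NONE;
```

Because the role passwords live in the application rather than with the user, a user connecting with the same credentials from another client sees neither table until a role is enabled.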