question

0 Votes
manishverma-7371 asked ·

How can we create a custom role in Data Lake Store Gen2 that has access to Azure Storage, where the user can view folders and containers but not read file data?

Hi All,

In Data Lake Gen2, we have one requirement: we need to create a custom role and add a user to this role.

The user should be able to view folders, but not be able to read data.

How can we create a custom role to meet this requirement?

azure-data-lake-storage

Hi All,
A few more points: the user should have Contributor access on the resource group so that he has access to the Data Lake Store. Once he has Contributor, by default he has access to the Data Lake Gen2 folders and data.
Requirement: he should be able to view folders but not data.

Can anybody help us on this?

0 Votes 0 ·

Hi,
Can anybody from Microsoft reply to this, as the customer is waiting? If it is not possible, we will communicate to the customer that it is not possible in Data Lake Store Gen2.

0 Votes 0 ·

Hi all,
Can we implement ACLs without RBAC?

0 Votes 0 ·

1 Answer

0 Votes
PRADEEPCHEEKATLA-MSFT answered ·

@manishverma-7371 Welcome to the Microsoft Q&A platform.

Reader Role – Lets you view everything, but not make any changes.

The Reader role is an Azure Resource Manager role that permits users to view storage account resources, but not modify them. It does not provide read permissions to data in Azure Storage, but only to account management resources.

Only roles explicitly defined for data access permit a security principal to access blob or queue data. Roles such as Owner, Contributor, and Storage Account Contributor permit a security principal to manage a storage account, but do not provide access to the blob or queue data within that account.

Access to blob or queue data in the Azure portal can be authorized using either your Azure AD account or the storage account access key. For more information, see Use the Azure portal to access blob or queue data.

To understand more in detail, you may go to Storage Account => Access Control (IAM) => Roles => Click on (…) => Permissions

Check out permissions for Reader:

[image: 9891-adls-gen2-permissions.jpg]

Hope this helps. Do let us know if you have any further queries.

Do click on "Accept Answer" and Upvote on the post that helps you, this can be beneficial to other community members.
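The management-plane versus data-plane distinction the answer relies on can be checked mechanically. The following is an added example, not code from the thread or from Microsoft: it evaluates Azure RBAC role definitions the way the service does (Actions minus NotActions for management operations, DataActions minus NotDataActions for data operations, with `*` wildcards) against the two operations at issue, listing containers and reading blob contents. The role definitions are constructed copies of the built-in roles, with Contributor's NotActions abbreviated; verify them with `az role definition list --name "<role>"`.

```python
import fnmatch

# Constructed role definitions for this example, reduced to the four lists
# Azure RBAC evaluates. Reader and Storage Blob Data Reader follow the built-in
# definitions; Contributor's NotActions are abbreviated (check with az cli).
ROLES = {
    "Reader": {
        "Actions": ["*/read"], "NotActions": [],
        "DataActions": [], "NotDataActions": [],
    },
    "Contributor": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.Authorization/*/Delete",
                       "Microsoft.Authorization/*/Write",
                       "Microsoft.Authorization/elevateAccess/Action"],
        "DataActions": [], "NotDataActions": [],
    },
    "Storage Blob Data Reader": {
        "Actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read",
                    "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"],
        "NotActions": [],
        "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
        "NotDataActions": [],
    },
}

# (operation string, is_data_plane): listing containers is management plane, blob reads are data plane.
LIST_CONTAINERS = ("Microsoft.Storage/storageAccounts/blobServices/containers/read", False)
READ_BLOB = ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", True)


def _matches(operation, patterns):
    # Azure action strings are case-insensitive and '*' spans '/' separators.
    op = operation.lower()
    return any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)


def permits(role_name, operation):
    """Allow if an (Data)Actions entry matches and no Not(Data)Actions entry does."""
    op, data_plane = operation
    role = ROLES[role_name]
    allow = role["DataActions" if data_plane else "Actions"]
    deny = role["NotDataActions" if data_plane else "NotActions"]
    return _matches(op, allow) and not _matches(op, deny)


def effective_access(assigned_roles):
    # A principal's effective permission is the union of all its role assignments.
    return {
        "list_containers": any(permits(r, LIST_CONTAINERS) for r in assigned_roles),
        "read_blob_data": any(permits(r, READ_BLOB) for r in assigned_roles),
    }
```

Running `effective_access(["Contributor"])` reproduces the situation in the question: containers and folders are visible through the management plane while no data-plane read is granted until a data role such as Storage Blob Data Reader is added.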




Thanks a lot for your time and effort.

Yes, you are correct: if we use the Reader role he can only view the container.
But the requirement is that he should be able to see files and folders but not download or read them. That is the challenge here.


0 Votes 0 ·

@manishverma-7371, Unfortunately, there is no such role where you can only view files and folders.

I would suggest you leave feedback for the same.

https://feedback.azure.com/forums/169401-azure-active-directory/category/166032-role-based-access-control

All of the feedback you share in these forums will be monitored and reviewed by the Microsoft engineering teams responsible for building Azure.


0 Votes 0 ·

@manishverma-7371, Just checking in to see if the answer(s) helped.

If you found a response helpful, please “Accept Answer” and Up-Vote for the same which might be beneficial to other community members reading this thread. And, if you have any further queries do let us know.

0 Votes 0 ·