0 Votes
NandanHegde-7720 asked KranthiPakala-MSFT commented

Provide trigger access on a specific pipeline in ADF

Hello Team,
Is there any way or custom role via which I can restrict someone's access to trigger a specific pipeline P1 in ADF v2 which contains multiple pipelines (P1, P2, P3 etc.)?
The user can have read access on other pipelines, but he/she should not be able to trigger any other pipeline except P1.

One option is to create another ADF and provide access on that ADF, but it does not make any sense to create a separate ADF just for a single pipeline.

azure-data-factory
· 3

Hi @NandanHegde-7720,


Thanks for your query. I have reached out to the internal team to get more inputs on your query. Will keep you posted as soon as I have a response from the team.


In the meantime, please refer to the below SO thread and see if that helps.
https://stackoverflow.com/questions/59399491/is-there-a-way-to-set-different-permissions-to-pipelines-and-datasets-in-the-sam




Thanks


0 Votes 0 ·

Thank you Kranthi.
We already have a custom role via which we control access on an entire data factory wherein a user can only trigger a pipeline but cannot edit any pipeline.
But the ask is rather than having access to all the pipelines within a data factory, can we restrict the role to specific pipelines?

This would help in better security governance.

0 Votes 0 ·

Hi @NandanHegde-7720,

Thanks much for clarifying the ask. I am working on the same with the internal team to see if there is any possible workaround to achieve your requirement. Will keep you posted once I have my findings ready.

Thank you for your patience.

0 Votes 0 ·

1 Answer

1 Vote
KranthiPakala-MSFT answered KranthiPakala-MSFT commented

Hi @NandanHegde-7720,


Apologies for the delay in response. Finally I was able to figure out how to grant a particular user "Create Pipeline run" access to a specific pipeline.


Grant the user the "Reader" built-in role assignment on the data factory resource, which grants a user the ability to view (read) and monitor a data factory, but not edit or change it. So that user will be able to read all the pipelines (P1, P2, P3 etc.) in that data factory but won't be able to run them.


Then go to the resource group -> "Access Control (IAM)" -> click on "Add (Create Custom Role)" -> give the custom role a name, then navigate to the "JSON" section and use the below template to create a custom role, update it with the appropriate resource details, then click Review+Create, which will create the custom role.



{
    "properties": {
        "roleName": "Run Data Factory pipeline",
        "description": "This allows to run this DF pipeline - factories/<YouDataFactoryName>/pipelines/<YourPipelineName>",
        "assignableScopes": [
            "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<YourResourceGroupName>/providers/Microsoft.DataFactory/factories/<YouDataFactoryName>/pipelines/<YourPipelineName>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.DataFactory/factories/pipelines/createrun/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}



Note: You won't be able to see this new custom role in the Custom roles list, as "assignableScopes" (pipeline scope in this use case) is not officially part of it. So you won't be able to see it when you try to use it from Azure Portal "Access Control (IAM) -> Role assignments". But you can use/assign this custom role to a user using PowerShell.



To view your custom role details/definition that was created using pipeline scope, please use the below command:


Get-AzRoleDefinition -Name "Run Data Factory pipeline"


Result:


Name             : Run Data Factory pipeline
Id               : xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
IsCustom         : True
Description      : This allows to run this DF pipeline - factories/<YouDataFactoryName>/pipelines/<YourPipelineName>
Actions          : {Microsoft.DataFactory/factories/pipelines/createrun/action}
NotActions       : {}
DataActions      : {}
NotDataActions   : {}
AssignableScopes : {/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<YourResourceGroupName>/providers/Microsoft.DataFactory/factories/<YouDataFactoryName>/pipelines/<YourPipelineName>}



To assign this custom role (only run a particular ADF pipeline) to a user, please use the below command:


New-AzRoleAssignment -ObjectId "<ObjectID of the user>" -RoleDefinitionName "<Your Custom Role Name (In this example 'Run Data Factory pipeline')>" -Scope "/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/<YourResourceGroupName>/providers/Microsoft.DataFactory/factories/<YouDataFactoryName>/pipelines/<YourPipelineName>"



Two important things to consider:


Assign the "Reader" built-in role at Resource (ADF) level for the user.


Assign the Custom Role (only to run a particular pipeline - "Run Data Factory pipeline" in this example) at Resource (ADF) level for the user.


Hope this helps. Please do let me know if you have any further query.


Related helpful docs:


Get-AzRoleDefinition


New-AzRoleAssignment


Create or update Azure custom roles using the Azure portal


Resource Provider Operations - Microsoft.DataFactory




Thank you
Please do consider to click on "Accept Answer" and "Upvote" on the post that helps you, as it can be beneficial to other community members.








· 2
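The answer above describes the procedure in three manual pieces (portal JSON, Get-AzRoleDefinition, New-AzRoleAssignment). The script below is an added example, not part of the original answer or of any Microsoft sample, that carries the whole procedure out in Az PowerShell and then checks the result: Reader at the factory scope, a custom role whose only action is createrun, an assignment at the pipeline scope, and a final listing of every createrun grant the user holds. The subscription id, resource group, factory name and user UPN are placeholders; the role name and the action string are the ones used in the answer. One thing the answer's portal JSON does not show: New-AzRoleDefinition -InputFile expects the flat shape (Name, Actions, AssignableScopes), not the portal's {"properties": {"roleName": ...}} wrapper, so the definition is built in that flat shape here.

```powershell
# Added example (not from the original answer): create, assign and verify a custom
# role that only allows "createrun" on one ADF pipeline. Run after Connect-AzAccount
# with an identity allowed to write role definitions (Owner / User Access Administrator).
$subscriptionId = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"   # placeholder
$resourceGroup  = "rg-data"                                 # assumed name
$factoryName    = "adf-prod"                                # assumed name
$pipelineName   = "P1"                                      # pipeline from the question
$userUpn        = "user@contoso.example"                    # assumed UPN
$roleName       = "Run Data Factory pipeline"               # role name used in the answer
$createRunAction = "Microsoft.DataFactory/factories/pipelines/createrun/action"

$factoryScope  = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup/providers/Microsoft.DataFactory/factories/$factoryName"
$pipelineScope = "$factoryScope/pipelines/$pipelineName"

# 1. Reader at the factory scope: the user can view and monitor P1, P2, P3 but run nothing.
$user = Get-AzADUser -UserPrincipalName $userUpn
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName "Reader" -Scope $factoryScope | Out-Null

# 2. Custom role definition in the flat shape New-AzRoleDefinition -InputFile expects.
#    AssignableScopes is the single pipeline, exactly as in the answer's template.
$definition = [ordered]@{
    Name             = $roleName
    IsCustom         = $true
    Description      = "Allows creating runs of pipeline $pipelineName only"
    Actions          = @($createRunAction)
    NotActions       = @()
    DataActions      = @()
    NotDataActions   = @()
    AssignableScopes = @($pipelineScope)
}
$jsonPath = Join-Path $env:TEMP "run-pipeline-role.json"
$definition | ConvertTo-Json -Depth 5 | Set-Content -Path $jsonPath -Encoding utf8
if (-not (Get-AzRoleDefinition -Name $roleName -ErrorAction SilentlyContinue)) {
    New-AzRoleDefinition -InputFile $jsonPath | Out-Null
}

# 3. Assign the custom role at the pipeline scope, as in the answer's New-AzRoleAssignment call.
New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $roleName -Scope $pipelineScope | Out-Null

# 4. Verify least privilege: list every assignment the user holds whose role definition
#    contains the createrun action, and warn if any of them is scoped wider than P1.
#    This is an exact-string check; roles granting "*" (Owner, Contributor) would not
#    match it, so review those separately if the user holds any.
$createRunGrants = Get-AzRoleAssignment -ObjectId $user.Id | Where-Object {
    (Get-AzRoleDefinition -Id $_.RoleDefinitionId).Actions -contains $createRunAction
}
$createRunGrants | Select-Object RoleDefinitionName, Scope

$tooWide = $createRunGrants | Where-Object { $_.Scope -ne $pipelineScope }
if ($tooWide) {
    Write-Warning "createrun is granted beyond $pipelineName at: $($tooWide.Scope -join ', ')"
} else {
    Write-Host "OK: the only createrun grant for $userUpn is scoped to $pipelineName"
}
```

The verification step is the part worth keeping as a recurring check: because the answer notes that pipeline-scoped assignments are not visible in the portal's role assignment view, Get-AzRoleAssignment filtered by the createrun action is the practical way to audit who can start runs of which pipeline after the fact.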

Thank you Kranthi for your help :)
Let me try this out and get back again.
This is very helpful

0 Votes 0 ·

Glad to be of help @NandanHegde-7720 :)

1 Vote 1 ·