0 Votes
arkiboys asked cooldadtx answered

Access rights to the blob folders

Hello,
In the Synapse workspace, we have created several views using the Synapse SQL scripts which read the data from the blob storage folders...
In order to give report developers access to these views (which read data from blob folders), I have added the report users to the following roles:

"Reader"
"Storage Blob Data Reader" --> Allows for read access to Azure Storage blob containers and data

However, adding the users to the above list does not give them read access.
I had to add them to another Role: "Storage Blob Data Contributor" as well in order for them to read the data inside blob storage...

Question:
The role "Storage Blob Data Contributor" seems to have rights such as "write" and "delete" as well, which they really should not have.

"Storage Blob Data Contributor" --> Allows for read, write and delete access to Azure Storage blob containers and data

Any suggestions?

Thank you

azure-blob-storage

1 Answer

1 Vote
cooldadtx answered

As discussed here, the Readers role has nothing to do with the data in a container, confusingly. The role allows you to read the data within the container. This role is needed if users want to be able to see container information in the Portal but by itself does not give them any access to the container's data. It is best used for people who need to manage resources (e.g. infrastructure) but not the data itself (e.g. a person's private files).

To actually read data from a container you must have the Reader and Data Access role at a minimum. This will allow a user to read the container data. Contributor should only be used if the user needs to be able to modify the data as well. The confusing part, which I haven't tested, is that it is documented as giving write access to the data as well for the blobs but that seems wrong to me.
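Added example, not part of the answer above and not Microsoft's code: a small Python model of how Azure RBAC keeps control-plane `Actions` separate from data-plane `DataActions`, applied to the three roles named in this thread. The role definitions are abridged and hand-transcribed (an assumption to confirm with `az role definition list --name "<role>"`), and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

CONT = "Microsoft.Storage/storageAccounts/blobServices/containers/"
BLOB = CONT + "blobs/"

# Abridged built-in role definitions, transcribed for this example (assumption:
# verify against `az role definition list --name "<role>"` before relying on them).
ROLES = {
    "Reader": {"Actions": ["*/read"], "DataActions": []},
    "Storage Blob Data Reader": {
        "Actions": [CONT + "read"],
        "DataActions": [BLOB + "read"],
    },
    "Storage Blob Data Contributor": {
        "Actions": [CONT + "read", CONT + "write", CONT + "delete"],
        "DataActions": [BLOB + "read", BLOB + "write", BLOB + "delete"],
    },
}

def _matches(patterns, operation):
    # Operation names are case-insensitive and may contain "*" wildcards.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def allows(role, operation, plane):
    """plane is 'Actions' (control plane) or 'DataActions' (data plane)."""
    definition = ROLES[role]
    granted = _matches(definition.get(plane, []), operation)
    excluded = _matches(definition.get("Not" + plane, []), operation)
    return granted and not excluded

def effective(assigned, operation, plane):
    """Role assignments are additive: any one assigned role can grant access."""
    return any(allows(role, operation, plane) for role in assigned)

def excess_data_rights(assigned, needed):
    """Data-plane operations granted beyond the ones the user needs."""
    granted = {op for role in assigned for op in ROLES[role]["DataActions"]}
    return sorted(op for op in granted if not _matches(needed, op))

if __name__ == "__main__":
    need = [BLOB + "read"]  # report users only need to read blobs
    for combo in (["Reader"],
                  ["Reader", "Storage Blob Data Reader"],
                  ["Reader", "Storage Blob Data Contributor"]):
        can_read = effective(combo, BLOB + "read", "DataActions")
        print(combo, "blob read:", can_read, "excess:", excess_data_rights(combo, need))
```

Reader's `*/read` wildcard only applies on the control plane, so it never satisfies a blob read; the Contributor combination reads blobs but reports write and delete as excess rights.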
