arkiboys asked Sumarigo-MSFT answered

manage ACL

Hello,
My question is regarding the access level to the folders inside the blobstorage containers.
For example, inside blobstorage1, I have created three containers, i.e. Container1, Container2, Container3.
Inside Container2, I have created a folder called market to hold .csv files.
I would like to give access only to certain users to be able to edit these .csv files which are inside the market folder.
Is this to do with Manage ACL? If so, then is this on the container level or can it be at file level as well?

Thank you

azure-blob-storage

Sumarigo-MSFT answered

@arkiboys Welcome to the Microsoft Q&A Forum. Thank you for posting your query here!

The answer to this question is no for Azure Blob at file level. Instead, you can use an ADLS Gen 2 account and manage ACLs at file level. You can associate a security principal with an access level for files and directories in ADLS Gen 2. ADLS Gen 2 is built on Blob Storage. You can easily manage the ACLs with many tools/languages such as Storage Explorer, PowerShell or Python.

Folder-level ACL with Blob storage accounts: If you use ADLS (HNS), I believe you can set an ACL on a folder. For an existing storage account blob container, you would need to copy into an HNS-enabled storage account (current situation).

A shared access signature (SAS) can be used to restrict access to either an entire blob container or an individual blob. This is because a folder in blob storage is virtual and not a real folder. You can achieve this through the SAS service; also refer to this Q&A thread, which gives more information on your scenario.

The Set Container ACL operation sets the permissions for the specified container. The permissions indicate whether blobs in a container may be accessed publicly.

Sets the public access permission to a storage container. You may also refer to the suggestion mentioned in this article through Storage Explorer.

Additional information: Authorizing access to Azure Storage

Assign an Azure role for access to blob data

Please let us know if you have any further queries. I’m happy to assist you further.


Please do not forget to “up-vote” wherever the information provided helps you; this can be beneficial to other community members.




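The answer above moves per-file permissions to ADLS Gen 2 ACLs. As an added example (not part of the original answer and not Microsoft code), this Python check goes one step further and shows two reasons an ACL entry on a file in `market` may still not allow editing: the user needs execute (`--x`) on every parent directory, and a named-user entry is capped by the `mask` entry. Object IDs, paths and ACL strings are constructed; only named-user entries and the mask are evaluated, so owner, group, other and RBAC role assignments are ignored.

```python
# Added example: offline audit of ADLS Gen 2 access ACL strings.
# Object IDs, paths and ACL values are constructed sample data.
ALICE = "11111111-1111-1111-1111-111111111111"
BOB = "22222222-2222-2222-2222-222222222222"

# Path inside the container -> access ACL in short form "type:id:perms"
SAMPLE_ACLS = {
    "/": f"user::rwx,user:{ALICE}:--x,group::r-x,mask::r-x,other::---",
    "/market": f"user::rwx,user:{ALICE}:rwx,user:{BOB}:rwx,"
               "group::r-x,mask::rwx,other::---,"
               f"default:user:{ALICE}:rwx",
    "/market/prices.csv": f"user::rw-,user:{ALICE}:rw-,user:{BOB}:rw-,"
                          "group::r--,mask::rw-,other::---",
    "/market/locked.csv": f"user::rw-,user:{ALICE}:rw-,"
                          "group::r--,mask::r--,other::---",
}


def named_user_perms(acl, object_id):
    """Effective bits of a named-user entry: the entry ANDed with the mask."""
    entry, mask = "---", "rwx"
    for item in acl.split(","):
        parts = item.strip().split(":")
        if len(parts) != 3:  # skips blanks and "default:"-scoped entries
            continue
        kind, ident, perms = parts
        if kind == "user" and ident == object_id:
            entry = perms
        elif kind == "mask":
            mask = perms
    return "".join(e if e == m else "-" for e, m in zip(entry, mask))


def can_edit(acls, object_id, file_path):
    """True if the named user can traverse to file_path and read/write it."""
    parts = file_path.strip("/").split("/")
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for directory in ancestors:
        if "x" not in named_user_perms(acls.get(directory, ""), object_id):
            return False  # no execute on a parent directory blocks traversal
    perms = named_user_perms(acls.get(file_path, ""), object_id)
    return "r" in perms and "w" in perms


if __name__ == "__main__":
    for who, path in [(ALICE, "/market/prices.csv"), (BOB, "/market/prices.csv"),
                      (ALICE, "/market/locked.csv")]:
        print(who[:8], path, can_edit(SAMPLE_ACLS, who, path))
```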

AlanKinane answered

Hi, I'm assuming your users are accessing the storage containers through the Azure portal here. If so, you can use RBAC assignments to delegate permissions but you can only go as low as the container level, i.e. to container2 in your example. You can't assign permissions on the blob (file) level. https://docs.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory

If you use an Azure Files share instead then you can integrate this share with Active Directory to apply NTFS permissions at the file level. This might be the better option as you can mount this file share to your devices rather than accessing through the Azure portal. https://docs.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-active-directory-enable
