Hi,
I have a Synapse Workspace with 2 Lake Databases pointing to Gen 2 storage. All documentation points to the fact that we cannot create users against 'Replicated Dbs'. Any ideas on how bets to give User 1 access to one Lake Db and user 2 to another Lake Db. The option I can see available is giving users access to all Dbs with the Synapse Workspace, which is not great for data security. I also do not want to push the data to a standard AZ SQL instance... another copy ofvthe same data.
Thanks
Hello @ArifSyed-1648,
Thanks for the question and using MS Q&A platform.
We are reaching out to internal team to get more information about the requirement and will get back to you as soon as we have an update from the team.
Thank you
HI, Can I please get answer to the question in below link.
My questions stems from the D365 (Dynamics 365) platform. We are exporting data to the data lake (Dataverse/Synapse link) for CE and HR. These create Lake Databases in Synapse, one for each. I need to be able to implement data security. I could have separate Synapse Workspaces for each, but then I will not be able to create Synapse views across the two databases.
I may have had a light bulb moment. Lake databases in Synapse feed off datalake storage, I should be able to control user access at the storage - folder levels. The user will see the objects in the database but upon querying the access controls at storage level (gen2) will allow or prevent actual data retrieval.
Will need to test theory...
Hello @ArifSyed-1648,
Thanks for response. It is good idea to test; you may give a try with the alternative you have mentioned and keep us posted how it goes.
In the meantime, could you please confirm if you want user1 to access specific database with some specific feature (e.g. serverless SQL pool, Spark) or you need them to use all features? E.g. you can use custom roles/permissions via T-SQL for serverless SQL pool.
Hi,
the main challenge is around the Lake Databases, there is no ability to create users at the database level. We only want to give read access to certain users. At the moment our Synapse workspace has a mix of Serverless Dbs and Lake Dbs (Spark Db/replicated Db). Serverless Dbs we can create users just like any normal Db.
Some users may only require access to the Serverless Db, some only to the Lake Db and some to both.
We wish to avoid having separate Synapse Workspaces for each database.
Hope this makes thing clearer.
FYI... my team member is working through access controls at the Lake layer... will update
Thanks
Hi @ArifSyed-1648,
For Lake Databases (Spark or replicated) you can check this doc page to learn about granting permissions to server-level user. You can always manually specify which databases do you want some Azure AD user (or security group) to have access to, either serverless SQL pool databases or Lake Databases or however you want to organize.
Additionally, for serverless SQL pool databases you can create custom users/roles, but you can’t create users/roles in Lake databases, as these databases are read-only on serverless SQL pool level.
You can also add schema level permissions for some particular views/external tables.
Hope this info helps.
Thank you
11 people are following this question.
