Synapse RBAC Roles
This article describes the built-in Synapse RBAC (role-based access control) roles, the permissions they grant, and the scopes at which they can be assigned.
For more information on reviewing and assigning Synapse role memberships, see how to review Synapse RBAC role assignments and how to assign Synapse RBAC roles.
Built-in Synapse RBAC roles and scopes
The following table describes the built-in roles and the scopes at which they can be used.
Note
Users with any Synapse RBAC role at any scope automatically have the Synapse User role at workspace scope.
Important
Synapse RBAC roles do not grant permissions to create or manage SQL pools, Apache Spark pools, and Integration runtimes in Azure Synapse workspaces. Azure Owner or Azure Contributor roles on the resource group are required for these actions.
Role | Permissions | Scopes |
---|---|---|
Synapse Administrator | Full Synapse access to serverless and dedicated SQL pools, Data Explorer pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. Synapse RBAC roles can be assigned even when the associated subscription is disabled. Can read and write artifacts; can do all actions on Spark activities; can view Spark pool logs; can view saved notebook and pipeline output; can use the secrets stored by linked services or credentials; can assign and revoke Synapse RBAC roles at the current scope. | Workspace, Spark pool, Integration runtime, Linked service, Credential |
Synapse Apache Spark Administrator | Full Synapse access to Apache Spark pools. Create, read, update, and delete access to published Spark job definitions, notebooks and their outputs, and to libraries, linked services, and credentials. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. Can do all actions on Spark artifacts; can do all actions on Spark activities. | Workspace, Spark pool |
Synapse SQL Administrator | Full Synapse access to serverless SQL pools. Create, read, update, and delete access to published SQL scripts, credentials, and linked services. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. Can do all actions on SQL scripts; can connect to serverless SQL endpoints with the SQL db_datareader, db_datawriter, connect, and grant permissions. | Workspace |
Synapse Contributor | Full Synapse access to Apache Spark pools and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts and their outputs, including scheduled pipelines, credentials, and linked services. Includes Compute Operator permissions. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. Can read and write artifacts; can view saved notebook and pipeline output; can do all actions on Spark activities; can view Spark pool logs. | Workspace, Spark pool, Integration runtime |
Synapse Artifact Publisher | Create, read, update, and delete access to published code artifacts and their outputs, including scheduled pipelines. Doesn't include permission to run code or pipelines, or to grant access. Can read published artifacts and publish artifacts; can view saved notebook, Spark job, and pipeline output. | Workspace |
Synapse Artifact User | Read access to published code artifacts and their outputs. Can create new artifacts but can't publish changes or run code without additional permissions. | Workspace |
Synapse Compute Operator | Submit Spark jobs and notebooks and view logs. Includes canceling Spark jobs submitted by any user. Requires additional Credential User permissions on the workspace system identity to run pipelines and to view pipeline runs and outputs. Can submit and cancel jobs, including jobs submitted by others; can view Spark pool logs. | Workspace, Spark pool, Integration runtime |
Synapse Monitoring Operator | Read published code artifacts, including logs and outputs for pipeline runs and completed notebooks. Includes the ability to list and view details of Apache Spark pools, Data Explorer pools, and Integration runtimes. Requires additional permissions to run or cancel pipelines, Spark notebooks, and Spark jobs. | Workspace |
Synapse Credential User | Runtime and configuration-time use of secrets within credentials and linked services in activities like pipeline runs. To run pipelines, this role is required, scoped to the workspace system identity. Scoped to a credential, permits access to data via a linked service that is protected by the credential (may also require compute use permission); allows execution of pipelines protected by the workspace system identity credential. | Workspace, Linked service, Credential |
Synapse Linked Data Manager | Creation and management of managed private endpoints, linked services, and credentials. Can create managed private endpoints that use linked services protected by credentials. | Workspace |
Synapse User | List and view details of SQL pools, Apache Spark pools, Integration runtimes, and published linked services and credentials. Doesn't include other published code artifacts. Can create new artifacts but can't run or publish without additional permissions. Can list and read Spark pools and Integration runtimes. | Workspace, Spark pool, Linked service, Credential |
Synapse RBAC roles and the actions they permit
Note
- All actions listed in the tables below are prefixed with "Microsoft.Synapse/".
- All artifact read, write, and delete actions are with respect to published artifacts in the live service. These permissions do not affect access to artifacts in a connected Git repo.
The following table lists the built-in roles and the actions/permissions that each support.
Role | Actions |
---|---|
Synapse Administrator | workspaces/read; workspaces/roleAssignments/write, delete; workspaces/managedPrivateEndpoint/write, delete; workspaces/bigDataPools/useCompute/action; workspaces/bigDataPools/viewLogs/action; workspaces/integrationRuntimes/useCompute/action; workspaces/integrationRuntimes/viewLogs/action; workspaces/artifacts/read; workspaces/notebooks/write, delete; workspaces/sparkJobDefinitions/write, delete; workspaces/sqlScripts/write, delete; workspaces/kqlScripts/write, delete; workspaces/dataFlows/write, delete; workspaces/pipelines/write, delete; workspaces/triggers/write, delete; workspaces/datasets/write, delete; workspaces/libraries/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action; workspaces/linkedServices/useSecret/action; workspaces/credentials/useSecret/action; workspaces/linkConnections/read; workspaces/linkConnections/write; workspaces/linkConnections/delete; workspaces/linkConnections/useCompute/action |
Synapse Apache Spark Administrator | workspaces/read; workspaces/bigDataPools/useCompute/action; workspaces/bigDataPools/viewLogs/action; workspaces/notebooks/viewOutputs/action; workspaces/artifacts/read; workspaces/notebooks/write, delete; workspaces/sparkJobDefinitions/write, delete; workspaces/libraries/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete |
Synapse SQL Administrator | workspaces/read; workspaces/artifacts/read; workspaces/sqlScripts/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete |
Synapse Contributor | workspaces/read; workspaces/bigDataPools/useCompute/action; workspaces/bigDataPools/viewLogs/action; workspaces/integrationRuntimes/useCompute/action; workspaces/integrationRuntimes/viewLogs/action; workspaces/artifacts/read; workspaces/notebooks/write, delete; workspaces/sparkJobDefinitions/write, delete; workspaces/sqlScripts/write, delete; workspaces/kqlScripts/write, delete; workspaces/dataFlows/write, delete; workspaces/pipelines/write, delete; workspaces/triggers/write, delete; workspaces/datasets/write, delete; workspaces/libraries/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action; workspaces/linkConnections/read; workspaces/linkConnections/write; workspaces/linkConnections/delete; workspaces/linkConnections/useCompute/action |
Synapse Artifact Publisher | workspaces/read; workspaces/artifacts/read; workspaces/notebooks/write, delete; workspaces/sparkJobDefinitions/write, delete; workspaces/sqlScripts/write, delete; workspaces/kqlScripts/write, delete; workspaces/dataFlows/write, delete; workspaces/pipelines/write, delete; workspaces/triggers/write, delete; workspaces/datasets/write, delete; workspaces/libraries/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action |
Synapse Artifact User | workspaces/read; workspaces/artifacts/read; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action |
Synapse Compute Operator | workspaces/read; workspaces/bigDataPools/useCompute/action; workspaces/bigDataPools/viewLogs/action; workspaces/integrationRuntimes/useCompute/action; workspaces/integrationRuntimes/viewLogs/action; workspaces/linkConnections/read; workspaces/linkConnections/useCompute/action |
Synapse Monitoring Operator | workspaces/read; workspaces/artifacts/read; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action; workspaces/integrationRuntimes/viewLogs/action; workspaces/bigDataPools/viewLogs/action |
Synapse Credential User | workspaces/read; workspaces/linkedServices/useSecret/action; workspaces/credentials/useSecret/action |
Synapse Linked Data Manager | workspaces/read; workspaces/managedPrivateEndpoint/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete |
Synapse User | workspaces/read |
Synapse RBAC actions and the roles that permit them
The following table lists Synapse actions and the built-in roles that permit these actions:
Action | Roles |
---|---|
workspaces/read | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Compute Operator, Synapse Monitoring Operator, Synapse Credential User, Synapse Linked Data Manager, Synapse User |
workspaces/roleAssignments/write, delete | Synapse Administrator |
workspaces/managedPrivateEndpoint/write, delete | Synapse Administrator, Synapse Linked Data Manager |
workspaces/bigDataPools/useCompute/action | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Compute Operator |
workspaces/bigDataPools/viewLogs/action | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Compute Operator, Synapse Monitoring Operator |
workspaces/integrationRuntimes/useCompute/action | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
workspaces/integrationRuntimes/viewLogs/action | Synapse Administrator, Synapse Contributor, Synapse Compute Operator, Synapse Monitoring Operator |
workspaces/linkConnections/read | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
workspaces/linkConnections/useCompute/action | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
workspaces/artifacts/read | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Monitoring Operator |
workspaces/notebooks/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/sparkJobDefinitions/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/sqlScripts/write, delete | Synapse Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/kqlScripts/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/dataFlows/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/pipelines/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/linkConnections/write, delete | Synapse Administrator, Synapse Contributor |
workspaces/triggers/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/datasets/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/libraries/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/linkedServices/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Linked Data Manager |
workspaces/credentials/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Linked Data Manager |
workspaces/notebooks/viewOutputs/action | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Monitoring Operator |
workspaces/pipelines/viewOutputs/action | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Monitoring Operator |
workspaces/linkedServices/useSecret/action | Synapse Administrator, Synapse Credential User |
workspaces/credentials/useSecret/action | Synapse Administrator, Synapse Credential User |
Synapse RBAC scopes and their supported roles
The table below lists Synapse RBAC scopes and the roles that can be assigned at each scope.
Note
To create or delete an object you must have permissions at a higher-level scope.
Scope | Roles |
---|---|
Workspace | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Compute Operator, Synapse Monitoring Operator, Synapse Credential User, Synapse Linked Data Manager, Synapse User |
Apache Spark pool | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
Integration runtime | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
Linked service | Synapse Administrator, Synapse Credential User |
Credential | Synapse Administrator, Synapse Credential User |
Note
All artifact roles and actions are scoped at the workspace level.
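The tables above are easiest to act on as an audit: given a workspace's role assignments, which principals can grant roles, which can use every credential, and which can run pipelines under the workspace system identity, including principals whose individual roles look harmless (a Synapse Contributor who is also a Synapse Credential User on the system identity credential can rewrite a linked service and then execute it as the workspace identity). The following Python script is an added example, not code from this article or from Azure Synapse. It assumes the JSON field names returned by `az synapse role assignment list` (principalId, roleDefinitionId, scope), a roleDefinitionId-to-name map such as `az synapse role definition list` produces, the scope string format `workspaces/<ws>[/<type>/<name>]`, and a credential named WorkspaceSystemIdentity for the workspace managed identity; the GUIDs, principal IDs and assignments are constructed sample data.

```python
"""Audit Synapse RBAC role assignments for high-risk grants.

Added example, not code from the Microsoft article. Assumes the JSON shape
of `az synapse role assignment list` (principalId, roleDefinitionId, scope)
and a roleDefinitionId -> role-name map like `az synapse role definition list`
returns; the GUIDs, principal IDs and credential name are constructed.
"""
import json
from collections import defaultdict

# Subset of the article's role -> action table ("Microsoft.Synapse/" prefix
# omitted), limited to the actions this audit reasons about.
ROLE_ACTIONS = {
    "Synapse Administrator": {
        "workspaces/read", "workspaces/roleAssignments/write",
        "workspaces/credentials/write", "workspaces/linkedServices/write",
        "workspaces/credentials/useSecret/action",
        "workspaces/linkedServices/useSecret/action",
        "workspaces/bigDataPools/useCompute/action",
    },
    "Synapse Contributor": {
        "workspaces/read", "workspaces/credentials/write",
        "workspaces/linkedServices/write",
        "workspaces/bigDataPools/useCompute/action",
    },
    "Synapse Credential User": {
        "workspaces/read", "workspaces/credentials/useSecret/action",
        "workspaces/linkedServices/useSecret/action",
    },
    "Synapse Compute Operator": {
        "workspaces/read", "workspaces/bigDataPools/useCompute/action",
    },
    "Synapse User": {"workspaces/read"},
}

# Assumed name of the credential that wraps the workspace managed identity.
SYSTEM_IDENTITY_CREDENTIAL = "WorkspaceSystemIdentity"


def workspace_of(scope: str) -> str:
    """'workspaces/<ws>/...' -> 'workspaces/<ws>' (assumed scope format)."""
    return "/".join(scope.split("/")[:2])


def scope_covers(granted: str, target: str) -> bool:
    """A grant at workspace scope reaches every object below it; a grant on
    one object (pool, runtime, linked service, credential) reaches only it."""
    return target == granted or target.startswith(granted + "/")


def effective_actions(assignments, role_names, target_scope):
    """principalId -> actions effective at target_scope. Any assignment in the
    workspace also confers Synapse User (workspaces/read) workspace-wide."""
    acts = defaultdict(set)
    for a in assignments:
        if workspace_of(a["scope"]) != workspace_of(target_scope):
            continue
        acts[a["principalId"]] |= ROLE_ACTIONS["Synapse User"]
        if scope_covers(a["scope"], target_scope):
            role = role_names.get(a["roleDefinitionId"], "")
            acts[a["principalId"]] |= ROLE_ACTIONS.get(role, set())
    return dict(acts)


def audit(assignments, role_names, workspace):
    """principalId -> list of high-risk capabilities, derived from effective
    actions at workspace scope and on the system identity credential."""
    ws = f"workspaces/{workspace}"
    sys_cred = f"{ws}/credentials/{SYSTEM_IDENTITY_CREDENTIAL}"
    at_ws = effective_actions(assignments, role_names, ws)
    at_cred = effective_actions(assignments, role_names, sys_cred)
    findings = {}
    for pid in sorted(at_ws):
        ws_acts, cred_acts = at_ws[pid], at_cred.get(pid, set())
        hits = []
        if "workspaces/roleAssignments/write" in ws_acts:
            hits.append("can grant Synapse RBAC roles")
        if "workspaces/credentials/useSecret/action" in ws_acts:
            hits.append("can use every credential in the workspace")
        if "workspaces/credentials/useSecret/action" in cred_acts:
            hits.append("can run pipelines as the workspace system identity")
            # Toxic combination: redefine a linked service or credential,
            # then execute it under the workspace identity.
            if ws_acts & {"workspaces/credentials/write",
                          "workspaces/linkedServices/write"}:
                hits.append("can rewrite linked services/credentials "
                            "and execute them as the system identity")
        if hits:
            findings[pid] = hits
    return findings


# Constructed sample: GUIDs stand in for real roleDefinitionIds.
SAMPLE_ROLE_NAMES = {
    "11111111-1111-1111-1111-111111111111": "Synapse Administrator",
    "22222222-2222-2222-2222-222222222222": "Synapse Contributor",
    "33333333-3333-3333-3333-333333333333": "Synapse Credential User",
    "44444444-4444-4444-4444-444444444444": "Synapse Compute Operator",
}
SAMPLE_ASSIGNMENTS = json.loads("""[
 {"principalId": "alice", "roleDefinitionId": "11111111-1111-1111-1111-111111111111", "scope": "workspaces/ws1"},
 {"principalId": "bob",   "roleDefinitionId": "22222222-2222-2222-2222-222222222222", "scope": "workspaces/ws1"},
 {"principalId": "bob",   "roleDefinitionId": "33333333-3333-3333-3333-333333333333", "scope": "workspaces/ws1/credentials/WorkspaceSystemIdentity"},
 {"principalId": "carol", "roleDefinitionId": "44444444-4444-4444-4444-444444444444", "scope": "workspaces/ws1/bigDataPools/spark1"},
 {"principalId": "dave",  "roleDefinitionId": "33333333-3333-3333-3333-333333333333", "scope": "workspaces/ws1"}
]""")

if __name__ == "__main__":
    for pid, hits in audit(SAMPLE_ASSIGNMENTS, SAMPLE_ROLE_NAMES, "ws1").items():
        print(pid, "->", "; ".join(hits))
```

On the sample data, carol (Compute Operator on one Spark pool only) produces no finding, dave (Credential User at workspace scope) is flagged for reaching every credential including the system identity, and bob, whose two roles are individually limited, is flagged for the write-plus-useSecret combination. To run it against a real workspace, replace the two sample structures with the parsed output of the two `az synapse` commands named above.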
Next steps
- Learn how to review Synapse RBAC role assignments for a workspace.
- Learn how to assign Synapse RBAC roles.