Synapse RBAC Roles

Article
06/16/2023

The article describes the built-in Synapse RBAC (role-based access control) roles, the permissions they grant, and the scopes at which they can be used.

For more information on reviewing and assigning Synapse role memberships, see how to review Synapse RBAC role assignments and how to assign Synapse RBAC roles.

Built-in Synapse RBAC roles and scopes

The following table describes the built-in roles and the scopes at which they can be used.

Note

Users with any Synapse RBAC role at any scope automatically have the Synapse User role at workspace scope.

Important

Synapse RBAC roles do not grant permissions to create or manage SQL pools, Apache Spark pools, and Integration runtimes in Azure Synapse workspaces. Azure Owner or Azure Contributor roles on the resource group are required for these actions.

Role	Permissions	Scopes
Synapse Administrator	Full Synapse access to serverless and dedicated SQL pools, Data Explorer pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. Synapse RBAC roles can be assigned even when the associated subscription is disabled. Can read and write artifacts Can do all actions on Spark activities. Can view Spark pool logs Can view saved notebook and pipeline output Can use the secrets stored by linked services or credentials Can assign and revoke Synapse RBAC roles at current scope	Workspace Spark pool Integration runtime Linked service Credential
Synapse Apache Spark Administrator	Full Synapse access to Apache Spark Pools. Create, read, update, and delete access to published Spark job definitions, notebooks and their outputs, and to libraries, linked services, and credentials. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. Can do all actions on Spark artifacts Can do all actions on Spark activities	Workspace Spark pool
Synapse SQL Administrator	Full Synapse access to serverless SQL pools. Create, read, update, and delete access to published SQL scripts, credentials, and linked services. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. Can do all actions on SQL scripts Can connect to SQL serverless endpoints with SQL `db_datareader`, `db_datawriter`, `connect`, and `grant` permissions	Workspace
Synapse Contributor	Full Synapse access to Apache Spark pools and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts and their outputs, including scheduled pipelines, credentials and linked services. Includes compute operator permissions. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. Can read and write artifacts Can view saved notebook and pipeline output Can do all actions on Spark activities Can view Spark pool logs	Workspace Spark pool Integration runtime
Synapse Artifact Publisher	Create, read, update, and delete access to published code artifacts and their outputs, including scheduled pipelines. Doesn't include permission to run code or pipelines, or to grant access. Can read published artifacts and publish artifacts Can view saved notebook, Spark job, and pipeline output	Workspace
Synapse Artifact User	Read access to published code artifacts and their outputs. Can create new artifacts but can't publish changes or run code without additional permissions.	Workspace
Synapse Compute Operator	Submit Spark jobs and notebooks and view logs. Includes canceling Spark jobs submitted by any user. Requires additional use credential permissions on the workspace system identity to run pipelines, view pipeline runs and outputs. Can submit and cancel jobs, including jobs submitted by others Can view Spark pool logs	Workspace Spark pool Integration runtime
Synapse Monitoring Operator	Read published code artifacts, including logs and outputs for pipeline runs and completed notebooks. Includes ability to list and view details of Apache Spark pools, Data Explorer pools, and Integration runtimes. Requires additional permissions to run/cancel pipelines, Spark notebooks, and Spark jobs.	Workspace
Synapse Credential User	Runtime and configuration-time use of secrets within credentials and linked services in activities like pipeline runs. To run pipelines, this role is required, scoped to the workspace system identity. Scoped to a credential, permits access to data via a linked service that is protected by the credential (may also require compute use permission) Allows execution of pipelines protected by the workspace system identity credential	Workspace Linked Service Credential
Synapse Linked Data Manager	Creation and management of managed private endpoints, linked services, and credentials. Can create managed private endpoints that use linked services protected by credentials	Workspace
Synapse User	List and view details of SQL pools, Apache Spark pools, Integration runtimes, and published linked services and credentials. Doesn't include other published code artifacts. Can create new artifacts but can't run or publish without additional permissions. Can list and read Spark pools, Integration runtimes.	Workspace, Spark pool Linked service Credential