Synapse RBAC Roles

This article describes the built-in Synapse RBAC roles, the permissions they grant, and the scopes at which they can be assigned.

What's changed since the preview?

For users familiar with the Synapse RBAC roles provided during the preview, the following changes apply:

  • Workspace Admin is renamed Synapse Administrator
  • Apache Spark Admin is renamed Synapse Apache Spark Administrator and has permission to see all published code artifacts, including SQL scripts. This role no longer gives permission to use the workspace MSI, which requires the Synapse Credential User role. This permission is required to run pipelines.
  • SQL Admin is renamed Synapse SQL Administrator and has permission to see all published code artifacts, including Spark notebooks and jobs. This role no longer gives permission to use the workspace MSI, which requires the Synapse Credential User role. This permission is required to run pipelines.
  • New finer-grained Synapse RBAC roles are introduced that focus on supporting development and operations personas rather than specific analytics runtimes.
  • New lower-level scopes are introduced for several roles. These scopes allow roles to be restricted to specific resources or objects.

Built-in Synapse RBAC roles and scopes

The following table describes the built-in roles and the scopes at which they can be used.

Note

Users with any Synapse RBAC role at any scope automatically have the Synapse User role at workspace scope.

Important

Synapse RBAC roles do not grant permissions to create or manage SQL pools, Apache Spark pools, and Integration runtimes in Synapse workspaces. Azure Owner or Azure Contributor roles on the resource group are required for these actions.

Role: Synapse Administrator
Permissions: Full Synapse access to serverless SQL pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources.
  • Can read and write artifacts
  • Can do all actions on Spark activities
  • Can view Spark pool logs
  • Can view saved notebook and pipeline output
  • Can use the secrets stored by linked services or credentials
  • Can assign and revoke Synapse RBAC roles at current scope
Scopes: Workspace, Spark pool, Integration runtime, Linked service, Credential

Role: Synapse Apache Spark Administrator
Permissions: Full Synapse access to Apache Spark pools. Create, read, update, and delete access to published Spark job definitions, notebooks and their outputs, and to libraries, linked services, and credentials. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.
  • Can do all actions on Spark artifacts
  • Can do all actions on Spark activities
Scopes: Workspace, Spark pool

Role: Synapse SQL Administrator
Permissions: Full Synapse access to serverless SQL pools. Create, read, update, and delete access to published SQL scripts, credentials, and linked services. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.
  • Can do all actions on SQL scripts
  • Can connect to SQL serverless endpoints with SQL db_datareader, db_datawriter, connect, and grant permissions
Scopes: Workspace

Role: Synapse Contributor
Permissions: Full Synapse access to Apache Spark pools and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts and their outputs, including credentials and linked services. Includes compute operator permissions. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.
  • Can read and write artifacts
  • Can view saved notebook and pipeline output
  • Can do all actions on Spark activities
  • Can view Spark pool logs
Scopes: Workspace, Spark pool, Integration runtime

Role: Synapse Artifact Publisher
Permissions: Create, read, update, and delete access to published code artifacts and their outputs. Doesn't include permission to run code or pipelines, or to grant access.
  • Can read published artifacts and publish artifacts
  • Can view saved notebook, Spark job, and pipeline output
Scopes: Workspace

Role: Synapse Artifact User
Permissions: Read access to published code artifacts and their outputs. Can create new artifacts but can't publish changes or run code without additional permissions.
Scopes: Workspace

Role: Synapse Compute Operator
Permissions: Submit Spark jobs and notebooks and view logs. Includes canceling Spark jobs submitted by any user. Requires additional use-credential permissions on the workspace system identity to run pipelines and to view pipeline runs and outputs.
  • Can submit and cancel jobs, including jobs submitted by others
  • Can view Spark pool logs
Scopes: Workspace, Spark pool, Integration runtime

Role: Synapse Credential User
Permissions: Runtime and configuration-time use of secrets within credentials and linked services in activities like pipeline runs. To run pipelines, this role is required, scoped to the workspace system identity.
  • Scoped to a credential, permits access to data via a linked service that is protected by the credential (also requires compute use permission)
  • Allows execution of pipelines protected by the workspace system identity credential (with additional compute use permission)
Scopes: Workspace, Linked service, Credential

Role: Synapse Linked Data Manager
Permissions: Creation and management of managed private endpoints, linked services, and credentials.
  • Can create managed private endpoints that use linked services protected by credentials
Scopes: Workspace

Role: Synapse User
Permissions: List and view details of SQL pools, Apache Spark pools, Integration runtimes, and published linked services and credentials. Doesn't include other published code artifacts. Can create new artifacts but can't run or publish without additional permissions.
  • Can list and read Spark pools and Integration runtimes
Scopes: Workspace, Spark pool, Linked service, Credential

Synapse RBAC roles and the actions they permit

Note

  • All actions listed in the tables below are prefixed with "Microsoft.Synapse/".
  • All artifact read, write, and delete actions are with respect to published artifacts in the live service. These permissions do not affect access to artifacts in a connected Git repo.

The following table lists the built-in roles and the actions/permissions that each supports.

Synapse Administrator:
  • workspaces/read
  • workspaces/roleAssignments/write, delete
  • workspaces/managedPrivateEndpoint/write, delete
  • workspaces/bigDataPools/useCompute/action
  • workspaces/bigDataPools/viewLogs/action
  • workspaces/integrationRuntimes/useCompute/action
  • workspaces/integrationRuntimes/viewLogs/action
  • workspaces/artifacts/read
  • workspaces/notebooks/write, delete
  • workspaces/sparkJobDefinitions/write, delete
  • workspaces/sqlScripts/write, delete
  • workspaces/dataFlows/write, delete
  • workspaces/pipelines/write, delete
  • workspaces/triggers/write, delete
  • workspaces/datasets/write, delete
  • workspaces/libraries/write, delete
  • workspaces/linkedServices/write, delete
  • workspaces/credentials/write, delete
  • workspaces/notebooks/viewOutputs/action
  • workspaces/pipelines/viewOutputs/action
  • workspaces/linkedServices/useSecret/action
  • workspaces/credentials/useSecret/action

Synapse Apache Spark Administrator:
  • workspaces/read
  • workspaces/bigDataPools/useCompute/action
  • workspaces/bigDataPools/viewLogs/action
  • workspaces/notebooks/viewOutputs/action
  • workspaces/artifacts/read
  • workspaces/notebooks/write, delete
  • workspaces/sparkJobDefinitions/write, delete
  • workspaces/libraries/write, delete
  • workspaces/linkedServices/write, delete
  • workspaces/credentials/write, delete

Synapse SQL Administrator:
  • workspaces/read
  • workspaces/artifacts/read
  • workspaces/sqlScripts/write, delete
  • workspaces/linkedServices/write, delete
  • workspaces/credentials/write, delete

Synapse Contributor:
  • workspaces/read
  • workspaces/bigDataPools/useCompute/action
  • workspaces/bigDataPools/viewLogs/action
  • workspaces/integrationRuntimes/useCompute/action
  • workspaces/integrationRuntimes/viewLogs/action
  • workspaces/artifacts/read
  • workspaces/notebooks/write, delete
  • workspaces/sparkJobDefinitions/write, delete
  • workspaces/sqlScripts/write, delete
  • workspaces/dataFlows/write, delete
  • workspaces/pipelines/write, delete
  • workspaces/triggers/write, delete
  • workspaces/datasets/write, delete
  • workspaces/libraries/write, delete
  • workspaces/linkedServices/write, delete
  • workspaces/credentials/write, delete
  • workspaces/notebooks/viewOutputs/action
  • workspaces/pipelines/viewOutputs/action

Synapse Artifact Publisher:
  • workspaces/read
  • workspaces/artifacts/read
  • workspaces/notebooks/write, delete
  • workspaces/sparkJobDefinitions/write, delete
  • workspaces/sqlScripts/write, delete
  • workspaces/dataFlows/write, delete
  • workspaces/pipelines/write, delete
  • workspaces/triggers/write, delete
  • workspaces/datasets/write, delete
  • workspaces/libraries/write, delete
  • workspaces/linkedServices/write, delete
  • workspaces/credentials/write, delete
  • workspaces/notebooks/viewOutputs/action
  • workspaces/pipelines/viewOutputs/action

Synapse Artifact User:
  • workspaces/read
  • workspaces/artifacts/read
  • workspaces/notebooks/viewOutputs/action
  • workspaces/pipelines/viewOutputs/action

Synapse Compute Operator:
  • workspaces/read
  • workspaces/bigDataPools/useCompute/action
  • workspaces/bigDataPools/viewLogs/action
  • workspaces/integrationRuntimes/useCompute/action
  • workspaces/integrationRuntimes/viewLogs/action

Synapse Credential User:
  • workspaces/read
  • workspaces/linkedServices/useSecret/action
  • workspaces/credentials/useSecret/action

Synapse Linked Data Manager:
  • workspaces/read
  • workspaces/managedPrivateEndpoint/write, delete
  • workspaces/linkedServices/write, delete
  • workspaces/credentials/write, delete

Synapse User:
  • workspaces/read
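The role-to-action table above, together with the scope rules from the roles table, can be turned into a small evaluator. The following Python is an added example, not code from the Synapse documentation or the Azure SDK: it transcribes the role-to-action map from the table above, answers whether a principal holding a set of assignments can perform an action at a given scope (applying this page's rule that any Synapse RBAC role at any scope implies Synapse User at workspace scope), and finds the least-privilege combination of built-in roles that covers a required set of actions. The slash-separated scope paths, the downward inheritance of an assignment to the objects beneath its scope, the (principal, role, scope) tuple format, and the sample assignments are assumptions made for the example.

```python
"""Effective-permission evaluator for Synapse RBAC built-in roles (added example)."""
from itertools import combinations

PREFIX = "Microsoft.Synapse/"   # the page writes actions without this prefix; accept both
ARTIFACT_TYPES = ("notebooks", "sparkJobDefinitions", "sqlScripts", "dataFlows", "pipelines",
                  "triggers", "datasets", "libraries", "linkedServices", "credentials")


def write_delete(*types):
    """Expand a table entry such as 'workspaces/notebooks/write, delete' into two actions."""
    return {f"workspaces/{t}/{op}" for t in types for op in ("write", "delete")}


READ = {"workspaces/read"}
SPARK_COMPUTE = {"workspaces/bigDataPools/useCompute/action",
                 "workspaces/bigDataPools/viewLogs/action"}
IR_COMPUTE = {"workspaces/integrationRuntimes/useCompute/action",
              "workspaces/integrationRuntimes/viewLogs/action"}
ARTIFACT_READ = {"workspaces/artifacts/read"}
VIEW_OUTPUTS = {"workspaces/notebooks/viewOutputs/action",
                "workspaces/pipelines/viewOutputs/action"}
USE_SECRET = {"workspaces/linkedServices/useSecret/action",
              "workspaces/credentials/useSecret/action"}

# Transcribed from the "roles and the actions they permit" table on this page.
ROLE_ACTIONS = {
    "Synapse Administrator": (READ | write_delete("roleAssignments", "managedPrivateEndpoint")
                              | SPARK_COMPUTE | IR_COMPUTE | ARTIFACT_READ
                              | write_delete(*ARTIFACT_TYPES) | VIEW_OUTPUTS | USE_SECRET),
    "Synapse Apache Spark Administrator": (
        READ | SPARK_COMPUTE | {"workspaces/notebooks/viewOutputs/action"} | ARTIFACT_READ
        | write_delete("notebooks", "sparkJobDefinitions", "libraries",
                       "linkedServices", "credentials")),
    "Synapse SQL Administrator": (READ | ARTIFACT_READ
                                  | write_delete("sqlScripts", "linkedServices", "credentials")),
    "Synapse Contributor": (READ | SPARK_COMPUTE | IR_COMPUTE | ARTIFACT_READ
                            | write_delete(*ARTIFACT_TYPES) | VIEW_OUTPUTS),
    "Synapse Artifact Publisher": (READ | ARTIFACT_READ | write_delete(*ARTIFACT_TYPES)
                                   | VIEW_OUTPUTS),
    "Synapse Artifact User": READ | ARTIFACT_READ | VIEW_OUTPUTS,
    "Synapse Compute Operator": READ | SPARK_COMPUTE | IR_COMPUTE,
    "Synapse Credential User": READ | USE_SECRET,
    "Synapse Linked Data Manager": (READ | write_delete("managedPrivateEndpoint",
                                                        "linkedServices", "credentials")),
    "Synapse User": set(READ),
}


def _strip(action):
    return action[len(PREFIX):] if action.startswith(PREFIX) else action


def _covers(assigned_scope, target_scope):
    """Assumed hierarchy: an assignment applies to its scope and every object beneath it."""
    return target_scope == assigned_scope or target_scope.startswith(assigned_scope + "/")


def _workspace_of(scope):
    return "/".join(scope.split("/")[:2])          # "workspaces/<name>"


def effective_roles(assignments, principal, scope):
    """Roles in force for `principal` at `scope`. Per the note on this page, holding any
    Synapse RBAC role anywhere in the workspace implies Synapse User at workspace scope."""
    roles = {r for p, r, s in assignments if p == principal and _covers(s, scope)}
    if any(p == principal and _workspace_of(s) == _workspace_of(scope)
           for p, _, s in assignments):
        roles.add("Synapse User")
    return roles


def allowed(assignments, principal, action, scope):
    """True if some effective role grants `action` at `scope`."""
    action = _strip(action)
    return any(action in ROLE_ACTIONS.get(r, set())
               for r in effective_roles(assignments, principal, scope))


def least_privilege_roles(required, max_roles=3):
    """Built-in role combination covering every required action that grants the fewest
    actions overall (ties broken by fewer roles); None if nothing up to max_roles fits."""
    required = {_strip(a) for a in required}
    best = None
    for n in range(1, max_roles + 1):
        for combo in combinations(ROLE_ACTIONS, n):
            granted = set().union(*(ROLE_ACTIONS[r] for r in combo))
            if required <= granted and (best is None or (len(granted), n) < best[0]):
                best = ((len(granted), n), set(combo))
    return best[1] if best else None


if __name__ == "__main__":
    # Constructed sample assignments; principal, pool and credential names are invented.
    sample = [
        ("alice", "Synapse Compute Operator", "workspaces/ws1/bigDataPools/pool1"),
        ("alice", "Synapse Credential User", "workspaces/ws1/credentials/WorkspaceSystemIdentity"),
        ("bob", "Synapse Artifact User", "workspaces/ws1"),
    ]
    print(allowed(sample, "alice", PREFIX + "workspaces/bigDataPools/useCompute/action",
                  "workspaces/ws1/bigDataPools/pool2"))     # False: scoped to pool1 only
    print(sorted(least_privilege_roles(["workspaces/bigDataPools/useCompute/action",
                                        "workspaces/credentials/useSecret/action"])))
```

The least-privilege search reproduces the page's guidance for a pipeline-running identity: a principal that must submit Spark work and use the workspace system identity is best served by Synapse Compute Operator plus Synapse Credential User, not by Synapse Administrator, which also carries role assignment and artifact delete rights.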

Synapse RBAC actions and the roles that permit them

The following table lists Synapse actions and the built-in roles that permit these actions:

  • workspaces/read: Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Compute Operator, Synapse Credential User, Synapse Linked Data Manager, Synapse User
  • workspaces/roleAssignments/write, delete: Synapse Administrator
  • workspaces/managedPrivateEndpoint/write, delete: Synapse Administrator, Synapse Linked Data Manager
  • workspaces/bigDataPools/useCompute/action: Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Compute Operator
  • workspaces/bigDataPools/viewLogs/action: Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Compute Operator
  • workspaces/integrationRuntimes/useCompute/action: Synapse Administrator, Synapse Contributor, Synapse Compute Operator
  • workspaces/integrationRuntimes/viewLogs/action: Synapse Administrator, Synapse Contributor, Synapse Compute Operator
  • workspaces/artifacts/read: Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User
  • workspaces/notebooks/write, delete: Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher
  • workspaces/sparkJobDefinitions/write, delete: Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher
  • workspaces/sqlScripts/write, delete: Synapse Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher
  • workspaces/dataFlows/write, delete: Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher
  • workspaces/pipelines/write, delete: Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher
  • workspaces/triggers/write, delete: Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher
  • workspaces/datasets/write, delete: Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher
  • workspaces/libraries/write, delete: Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher
  • workspaces/linkedServices/write, delete: Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Linked Data Manager
  • workspaces/credentials/write, delete: Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Linked Data Manager
  • workspaces/notebooks/viewOutputs/action: Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User
  • workspaces/pipelines/viewOutputs/action: Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User
  • workspaces/linkedServices/useSecret/action: Synapse Administrator, Synapse Credential User
  • workspaces/credentials/useSecret/action: Synapse Administrator, Synapse Credential User

Synapse RBAC scopes and their supported roles

The table below lists Synapse RBAC scopes and the roles that can be assigned at each scope.

Note

To create or delete an object you must have permissions at a higher-level scope.

  • Workspace: Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Compute Operator, Synapse Credential User, Synapse Linked Data Manager, Synapse User
  • Apache Spark pool: Synapse Administrator, Synapse Contributor, Synapse Compute Operator
  • Integration runtime: Synapse Administrator, Synapse Contributor, Synapse Compute Operator
  • Linked service: Synapse Administrator, Synapse Credential User
  • Credential: Synapse Administrator, Synapse Credential User

Note

All artifact roles and actions are scoped at the workspace level.
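As an added example (not code from the Synapse documentation), the following Python checks each assignment against the scope table above and flags the two secret-using roles when they are granted at workspace scope, where the Credential User entry earlier on this page says a credential-level assignment on the workspace system identity is what pipeline runs need. The scope path layout ("workspaces/<ws>/<kind>/<object>"), the (principal, role, scope) tuple format, and the sample assignments are assumptions made for the example.

```python
"""Scope check and over-breadth audit for Synapse RBAC assignments (added example)."""

# Transcribed from the "scopes and their supported roles" table on this page.
SCOPE_ROLES = {
    "Workspace": {
        "Synapse Administrator", "Synapse Apache Spark Administrator",
        "Synapse SQL Administrator", "Synapse Contributor", "Synapse Artifact Publisher",
        "Synapse Artifact User", "Synapse Compute Operator", "Synapse Credential User",
        "Synapse Linked Data Manager", "Synapse User"},
    "Apache Spark pool": {"Synapse Administrator", "Synapse Contributor",
                          "Synapse Compute Operator"},
    "Integration runtime": {"Synapse Administrator", "Synapse Contributor",
                            "Synapse Compute Operator"},
    "Linked service": {"Synapse Administrator", "Synapse Credential User"},
    "Credential": {"Synapse Administrator", "Synapse Credential User"},
}

# Assumed scope path layout: "workspaces/<ws>" or "workspaces/<ws>/<segment>/<object>".
SEGMENT_KIND = {"bigDataPools": "Apache Spark pool",
                "integrationRuntimes": "Integration runtime",
                "linkedServices": "Linked service",
                "credentials": "Credential"}

# The two roles the actions table lists for the useSecret actions.
SECRET_USING_ROLES = {"Synapse Administrator", "Synapse Credential User"}


def scope_kind(scope):
    """Map a scope path to the scope kind used in the table above."""
    parts = scope.split("/")
    if parts[0] != "workspaces" or len(parts) not in (2, 4):
        raise ValueError(f"unrecognised scope: {scope}")
    if len(parts) == 4 and parts[2] not in SEGMENT_KIND:
        raise ValueError(f"unrecognised scope: {scope}")
    return "Workspace" if len(parts) == 2 else SEGMENT_KIND[parts[2]]


def assignable(role, scope):
    """True if the page's scope table allows `role` at the kind of scope `scope` names."""
    return role in SCOPE_ROLES[scope_kind(scope)]


def audit(assignments):
    """Findings for (principal, role, scope) tuples: role/scope pairs the table does not
    allow, and secret-using roles granted at workspace scope, which reach every credential
    and linked service although a pipeline needs only the workspace system identity."""
    findings = []
    for principal, role, scope in assignments:
        if not assignable(role, scope):
            findings.append((principal, role, scope,
                             f"{role} cannot be assigned at {scope_kind(scope)} scope"))
        elif role in SECRET_USING_ROLES and scope_kind(scope) == "Workspace":
            findings.append((principal, role, scope,
                             "secret use over every credential and linked service; "
                             "scope to the specific credential where possible"))
    return findings


if __name__ == "__main__":
    # Constructed sample; principal, runtime, pool and credential names are invented.
    sample = [
        ("etl-sp", "Synapse Credential User", "workspaces/ws1"),
        ("etl-sp", "Synapse Compute Operator", "workspaces/ws1/integrationRuntimes/ir1"),
        ("dev", "Synapse Artifact Publisher", "workspaces/ws1/bigDataPools/pool1"),
        ("dev", "Synapse Credential User", "workspaces/ws1/credentials/WorkspaceSystemIdentity"),
    ]
    for finding in audit(sample):
        print(finding)
```

Only the first and third sample assignments produce findings: the workspace-wide Credential User grant is valid but broader than a pipeline identity needs, and Artifact Publisher is not among the roles the table allows at Apache Spark pool scope, which matches the note that artifact roles are scoped at the workspace level.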

Next steps

Learn how to review Synapse RBAC role assignments for a workspace.

Learn how to assign Synapse RBAC roles.