InSpark
Erwin de Kreuk
Dealing with different Roles in Azure Synapse Analytics
We help organizations accelerate their digital transformation with impactful Microsoft solutions & expertise.
We Are InSpark
Roles in Azure Synapse Analytics
Access Control in Azure Synapse:
- Azure Roles
- Synapse Roles
- SQL Roles
- Git Permissions
[Diagram: Azure Synapse Studio (Integration, Management, Monitoring, Security) on top of Analytics runtimes and Integration runtimes with Azure Data Lake Storage. Resource Group Development and Resource Group Production each hold a Workspace with Workspace Items: Apache Spark Pool, Integration Runtime, Linked Services, Credentials. Personas: Data Engineers and Data Scientists.]
Azure Roles: Resource Management
Azure Owner or Contributor
- on the Resource Group: Create Synapse Workspace, Manage Synapse Workspace
- on the Synapse Resource: Manage Synapse Workspace
Azure Contributor
- on the Resource Group: ARM templates for automated deployment
Azure Roles: Access Management (Azure Data Lake Storage)
- Azure Storage Blob Data Contributor: user and workspace MSI
- Reader: Resource Group or Synapse Workspace
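The two Azure role assignments on this slide, written out with Az PowerShell as an added example (not from the slides). Resource group, workspace, storage account and security group names are placeholders; the assignment is scoped to the storage account rather than the subscription.

```powershell
# Added example: Azure RBAC for the data lake, as the slide describes.
# Placeholders, replace with your own names:
$rg        = "rg-synapse-dev"
$workspace = "syn-dev-ws"
$storage   = "stsyndevlake"
$groupName = "sg-synapse-data-engineers"

# Scope the assignments to the storage account only (least privilege).
$scope = (Get-AzStorageAccount -ResourceGroupName $rg -Name $storage).Id

# 1. Workspace managed identity (MSI): Synapse reads and writes the lake with it.
$msi = (Get-AzSynapseWorkspace -ResourceGroupName $rg -Name $workspace).Identity.PrincipalId
New-AzRoleAssignment -ObjectId $msi -RoleDefinitionName "Storage Blob Data Contributor" -Scope $scope

# 2. Users: assign through a security group, not to individual accounts.
$group = Get-AzADGroup -DisplayName $groupName
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Storage Blob Data Contributor" -Scope $scope

# 3. Reader on the resource group, so the group can see the workspace in the portal.
New-AzRoleAssignment -ObjectId $group.Id -RoleDefinitionName "Reader" -ResourceGroupName $rg

# Check: what is effective on the storage account after the changes.
Get-AzRoleAssignment -Scope $scope | Select-Object DisplayName, RoleDefinitionName, Scope
```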
Synapse Roles: overview
Administrators:
- Synapse Administrator
- Synapse Apache Spark Administrator
- Synapse SQL Administrator
- Synapse Data Explorer Administrator????
Other roles:
- Synapse Linked Data Manager
- Synapse Credential User
- Synapse Contributor
Synapse Roles: Administrators
Roles:
- Synapse Administrator
- Synapse SQL Administrator
- Synapse Apache Spark Administrator
- SQL Active Directory Admin
Synapse Roles: Synapse Administrator
Activities:
- Can read and write artifacts
- Can do all actions on Spark activities
- Can view Spark pool logs
- Can view saved notebook and pipeline output
- Can use the secrets stored by linked services or credentials
- Can assign and revoke Synapse RBAC roles at current scope
Synapse Roles: Synapse Apache Spark Administrator
Activities:
- Can do all actions on Spark artifacts
- Can do all actions on Spark activities
Synapse Roles: Synapse SQL Administrator
Activities:
- Can do all actions on SQL scripts
- Can connect to SQL serverless endpoints with SQL db_datareader, db_datawriter, connect, and grant permissions
Synapse Roles: Non-Administrators
- Contributor
- Artifact Publisher
- Artifact User
- Compute Operator
- Linked Data Manager
- Credential User
- User
Synapse Roles: Workspace scope
Roles:
- Synapse Contributor
- Synapse Artifact Publisher
- Synapse Artifact User
- Synapse Compute Operator
- Synapse Credential User
- Synapse Linked Data Manager
- Synapse User
Synapse Roles: Workspace Items
Workspace Item:
- Linked Service
- Apache Spark Pool
- Integration Runtime
- Credentials
Synapse Roles: Role Assignment
- Role assignment on Workspace or Workspace Item
- Needs to be Synapse Administrator (can also be a guest user)
- No Synapse Administrator available: Contributor or Owner on the Workspace
- Advice! => create role assignments based on Security Groups
- Changes in assignments take up to 2-5 minutes
- Changes in Security Groups can take 10-15 minutes
Synapse Roles: Tips and Tricks
- No access message in Azure Portal: use https://web.azuresynapse.net
- Power BI: access is defined on Power BI workspace level
- Publish Error
Synapse Roles: Role actions
[Matrix of roles against actions; the role-to-action mapping did not survive extraction.]
Roles: Administrator, Contributor, Artifact Publisher, Apache Spark Administrator, SQL Administrator, Artifact User, Compute Operator, Credential User, Linked Data Manager, User
Actions:
- workspaces/read
- workspaces/roleAssignments/write, delete
- workspaces/managedPrivateEndpoint/write, delete
- workspaces/bigDataPools/useCompute/action
- workspaces/bigDataPools/viewLogs/action
- workspaces/integrationRuntimes/useCompute/action
- workspaces/integrationRuntimes/viewLogs/action
- workspaces/artifacts/read
- workspaces/notebooks/write, delete
- workspaces/sparkJobDefinitions/write, delete
- workspaces/sqlScripts/write, delete
- workspaces/kqlScripts/write, delete
- workspaces/dataFlows/write, delete
- workspaces/pipelines/write, delete
- workspaces/triggers/write, delete
- workspaces/datasets/write, delete
- workspaces/libraries/write, delete
- workspaces/linkedServices/write, delete
- workspaces/credentials/write, delete
- workspaces/notebooks/viewOutputs/action
- workspaces/pipelines/viewOutputs/action
- workspaces/linkedServices/useSecret/action
- workspaces/credentials/useSecret/action
Demo

SQL
SQL: Serverless SQL Pool
Synapse Administrator:
- db_owner (DBO) permissions on the 'Built-In' serverless SQL pool
Synapse SQL Administrator:
- Can do all actions on SQL scripts
- Can connect to SQL serverless endpoints with SQL db_datareader, db_datawriter, connect, and grant permissions
SQL: Dedicated SQL Pool
Synapse Administrator:
- Full access to data in dedicated SQL pools
- Grant access to other users
- Perform configuration and maintenance activities
- Can't drop dedicated SQL pools
Synapse SQL Administrator:
- No access by default
Active Directory Admin:
- Full access
SQL: SQL Pools

Serverless SQL pool:

    -- Step 1: create the login from Azure AD in master
    USE master
    GO
    CREATE LOGIN [erwin.de.kreuk@demo.com] FROM EXTERNAL PROVIDER;
    GO
    -- Step 2: create a user for that login in the target database
    USE yourdb -- Use your database name
    GO
    CREATE USER demouser FROM LOGIN [erwin.de.kreuk@demo.com];
    GO
    -- Step 3: grant the database role (db_owner here; choose the least role that fits)
    ALTER ROLE db_owner ADD MEMBER demouser;
    GO

Dedicated SQL pool:

    -- Create the user directly from Azure AD in the database (no separate login needed)
    CREATE USER [erwin.dekreuk@gmail.com] FROM EXTERNAL PROVIDER;
    GO
    -- Grant the database role to the user
    EXEC sp_addrolemember 'db_owner', 'erwin.dekreuk@gmail.com';
    GO
Demo
GIT Integration: Azure DevOps
Azure DevOps user:
- Basic user settings
- Azure Artifact Publisher
- Azure Contributor (Azure RBAC) or higher role on the Synapse workspace
DevOps Service Connection:
- Azure Contributor (Azure RBAC) or higher role on the Resource Group
- Azure Synapse Administrator
Security Groups
Data Engineers:
- Need to access SQL Serverless
- Publish or edit Code
- Debug pipelines
Data Scientists:
- Need to access SQL Serverless
- Need access to a specified Spark Pool
- Publish or edit Code
- Submit Spark Jobs
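The advice from the Role Assignment slide (assign Synapse RBAC roles to security groups, at workspace or workspace-item scope) applied to the two personas above, as an added Az PowerShell example that is not part of the slides. Workspace name, Spark pool name and group names are placeholders; the role choices per persona are this example's own mapping of the listed needs onto the roles the deck describes.

```powershell
# Added example: Synapse RBAC assignments per persona, granted to security groups.
# Placeholders, replace with your own names:
$workspace = "syn-dev-ws"
$sparkPool = "sparkds"   # the Spark pool the data scientists are allowed to use

$engineers  = (Get-AzADGroup -DisplayName "sg-synapse-data-engineers").Id
$scientists = (Get-AzADGroup -DisplayName "sg-synapse-data-scientists").Id

# Data Engineers: edit and publish artifacts, debug pipelines
# -> Synapse Contributor at workspace scope (no role-assignment or secret rights).
New-AzSynapseRoleAssignment -WorkspaceName $workspace `
    -RoleDefinitionName "Synapse Contributor" -ObjectId $engineers

# Data Scientists: edit and publish artifacts at workspace scope ...
New-AzSynapseRoleAssignment -WorkspaceName $workspace `
    -RoleDefinitionName "Synapse Artifact Publisher" -ObjectId $scientists

# ... but submit Spark jobs only on their own pool: Compute Operator scoped to that
# workspace item instead of the whole workspace.
New-AzSynapseRoleAssignment -WorkspaceName $workspace `
    -RoleDefinitionName "Synapse Compute Operator" -ObjectId $scientists `
    -ItemType "bigDataPools" -Item $sparkPool

# Serverless SQL access for both groups is granted in SQL (see the SQL Pools slide),
# not through Synapse RBAC.

# Review: list who holds which role at which scope. New assignments take a few
# minutes to apply; membership changes in the security group take longer.
Get-AzSynapseRoleAssignment -WorkspaceName $workspace | Format-Table -AutoSize
```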
Demo
Recap: Azure Synapse
- Access to Azure Synapse Studio
- Create SQL Pools / Spark Pools / Data Explorer Pools
- Execute Notebooks
- View and edit code Artifacts
- Debug or Trigger Pipelines
- Monitor
- Publish Code
@erwindekreuk
https://www.linkedin.com/in/erwindekreuk/
https://erwindekreuk.com
Slides will be available on my blog