We’d like to give support personnel read-only access to Azure Data Factories so they can troubleshoot issues. Following this guide I was able to create a custom role that mostly does the trick, but on further review I can see that the user granted this role can still add/delete/save pipelines, which is a no-no for us. Any suggestions here? The template below is what we use:
{
  "Name": "MGB Data Factory Reader",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Read Only Access to Data Factories ",
  "Actions": [
    "Microsoft.DataFactory/datafactories/read",
    "Microsoft.DataFactory/datafactories/activitywindows/read",
    "Microsoft.DataFactory/datafactories/providers/Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.DataFactory/datafactories/providers/Microsoft.Insights/metricDefinitions/read",
    "Microsoft.DataFactory/datafactories/datasets/read",
    "Microsoft.DataFactory/datafactories/datasets/activitywindows/read",
    "Microsoft.DataFactory/datafactories/datasets/sliceruns/read",
    "Microsoft.DataFactory/datafactories/datasets/slices/read",
    "Microsoft.DataFactory/datafactories/tables/read",
    "Microsoft.DataFactory/datafactories/gateways/read",
    "Microsoft.DataFactory/datafactories/linkedServices/read",
    "Microsoft.DataFactory/datafactories/datapipelines/read",
    "Microsoft.DataFactory/datafactories/datapipelines/activities/activitywindows/read",
    "Microsoft.DataFactory/datafactories/datapipelines/activitywindows/read",
    "Microsoft.DataFactory/datafactories/runs/loginfo/read",
    "Microsoft.DataFactory/factories/read",
    "Microsoft.DataFactory/factories/adfcdcs/read",
    "Microsoft.DataFactory/factories/adflinkconnections/read",
    "Microsoft.DataFactory/factories/getDataPlaneAccess/read",
    "Microsoft.DataFactory/factories/getFeatureValue/read",
    "Microsoft.DataFactory/factories/operationResults/read",
    "Microsoft.DataFactory/factories/pipelineruns/read",
    "Microsoft.DataFactory/factories/pipelineruns/activityruns/read",
    "Microsoft.DataFactory/factories/pipelineruns/queryactivityruns/read",
    "Microsoft.DataFactory/factories/providers/Microsoft.Insights/diagnosticSettings/read",
    "Microsoft.DataFactory/factories/providers/Microsoft.Insights/metricDefinitions/read",
    "Microsoft.DataFactory/factories/queryFeaturesValue/read",
    "Microsoft.DataFactory/factories/querypipelineruns/read",
    "Microsoft.DataFactory/factories/querytriggerruns/read",
    "Microsoft.DataFactory/factories/triggerruns/read",
    "Microsoft.DataFactory/factories/dataflows/read",
    "Microsoft.DataFactory/factories/dataMappers/read",
    "Microsoft.DataFactory/factories/datasets/read",
    "Microsoft.DataFactory/factories/sandboxpipelineruns/read",
    "Microsoft.DataFactory/factories/sandboxpipelineruns/sandboxActivityRuns/read",
    "Microsoft.DataFactory/factories/globalParameters/read",
    "Microsoft.DataFactory/factories/integrationruntimes/read",
    "Microsoft.DataFactory/factories/integrationruntimes/getstatus/read",
    "Microsoft.DataFactory/factories/integrationruntimes/monitoringdata/read",
    "Microsoft.DataFactory/factories/integrationruntimes/nodes/read",
    "Microsoft.DataFactory/factories/integrationruntimes/outboundNetworkDependenciesEndpoints/read",
    "Microsoft.DataFactory/factories/linkedServices/read",
    "Microsoft.DataFactory/factories/managedVirtualNetworks/read",
    "Microsoft.DataFactory/factories/managedVirtualNetworks/managedPrivateEndpoints/read",
    "Microsoft.DataFactory/factories/privateEndpointConnectionProxies/read",
    "Microsoft.DataFactory/factories/privateEndpointConnectionProxies/operationresults/read",
    "Microsoft.DataFactory/factories/privateEndpointConnectionProxies/operationstatuses/read",
    "Microsoft.DataFactory/factories/privateEndpointConnections/read",
    "Microsoft.DataFactory/factories/privateLinkResources/read",
    "Microsoft.DataFactory/factories/pipelines/read",
    "Microsoft.DataFactory/factories/pipelines/pipelineruns/read",
    "Microsoft.DataFactory/factories/pipelines/pipelineruns/activityruns/progress/read",
    "Microsoft.DataFactory/factories/providers/Microsoft.Insights/logDefinitions/read",
    "Microsoft.DataFactory/factories/triggers/read",
    "Microsoft.DataFactory/factories/triggers/triggerruns/read",
    "Microsoft.DataFactory/locations/getFeatureValue/read",
    "Microsoft.DataFactory/checkazuredatafactorynameavailability/read",
    "Microsoft.DataFactory/operations/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/providers/Microsoft.Management/managementGroups/{groupId1}"
  ]
}
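The question above comes down to what the role definition actually grants on the Azure control plane, and that can be checked mechanically. The script below is an added example, not code from the original post or from Microsoft: it evaluates role definitions in the same JSON shape as the one posted, using the Azure RBAC rules for control-plane actions (an operation is permitted when it matches an entry in Actions and no entry in NotActions; `*` is a wildcard and matching is case-insensitive). The two sample roles are constructed for the example; the first is a trimmed copy of the posted role, the second is deliberately sloppy. It also compares against the built-in Reader role, reduced to its `*/read` grant, and tests the `Microsoft.DataFactory/factories/pipelines/write` operation that saving a pipeline definition to the factory requires.

```python
"""Check whether an Azure RBAC role definition is genuinely read-only.

Added example, not code from the original post. It applies the Azure
control-plane evaluation rules to role definitions in the same JSON shape
as the one posted: an operation is permitted when it matches an entry in
Actions and does not match any entry in NotActions; '*' is a wildcard and
comparison is case-insensitive. Deny assignments are out of scope here.
"""
import fnmatch
import json

# Constructed sample: a trimmed copy of the posted custom role (all /read).
CUSTOM_READER_JSON = """
{
  "Name": "MGB Data Factory Reader",
  "IsCustom": true,
  "Actions": [
    "Microsoft.DataFactory/factories/read",
    "Microsoft.DataFactory/factories/pipelines/read",
    "Microsoft.DataFactory/factories/pipelineruns/read",
    "Microsoft.DataFactory/factories/triggers/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": []
}
"""

# Constructed sample: a role that looks read-only at a glance but is not.
# The resource-level wildcard and the pipelines/write entry are deliberate.
SLOPPY_READER_JSON = """
{
  "Name": "Sloppy Reader",
  "IsCustom": true,
  "Actions": [
    "Microsoft.DataFactory/factories/*",
    "Microsoft.DataFactory/factories/pipelines/write"
  ],
  "NotActions": ["Microsoft.DataFactory/factories/delete"],
  "DataActions": [],
  "NotDataActions": []
}
"""

# Built-in Reader role, reduced to the grant that matters here: every
# */read operation of every resource provider, nothing else.
BUILTIN_READER = {"Actions": ["*/read"], "NotActions": [],
                  "DataActions": [], "NotDataActions": []}

# Control-plane operation that saving (publishing) a pipeline definition to
# the factory requires, and its read counterpart used for monitoring.
PUBLISH_WRITE = "Microsoft.DataFactory/factories/pipelines/write"
PIPELINE_READ = "Microsoft.DataFactory/factories/pipelines/read"


def _matches(pattern, operation):
    """Azure-style match: '*' is a wildcard that may span '/', comparison is
    case-insensitive. fnmatch also treats '?' and '[' specially; those never
    occur in ARM operation names, so it is a safe stand-in."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def is_permitted(role, operation):
    """True if the role grants `operation`: allowed by some Actions entry and
    not removed again by a NotActions entry."""
    allowed = any(_matches(p, operation) for p in role.get("Actions", []))
    denied = any(_matches(p, operation) for p in role.get("NotActions", []))
    return allowed and not denied


def find_non_read_entries(role):
    """Return every entry that can grant more than read access.

    An Actions entry ending in '/read' can only ever match read operations,
    even with a wildcard in front ('*/read' is fine). Anything else is
    flagged: a wildcard that does not end in '/read' may expand to
    write/delete/action, and a literal non-read action is a plain grant.
    Any DataActions entry is flagged too, since the goal is control-plane
    read only."""
    issues = []
    for action in role.get("Actions", []):
        if action.lower().endswith("/read"):
            continue
        issues.append(("wildcard" if "*" in action else "non-read", action))
    for action in role.get("DataActions", []):
        issues.append(("data-action", action))
    return issues


def is_read_only(role):
    return not find_non_read_entries(role)


def load_role(text):
    return json.loads(text)


if __name__ == "__main__":
    roles = {"posted custom role": load_role(CUSTOM_READER_JSON),
             "sloppy role": load_role(SLOPPY_READER_JSON),
             "built-in Reader": BUILTIN_READER}
    for name, role in roles.items():
        print(f"{name}: read-only={is_read_only(role)} "
              f"can_read_pipelines={is_permitted(role, PIPELINE_READ)} "
              f"can_publish={is_permitted(role, PUBLISH_WRITE)} "
              f"issues={find_non_read_entries(role)}")
```

Run against the posted definition, every entry ends in `/read` and `pipelines/write` is not permitted, which is why editing in the portal has no lasting effect: the pipeline JSON only changes in the factory when the write operation succeeds. The same check shows that the built-in Reader role grants exactly the same class of operations, so the custom role buys nothing over it except maintenance cost, while a single wildcard or stray write entry (the sloppy sample) silently turns a "reader" into an editor.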
2 Answers
After testing granting read-only permissions at the resource and resource group level, the standard out-of-the-box Reader role works fine. At first blush it seems like it's giving users access to add/delete pipelines, but in reality nothing changes unless it's published, a function to which read-only users do not have access. Thanks for the replies.
Why not provide the built-in Reader role on the Data Factory resource for the user? Why create a custom role?