Create Azure Custom Reader Role for Data Factory

There isn’t an Azure Data Factory Reader role unless you create an Azure Custom Role. Having a Reader role comes in handy. You certainly don’t want to give everyone access to creating and developing Azure Data Factory solutions. 

I believe it’s really important to spend some time creating this role. In this post, you will see how to create a custom reader role. This article is valid for the creation of any other custom role. You can define what you need for your specific service. 

The contents of this blog post: 

  • Introduction to Azure Custom Roles 
  • Definition and creation of the Azure Data Factory Custom Reader Role 
  • Testing the Custom Role 

Introduction to Azure Custom Roles 

To create Azure Custom Roles, you need to be an Owner or a User Access Administrator, or be granted the ‘Microsoft.Authorization/roleDefinitions/write’ permission. 

The good news is that you can create them using PowerShell libraries, and you can have up to 5000 per directory. 

PowerShell library

You can also look at the existing roles to explore if you can re-use one or if it already exists. 

Access control IAM

In the case of Azure Data Factory, there is only a contributor role, which is aimed at data engineers who are going to develop solutions. 

Once you create a role, you can find it using the filters. 

Custom Role

In addition, you can also modify it if required. 

Definition and creation of the Azure Data Factory Custom Reader Role 

During the creation of the custom roles, you need to configure the following options: 

Basics 

Define a name. Choose whether you want to create the role from scratch, clone an existing one, or import a custom role JSON definition file. 

Create a custom role

Permissions 

Time to define the permissions. 

Add permissions

One thing I’ve found is there is a well-defined naming convention for the permissions. First, choose the Azure Data Factory provider.  

Add Microsoft Data Factory

You can filter by using a keyword. In this example I’ve used the word ‘read.’ 

Data Factory Permissions keyword

After you define the permissions, you’ll see them in the window. 

Assignable Scopes 

Here you can define whether the scope of the permission is at the subscription or resource group level. 

Define scope of permission

JSON 

In this section, you can download the JSON definition file for code version control and re-use it if necessary.

JSON definition file

Review and Create 

The last section displays a summary. Finally, the creation of the role is executed. 

Review and update
Create custom role display
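
The JSON definition downloaded in the JSON step can be checked before it is committed or re-used. The following is an added example, not code from the original post: it flags any action that is not a Microsoft.DataFactory read operation and any assignable scope that is not a subscription or resource group. The `properties` layout, the sample actions, the function name and the placeholder subscription ID are assumptions.

```python
import json

# Constructed sample, in the layout assumed for the portal's downloaded JSON.
# The subscription ID and resource group are placeholders.
SAMPLE_ROLE = json.loads("""
{"properties": {
  "roleName": "ADF_Reader",
  "assignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-data"],
  "permissions": [{
    "actions": [
      "Microsoft.DataFactory/factories/read",
      "Microsoft.DataFactory/factories/pipelines/read",
      "Microsoft.DataFactory/factories/datasets/read"],
    "notActions": [], "dataActions": [], "notDataActions": []}]}}
""")

PROVIDER = "microsoft.datafactory/"


def audit_reader_role(definition):
    """Return findings for a role definition; an empty list means read-only."""
    props = definition.get("properties", definition)
    permissions = props.get("permissions", [])
    findings = []
    if not any(p.get("actions") for p in permissions):
        findings.append("no actions defined")
    for perm in permissions:
        for key in ("actions", "dataActions"):
            for action in perm.get(key, []):
                lowered = action.lower()
                if not lowered.startswith(PROVIDER):
                    findings.append(f"{key}: {action} is outside Microsoft.DataFactory")
                elif not lowered.endswith("/read"):
                    # Catches write/delete/action operations and broad wildcards.
                    findings.append(f"{key}: {action} is not a read operation")
    for scope in props.get("assignableScopes", []):
        # The post scopes the role to a subscription or resource group.
        if not scope.lower().startswith("/subscriptions/"):
            findings.append(f"assignableScopes: {scope} is not a subscription or resource group")
    return findings


if __name__ == "__main__":
    for line in audit_reader_role(SAMPLE_ROLE) or ["OK: read-only Data Factory role"]:
        print(line)
```

Running it against the file kept in version control gives a quick check that a later edit has not added a write or delete permission to the reader role.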

Testing the Custom Role 

Now we need to test the custom role. Assign the role to a different user. 

Assign role to new user
Add role assignment

In the following images, you will see that I am connected with the user that has been assigned to the new ADF_Reader role. 

ADF Reader role

The next step is to try to delete a dataset! 

It seems that it has been deleted successfully. 

But this is just a local copy. Once we try to publish the changes, the permission will be denied. 

Publishing error

Summary 

Having some control over defining our Custom Azure Roles is easy and allows you to meet specific needs within your environment. The input for defining the roles needs to come from the application and technical stakeholders in collaboration with security and infrastructure teams. Not even the best Azure administrator will be able to achieve the required organization roles for a company. 

Final Thoughts 

It’d be nice to have some default reader roles created in Azure for the different services. The creation of the role is not a time-consuming activity but it needs to be documented and included as part of any robust environment. 

See my previous post on Azure Synapse Analytics Serverless here.

2 Responses
  • Mark Kromer
    01 . 07 . 2020

    Well done, thank you so much for this!

    • David Alzamendi
      03 . 07 . 2020

      Thanks for the feedback Mark 🙂
