Built-in Roles in Azure Synapse Analytics Workspace

What is Azure Synapse Analytics?

Azure Synapse Analytics has many built-in roles that will help to manage access to Synapse resources. These roles allow you to control what users and applications can do within a Synapse workspace. Synapse RBAC Roles can be assigned by Synapse Administrators. A workspace-level Synapse Administrator can grant access to any workspace. A lower-level Synapse administrator can grant access to only a specific scope. When a new workspace is created, the creator is automatically given the Synapse Administrator role at workspace scope.

Here are some of the common built-in roles in Azure Synapse Analytics.

1. Synapse Administrator: The topmost and powerful role in Synapse Analytics which provides full control over the entire Synapse workspace. It has the ability to manage all resources within the workspace, including databases, SQL pools, data flows, and even the security settings.
   1. Full Control
   2. Workspace Management
   3. Security/Access Control
   4. SQL Pool Management
   5. Data Flow and Data Integration runtime control
   6. Resource Provisioning
   7. Integration with Other Azure Services

Due to the extensive control and privileges associated with the Synapse Administrator role, it's crucial to assign this role only to trusted individuals or teams who need to have this level of control over the workspace.

1. Synapse Contributor: Can create, update, and delete resources but don’t have control over access to the workspace. This role can manage all the resources within the synapse workspace. This role is less powerful than the "Synapse Administrator" role but still provides substantial control over resources within a Synapse Analytics workspace.
   1. Create, Update, Delete
   2. Data Flow and Data Integration
   3. Limited Security Control
   4. Resource Provisioning/Deprovisioning
2. Synapse SQL Administrator: This role focuses only on the SQL functionality of Synapse Analytics. It allows users to manage and configure SQL pools, databases, and data flows within the workspace.
   1. SQL Pool Management - Create, update, and delete SQL pools, as well as adjusting performance & scale
   2. Database Management
   3. SQL Query and Script Execution
   4. Limited Control over Workspace Resources
   5. Security and Access Control
3. Synapse Apache Spark Administrator: This role allows the Run a notebook and review its output, or submit a Spark job. It provides full access to apache spark pools and its activities but cannot grant access to other users. The users with this role can also read all other publish code artifacts.
   1. All actions on Spark artifacts
   2. All actions on Spark activities
4. Synapse Artifact Publisher: This role allows to read, update, delete and create to all the published code and outputs including the currently scheduled pipelines. The restriction is it doesn’t have the permission to run the code, pipelines or granting access to some other users.
   1. Read all the published artifacts and also publish the artifacts
   2. View notebooks, spark jobs and the pipeline outputs
5. Synapse Artifact User: This is a role which has limited permissions but works at workspace level. Can read to the published code artifacts and at the same time can create new artifacts but cannot publish them or run the code.
6. Synapse Compute Operator: Can monitor and cancel spark jobs submitted by any user. Can submit spark jobs and view all the jobs and view the spark pool logs.
7. Synapse Monitoring Operator: Specialized role for monitoring the workloads of synapse. For reading already published code artifacts and completed notebooks including output logs of the pipeline runs. Could not run or cancel pipelines, spark notebooks and their jobs.
8. Synapse Credential User: Use of secrets in credentials and connected services during runtime and configuration times throughout operations such as pipeline runs. This role, scoped to the workspace system identity, is necessary to run pipelines.
   1. Role is scoped to a credential
   2. Permits access to data via linked service by a credential
   3. Allows execution of pipelines protected by system identity credentials
9. Synapse Linked Data Manager: With this role it is used to create credentials, linked services, and managed private endpoint and also to manage them. Useful to establish credential-protected managed private endpoints that utilizes the linked services.
10. Synapse User:  List and examine the specifics of Integration runtimes, SQL pools, Apache Spark pools, published linked services, and the login credentials. But excludes additional publicly available code artifacts.  Can produce new artifacts but requires more permissions in order to run or publish.

Summary

These roles are assigned at different scopes, such as the subscription, resource group, workspace, or even individual resources. To assign roles, you can use Azure Portal, Azure PowerShell, Azure CLI, or Azure Resource Manager templates. As with any role assignment in Azure, it's crucial to follow the principle of least privilege, which means only granting the permissions necessary for users to perform their specific tasks and responsibilities, and avoiding over-assigning privileges that could potentially lead to security risks.