
az synapse role assignment

Manage Synapse's role assignments.

Commands

| Name | Description | Type | Status |
|---|---|---|---|
| az synapse role assignment create | Create a role assignment. | Core | GA |
| az synapse role assignment delete | Delete role assignments of a workspace. | Core | GA |
| az synapse role assignment list | List role assignments. | Core | GA |
| az synapse role assignment show | Get a role assignment by id. | Core | GA |

az synapse role assignment create

Create a role assignment.

az synapse role assignment create --role
                                  --workspace-name
                                  [--assignee]
                                  [--assignee-object-id]
                                  [--assignee-principal-type {Group, ServicePrincipal, User}]
                                  [--assignment-id]
                                  [--item]
                                  [--item-type {bigDataPools, credentials, integrationRuntimes, linkedServices}]
                                  [--scope]

Examples

Create a role assignment using service principal name.

az synapse role assignment create --workspace-name testsynapseworkspace \
--role "Synapse Administrator" --assignee sp_name

Create a role assignment using user principal name.

az synapse role assignment create --workspace-name testsynapseworkspace \
--role "Synapse Administrator" --assignee username@contoso.com

Create a role assignment using objectId of the User, Group or Service Principal.

az synapse role assignment create --workspace-name testsynapseworkspace \
--role "Synapse Administrator" --assignee 00000000-0000-0000-0000-000000000000

Create a role assignment at scope.

az synapse role assignment create --workspace-name testsynapseworkspace \
--scope "workspaces/{workspaceName}" --role "Synapse Administrator" --assignee username@contoso.com

Create a role assignment at a scope that is a combination of item type and item name.

az synapse role assignment create --workspace-name testsynapseworkspace \
--item-type "bigDataPools" --item "bigDataPoolName" --role "Synapse Administrator" \
--assignee username@contoso.com

If you have permission to manage Azure RBAC role assignments on the workspace but are not a Synapse Administrator, create the role assignment by passing the role ID to --role. The reason is that when you try to add a "Synapse Administrator" role by name, the command needs to get the role ID from the role name, which requires workspace read permission, which the current user does not have.

az synapse role assignment create \
--workspace-name testsynapseworkspace \
--role "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78" \
--assignee username@contoso.com

Required Parameters

--role

The role name/id that is assigned to the principal.

--workspace-name

The workspace name.

Optional Parameters

--assignee

Represents a user or service principal. Supported format: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--assignee-principal-type --assignee-type

Use with --assignee-object-id to avoid errors caused by propagation latency in AAD Graph.

Accepted values: Group, ServicePrincipal, User

--assignment-id

Custom role assignment id in guid format, if not specified, assignment id will be randomly generated.

--item

Item granted access in the workspace. Use with --item-type to form the scope of the assignment.

--item-type

Item type granted access in the workspace. Use with --item to form the scope of the assignment.

Accepted values: bigDataPools, credentials, integrationRuntimes, linkedServices

--scope

A scope defines the resources or artifacts that the access applies to. Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az synapse role assignment delete

Delete role assignments of a workspace.

az synapse role assignment delete --workspace-name
                                  [--assignee]
                                  [--assignee-object-id]
                                  [--ids]
                                  [--item]
                                  [--item-type {bigDataPools, credentials, integrationRuntimes, linkedServices}]
                                  [--role]
                                  [--scope]
                                  [--yes]

Examples

Delete role assignments by role and assignee.

az synapse role assignment delete --workspace-name testsynapseworkspace \
--role "Synapse Administrator" --assignee sp_name

Delete role assignments by role id/name.

az synapse role assignment delete --workspace-name testsynapseworkspace \
--role "Synapse Administrator"

Delete role assignments by service principal name.

az synapse role assignment delete --workspace-name testsynapseworkspace \
--assignee sp_name

Delete role assignments by user principal name.

az synapse role assignment delete --workspace-name testsynapseworkspace \
--assignee username@contoso.com

Delete role assignments by objectId of the User, Group or Service Principal.

az synapse role assignment delete --workspace-name testsynapseworkspace \
--assignee 00000000-0000-0000-0000-000000000001

Delete role assignments by ids.

az synapse role assignment delete --workspace-name testsynapseworkspace \
--ids 10000000-0000-0000-0000-10000000-10000000-0000-0000-0000-10000000

Delete role assignments by scope.

az synapse role assignment delete --workspace-name testsynapseworkspace \
--scope "workspaces/testsynapseworkspace/linkedServices/testlinkedServices"

Required Parameters

--workspace-name

The workspace name.

Optional Parameters

--assignee

Represents a user or service principal. Supported format: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--ids

Space-separated role assignment ids. You should not provide --role or --assignee when --ids is provided.

--item

Item granted access in the workspace. Use with --item-type to form the scope of the assignment. Before executing the delete operation, use az role assignment with a filter condition so that you are clearly aware of which assignments will be deleted.

--item-type

Item type granted access in the workspace. Use with --item to form the scope of the assignment. Before executing the delete operation, use az role assignment with a filter condition so that you are clearly aware of which assignments will be deleted.

Accepted values: bigDataPools, credentials, integrationRuntimes, linkedServices

--role

The role name/id that is assigned to the principal.

--scope

A scope defines the resources or artifacts that the access applies to. Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Before executing the delete operation, use az role assignment with a filter condition so that you are clearly aware of which assignments will be deleted.

--yes -y

Do not prompt for confirmation.

Default value: False

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.
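
The delete parameters above advise listing with a filter before deleting. The wrapper below does that with az synapse role assignment list and then deletes by --ids, so only the assignments that were previewed are removed. It is an added example, not part of the Azure CLI reference: the function names are hypothetical, and it assumes each object returned by list has an id field accepted by --ids.

```bash
# Added example (not from the Azure CLI docs). Function names are hypothetical.
# Assumption: each object returned by `list` has an `id` field accepted by --ids.

# preview_ids WORKSPACE [filter args...]
# Prints the id of every assignment the filter matches, one per line.
preview_ids() {
  local ws="$1"; shift
  az synapse role assignment list --workspace-name "$ws" "$@" \
    --query "[].id" --output tsv
}

# delete_reviewed WORKSPACE MAX [filter args...]
# Deletes by id exactly the assignments that were previewed.
# Returns 2 when no filter is given, 3 when more than MAX assignments match.
delete_reviewed() {
  local ws="$1" max="$2" ids count
  shift 2
  if [ "$#" -eq 0 ]; then
    echo "refusing: no filter given, every assignment would match" >&2
    return 2
  fi
  ids="$(preview_ids "$ws" "$@")" || return 1
  if [ -z "$ids" ]; then
    echo "no assignment matches; nothing deleted" >&2
    return 0
  fi
  count="$(printf '%s\n' "$ids" | wc -l | tr -d ' ')"
  if [ "$count" -gt "$max" ]; then
    echo "refusing: $count assignments match, limit is $max" >&2
    return 3
  fi
  printf 'deleting %s assignment(s):\n%s\n' "$count" "$ids" >&2
  # No --yes: the CLI's own confirmation prompt stays on as the last check.
  # $ids is left unquoted on purpose, --ids takes space-separated ids.
  az synapse role assignment delete --workspace-name "$ws" --ids $ids
}
```

Example call: delete_reviewed testsynapseworkspace 3 --role "Synapse Administrator" --assignee sp_name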

az synapse role assignment list

List role assignments.

az synapse role assignment list --workspace-name
                                [--assignee]
                                [--assignee-object-id]
                                [--item]
                                [--item-type {bigDataPools, credentials, integrationRuntimes, linkedServices}]
                                [--role]
                                [--scope]

Examples

List role assignments.

az synapse role assignment list --workspace-name testsynapseworkspace

List role assignments by role id/name.

az synapse role assignment list --workspace-name testsynapseworkspace \
--role "Synapse Apache Spark Administrator"

List role assignments by assignee.

az synapse role assignment list --workspace-name testsynapseworkspace \
--assignee sp_name

List role assignments by objectId of the User, Group or Service Principal.

az synapse role assignment list --workspace-name testsynapseworkspace \
--assignee-object-id 00000000-0000-0000-0000-000000000000

List role assignments by scope.

az synapse role assignment list --workspace-name testsynapseworkspace \
--scope "workspaces/{workspaceName}"

List role assignments by item type and item name.

az synapse role assignment list --workspace-name testsynapseworkspace \
--item-type "bigDataPools" --item "bigDataPoolName"

Required Parameters

--workspace-name

The workspace name.

Optional Parameters

--assignee

Represents a user or service principal. Supported format: object id, user sign-in name, or service principal name.

--assignee-object-id

Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.

--item

Item granted access in the workspace. Use with --item-type to form the scope of the assignment.

--item-type

Item type granted access in the workspace. Use with --item to form the scope of the assignment.

Accepted values: bigDataPools, credentials, integrationRuntimes, linkedServices

--role

The role name/id that is assigned to the principal.

--scope

A scope defines the resources or artifacts that the access applies to. Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az synapse role assignment show

Get a role assignment by id.

az synapse role assignment show --id
                                --workspace-name

Examples

Get a role assignment by id.

az synapse role assignment show --workspace-name testsynapseworkspace \
--id 00000000-0000-0000-0000-000000000000

Required Parameters

--id

Id of the role that is assigned to the principal.

--workspace-name

The workspace name.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.