How to control access to a folder in ADLS gen2 container while Storage account IAMs are in action

SP 5 Reputation points
2025-02-03T19:28:59.77+00:00

Hi,

I have a synapse pipeline that saves an output file in a folder (ex: salary) in an ADLS container (ex: employee). Now Mr. X wants the data saved in the folder to be accessible only to him but storage account level IAMs have already given access to many team members.
Is there a way to have the data saved in this container/storage account without meddling with the storage account level IAMs? If not, what would be the ideal solution?


1 answer

  1. Keshavulu Dasari 3,380 Reputation points Microsoft Vendor
    2025-02-03T19:41:20.19+00:00

    Hi SP,

    Greetings & Welcome to Microsoft Q&A forum! Thanks for posting your query!

    To control access to a specific folder in an ADLS Gen2 container without changing the storage account level IAMs, you can use access control lists (ACLs). ACLs allow you to set fine-grained permissions at the directory and file level, which can help you restrict access to the "salary" folder for Mr. X.

    Assign Reader Role at Storage Account/Container Level: Ensure that the security principals (users, groups, service principals) have at least the Reader role at the storage account or container level. This provides the necessary control plane permissions.

    Set ACLs on the Folder:

    • Navigate to the "salary" folder in the ADLS Gen2 container.
    • Set the ACLs to grant Mr. X the required permissions (e.g., read, write) and remove or restrict permissions for other users.

    Use Access ACLs: Apply Access ACLs to control access to the "salary" folder. These ACLs will determine who can read, write, or execute within the folder.

    Default ACLs (Optional): If you want the permissions to be inherited by new files or subfolders created within the "salary" folder, set Default ACLs at the folder level.

    To set ACLs:

    1. Navigate to the ADLS Gen2 container in the Azure portal.
    2. Select the "salary" folder.
    3. Click on "Access control (IAM)" and then "Add role assignment" to ensure Mr. X has the necessary Reader role.
    4. Go to the "Access Control Lists" (ACLs) tab.
    5. Add an entry for Mr. X with the desired permissions (e.g., read, write).

    Remove or restrict permissions for other users as needed.


    Please do not forget to "Accept the answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.
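A scripted version of the portal steps above, added here as an example rather than taken from the answer; it uses the Az.Storage module, and the storage account name, subscription/resource group path and the object IDs for Mr. X and the Synapse workspace identity are placeholder assumptions.

```powershell
# Added example (not from the answer above): restrict the "salary" folder in the
# "employee" container to Mr. X with POSIX ACLs via the Az.Storage module.
# Assumes Connect-AzAccount has been run by an identity that owns the folder or
# holds Storage Blob Data Owner. Account name, scope and object IDs are placeholders.
$account   = "<storage-account-name>"
$container = "employee"
$folder    = "salary"
$mrX       = "<entra-object-id-of-mr-x>"
$synapseMi = "<entra-object-id-of-synapse-workspace-identity>"  # the pipeline must keep writing

$ctx = New-AzStorageContext -StorageAccountName $account -UseConnectedAccount

# Caveat: ACLs are consulted only when no data-plane RBAC role (Storage Blob Data
# Reader/Contributor/Owner) already authorises the caller. Team members holding such
# a role at account or container scope still get in, so review those assignments.
$scope = "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/$account"
Get-AzRoleAssignment -Scope $scope | Where-Object RoleDefinitionName -like "Storage Blob Data*"

# Build the full access ACL plus a matching default ACL: owner rwx, owning group r-x,
# "other" nothing, and named entries for Mr. X and the pipeline identity.
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user  -Permission "rwx"
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -Permission "r-x" -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType other -Permission "---" -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user  -Permission "rwx" -DefaultScope -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType group -Permission "r-x" -DefaultScope -InputObject $acl
$acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType other -Permission "---" -DefaultScope -InputObject $acl
foreach ($id in @($mrX, $synapseMi)) {
    $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $id -Permission "rwx" -InputObject $acl
    $acl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $id -Permission "rwx" -DefaultScope -InputObject $acl
}

# Apply to the folder and everything already inside it (default entries only land on directories).
Set-AzDataLakeGen2AclRecursive -Context $ctx -FileSystem $container -Path $folder -Acl $acl

# Mr. X also needs execute (traverse) on the container root to reach "salary";
# merge a single entry there instead of rewriting the root ACL.
$rootAcl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $container).ACL
$rootAcl = Set-AzDataLakeGen2ItemAclObject -AccessControlType user -EntityId $mrX -Permission "--x" -InputObject $rootAcl
Update-AzDataLakeGen2Item -Context $ctx -FileSystem $container -Acl $rootAcl

# Read back what was written on the folder.
(Get-AzDataLakeGen2Item -Context $ctx -FileSystem $container -Path $folder).ACL | Format-Table -AutoSize
```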


