az synapse role assignment
Manage Synapse's role assignments.
Commands
Name | Description | Type | Status |
---|---|---|---|
az synapse role assignment create | Create a role assignment. | Core | GA |
az synapse role assignment delete | Delete role assignments of workspace. | Core | GA |
az synapse role assignment list | List role assignments. | Core | GA |
az synapse role assignment show | Get a role assignment by id. | Core | GA |
az synapse role assignment create
Create a role assignment.
az synapse role assignment create --role
--workspace-name
[--assignee]
[--assignee-object-id]
[--assignee-principal-type {Group, ServicePrincipal, User}]
[--assignment-id]
[--item]
[--item-type {bigDataPools, credentials, integrationRuntimes, linkedServices}]
[--scope]
Examples
Create a role assignment using service principal name.
az synapse role assignment create --workspace-name testsynapseworkspace \
--role "Synapse Administrator" --assignee sp_name
Create a role assignment using user principal name.
az synapse role assignment create --workspace-name testsynapseworkspace \
--role "Synapse Administrator" --assignee username@contoso.com
Create a role assignment using objectId of the User, Group or Service Principal.
az synapse role assignment create --workspace-name testsynapseworkspace \
--role "Synapse Administrator" --assignee 00000000-0000-0000-0000-000000000000
Create a role assignment at scope.
az synapse role assignment create --workspace-name testsynapseworkspace \
--scope "workspaces/{workspaceName}" --role "Synapse Administrator" --assignee username@contoso.com
Create a role assignment at a scope that is a combination of item type and item name.
az synapse role assignment create --workspace-name testsynapseworkspace \
--item-type "bigDataPools" --item "bigDataPoolName" --role "Synapse Administrator" \
--assignee username@contoso.com
When you are a user with permission to manage Azure RBAC role assignments on the workspace but are not a Synapse Administrator, create the role assignment by role ID (--role roleid). The reason is that when you try to add the "Synapse Administrator" role by name, the command needs to get the role ID from the role name, which requires workspace read permission that the current user does not have.
az synapse role assignment create \
--workspace-name testsynapseworkspace \
--role "6e4bf58a-b8e1-4cc3-bbf9-d73143322b78" \
--assignee username@contoso.com
Required Parameters
--role
The role name/id that is assigned to the principal.
--workspace-name
The workspace name.
Optional Parameters
--assignee
Represents a user or service principal. Supported format: object id, user sign-in name, or service principal name.
--assignee-object-id
Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.
--assignee-principal-type
Use with --assignee-object-id to avoid errors caused by propagation latency in AAD Graph.
--assignment-id
Custom role assignment id in guid format. If not specified, the assignment id will be randomly generated.
--item
Item granted access in the workspace. Use with --item-type to form the scope of the assignment.
--item-type
Item type granted access in the workspace. Use with --item to form the scope of the assignment.
--scope
A scope defines the resources or artifacts that the access applies to. Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az synapse role assignment delete
Delete role assignments of workspace.
az synapse role assignment delete --workspace-name
[--assignee]
[--assignee-object-id]
[--ids]
[--item]
[--item-type {bigDataPools, credentials, integrationRuntimes, linkedServices}]
[--role]
[--scope]
[--yes]
Examples
Delete role assignments by role and assignee.
az synapse role assignment delete --workspace-name testsynapseworkspace \
--role "Synapse Administrator" --assignee sp_name
Delete role assignments by role id/name.
az synapse role assignment delete --workspace-name testsynapseworkspace \
--role "Synapse Administrator"
Delete role assignments by service principal name.
az synapse role assignment delete --workspace-name testsynapseworkspace \
--assignee sp_name
Delete role assignments by user principal name.
az synapse role assignment delete --workspace-name testsynapseworkspace \
--assignee username@contoso.com
Delete role assignments by objectId of the User, Group or Service Principal.
az synapse role assignment delete --workspace-name testsynapseworkspace \
--assignee 00000000-0000-0000-0000-000000000001
Delete role assignments by ids.
az synapse role assignment delete --workspace-name testsynapseworkspace \
--ids 10000000-0000-0000-0000-10000000-10000000-0000-0000-0000-10000000
Delete role assignments by scope.
az synapse role assignment delete --workspace-name testsynapseworkspace \
--scope "workspaces/testsynapseworkspace/linkedServices/testlinkedServices"
Required Parameters
--workspace-name
The workspace name.
Optional Parameters
--assignee
Represents a user or service principal. Supported format: object id, user sign-in name, or service principal name.
--assignee-object-id
Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.
--ids
Space-separated role assignment ids. You should not provide --role or --assignee when --ids is provided.
--item
Item granted access in the workspace. Use with --item-type to form the scope of the assignment. Use az role assignment with a filter condition before executing the delete operation to be clearly aware of which assignments will be deleted.
--item-type
Item type granted access in the workspace. Use with --item to form the scope of the assignment. Use az role assignment with a filter condition before executing the delete operation to be clearly aware of which assignments will be deleted.
--role
The role name/id that is assigned to the principal.
--scope
A scope defines the resources or artifacts that the access applies to. Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Use az role assignment with a filter condition before executing the delete operation to be clearly aware of which assignments will be deleted.
--yes
Do not prompt for confirmation.
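The preview-before-delete advice above, as an added example that is not part of the Azure CLI documentation: list what a filter matches, then delete exactly those assignments with --ids. The function names, the ASSUME_YES variable and the output field names in the --query expression (id, principalId, roleDefinitionId, scope) are assumptions.

```shell
# Added example, not from the Azure CLI docs. Assumed: function names, ASSUME_YES,
# and the list output fields id, principalId, roleDefinitionId, scope.

# Print matching assignments as TSV rows: id, principalId, roleDefinitionId, scope.
# Usage: preview_assignments WORKSPACE ROLE ASSIGNEE SCOPE   ("" = filter unused)
preview_assignments() {
  pa_role=$2 pa_assignee=$3 pa_scope=$4
  set -- --workspace-name "$1"
  if [ -n "$pa_role" ]; then set -- "$@" --role "$pa_role"; fi
  if [ -n "$pa_assignee" ]; then set -- "$@" --assignee "$pa_assignee"; fi
  if [ -n "$pa_scope" ]; then set -- "$@" --scope "$pa_scope"; fi
  az synapse role assignment list "$@" \
    --query "[].[id, principalId, roleDefinitionId, scope]" --output tsv
}

# Preview, confirm, then delete only the previewed ids (same arguments as above).
# Returns 2 when no filter is given, 1 when nothing matches or the user declines.
delete_previewed() {
  if [ -z "$2$3$4" ]; then
    echo "refusing: no role, assignee or scope filter given" >&2
    return 2
  fi
  dp_rows=$(preview_assignments "$1" "$2" "$3" "$4") || return 1
  if [ -z "$dp_rows" ]; then
    echo "no matching role assignments" >&2
    return 1
  fi
  printf 'Will delete:\n%s\n' "$dp_rows" >&2
  if [ "${ASSUME_YES:-no}" != yes ]; then
    printf 'Proceed? [y/N] ' >&2
    read -r dp_answer || dp_answer=n
    case $dp_answer in y|Y) ;; *) return 1 ;; esac
  fi
  dp_ids=$(printf '%s\n' "$dp_rows" | cut -f1)
  # Unquoted on purpose: --ids takes space-separated ids, so $dp_ids must split.
  # --ids is used alone, without --role or --assignee.
  az synapse role assignment delete --workspace-name "$1" --ids $dp_ids --yes
}
```

Example call: `delete_previewed testsynapseworkspace "Synapse Administrator" sp_name ""`.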
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az synapse role assignment list
List role assignments.
az synapse role assignment list --workspace-name
[--assignee]
[--assignee-object-id]
[--item]
[--item-type {bigDataPools, credentials, integrationRuntimes, linkedServices}]
[--role]
[--scope]
Examples
List role assignments.
az synapse role assignment list --workspace-name testsynapseworkspace
List role assignments by role id/name.
az synapse role assignment list --workspace-name testsynapseworkspace \
--role "Synapse Apache Spark Administrator"
List role assignments by assignee.
az synapse role assignment list --workspace-name testsynapseworkspace \
--assignee sp_name
List role assignments by objectId of the User, Group or Service Principal.
az synapse role assignment list --workspace-name testsynapseworkspace \
--assignee-object-id 00000000-0000-0000-0000-000000000000
List role assignments by scope.
az synapse role assignment list --workspace-name testsynapseworkspace \
--scope "workspaces/{workspaceName}"
List role assignments by item type and item name.
az synapse role assignment list --workspace-name testsynapseworkspace \
--item-type "bigDataPools" --item "bigDataPoolName"
Required Parameters
--workspace-name
The workspace name.
Optional Parameters
--assignee
Represents a user or service principal. Supported format: object id, user sign-in name, or service principal name.
--assignee-object-id
Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.
--item
Item granted access in the workspace. Use with --item-type to form the scope of the assignment.
--item-type
Item type granted access in the workspace. Use with --item to form the scope of the assignment.
--role
The role name/id that is assigned to the principal.
--scope
A scope defines the resources or artifacts that the access applies to. Synapse supports hierarchical scopes. Permissions granted at a higher-level scope are inherited by objects at a lower level. In Synapse RBAC, the top-level scope is a workspace. Assigning a role with workspace scope grants permissions to all applicable objects in the workspace.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.
az synapse role assignment show
Get a role assignment by id.
az synapse role assignment show --id
--workspace-name
Examples
Get a role assignment by id.
az synapse role assignment show --workspace-name testsynapseworkspace \
--id 00000000-0000-0000-0000-000000000000
Required Parameters
--id
Id of the role that is assigned to the principal.
--workspace-name
The workspace name.
Global Parameters
--debug
Increase logging verbosity to show all debug logs.
--help -h
Show this help message and exit.
--only-show-errors
Only show errors, suppressing warnings.
--output -o
Output format.
--query
JMESPath query string. See http://jmespath.org/ for more information and examples.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
--verbose
Increase logging verbosity. Use --debug for full debug logs.