Synapse RBAC Roles
This article describes the built-in Synapse RBAC (role-based access control) roles, the permissions they grant, and the scopes at which they can be assigned.
For more information on reviewing and assigning Synapse role memberships, see how to review Synapse RBAC role assignments and how to assign Synapse RBAC roles.
Built-in Synapse RBAC roles and scopes
The following table describes the built-in roles and the scopes at which they can be used.
Note
Users with any Synapse RBAC role at any scope automatically have the Synapse User role at workspace scope.
Important
Synapse RBAC roles do not grant permissions to create or manage SQL pools, Apache Spark pools, and Integration runtimes in Azure Synapse workspaces. Azure Owner or Azure Contributor roles on the resource group are required for these actions.
Role | Permissions | Scopes |
---|---|---|
Synapse Administrator | Full Synapse access to serverless and dedicated SQL pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrators, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. Synapse RBAC roles can be assigned even when the associated subscription is disabled. Can: read and write artifacts; do all actions on Spark activities; view Spark pool logs; view saved notebook and pipeline output; use the secrets stored by linked services or credentials; assign and revoke Synapse RBAC roles at the current scope. | Workspace, Spark pool, Integration runtime, Linked service, Credential |
Synapse Apache Spark Administrator | Full Synapse access to Apache Spark pools. Create, read, update, and delete access to published Spark job definitions, notebooks, and their outputs, and to libraries, linked services, and credentials. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. Can: do all actions on Spark artifacts; do all actions on Spark activities. | Workspace, Spark pool |
Synapse SQL Administrator | Full Synapse access to serverless SQL pools. Create, read, update, and delete access to published SQL scripts, credentials, and linked services. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. Can: do all actions on SQL scripts; connect to serverless SQL endpoints with the SQL db_datareader, db_datawriter, connect, and grant permissions. | Workspace |
Synapse Contributor | Full Synapse access to Apache Spark pools and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts and their outputs, including credentials and linked services. Includes Compute Operator permissions. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access. Can: read and write artifacts; view saved notebook and pipeline output; do all actions on Spark activities; view Spark pool logs. | Workspace, Spark pool, Integration runtime |
Synapse Artifact Publisher | Create, read, update, and delete access to published code artifacts and their outputs. Doesn't include permission to run code or pipelines, or to grant access. Can: read published artifacts and publish artifacts; view saved notebook, Spark job, and pipeline output. | Workspace |
Synapse Artifact User | Read access to published code artifacts and their outputs. Can create new artifacts but can't publish changes or run code without more permissions. | Workspace |
Synapse Compute Operator | Submit Spark jobs and notebooks and view logs. Includes canceling Spark jobs submitted by any user. Requires additional Credential User permissions on the workspace system identity credential to run pipelines and to view pipeline runs and outputs. Can: submit and cancel jobs, including jobs submitted by others; view Spark pool logs. | Workspace, Spark pool, Integration runtime |
Synapse Monitoring Operator | Read published code artifacts, including logs and outputs for pipeline runs and completed notebooks. Includes the ability to list and view details of Apache Spark pools and Integration runtimes. Requires other permissions to run or cancel pipelines, Spark notebooks, and Spark jobs. | Workspace |
Synapse Credential User | Runtime and configuration-time use of secrets within credentials and linked services in activities like pipeline runs. To run pipelines, this role is required, scoped to the workspace system identity credential. Scoped to a credential, permits access to data via a linked service that is protected by the credential (may also require compute use permission). Allows execution of pipelines protected by the workspace system identity credential. | Workspace, Linked service, Credential |
Synapse Linked Data Manager | Creation and management of managed private endpoints, linked services, and credentials. Can create managed private endpoints that use linked services protected by credentials. | Workspace |
Synapse User | List and view details of SQL pools, Apache Spark pools, Integration runtimes, and published linked services and credentials. Doesn't include other published code artifacts. Can create new artifacts but can't run or publish without more permissions. Can list and read Spark pools and Integration runtimes. | Workspace, Spark pool, Linked service, Credential |
Synapse RBAC roles and the actions they permit
Note
- All actions listed in the tables below are prefixed with "Microsoft.Synapse/".
- All artifact read, write, and delete actions apply to published artifacts in the live service. These permissions do not affect access to artifacts in a connected Git repo; that access is governed by the Git provider's own permissions.
The following table lists the built-in roles and the actions (permissions) that each supports.
Role | Actions |
---|---|
Synapse Administrator | workspaces/read; workspaces/roleAssignments/write, delete; workspaces/managedPrivateEndpoint/write, delete; workspaces/bigDataPools/useCompute/action; workspaces/bigDataPools/viewLogs/action; workspaces/integrationRuntimes/useCompute/action; workspaces/integrationRuntimes/viewLogs/action; workspaces/artifacts/read; workspaces/notebooks/write, delete; workspaces/sparkJobDefinitions/write, delete; workspaces/sqlScripts/write, delete; workspaces/kqlScripts/write, delete; workspaces/dataFlows/write, delete; workspaces/pipelines/write, delete; workspaces/triggers/write, delete; workspaces/datasets/write, delete; workspaces/libraries/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action; workspaces/linkedServices/useSecret/action; workspaces/credentials/useSecret/action; workspaces/linkConnections/read; workspaces/linkConnections/write; workspaces/linkConnections/delete; workspaces/linkConnections/useCompute/action |
Synapse Apache Spark Administrator | workspaces/read; workspaces/bigDataPools/useCompute/action; workspaces/bigDataPools/viewLogs/action; workspaces/notebooks/viewOutputs/action; workspaces/artifacts/read; workspaces/notebooks/write, delete; workspaces/sparkJobDefinitions/write, delete; workspaces/libraries/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete |
Synapse SQL Administrator | workspaces/read; workspaces/artifacts/read; workspaces/sqlScripts/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete |
Synapse Contributor | workspaces/read; workspaces/bigDataPools/useCompute/action; workspaces/bigDataPools/viewLogs/action; workspaces/integrationRuntimes/useCompute/action; workspaces/integrationRuntimes/viewLogs/action; workspaces/artifacts/read; workspaces/notebooks/write, delete; workspaces/sparkJobDefinitions/write, delete; workspaces/sqlScripts/write, delete; workspaces/kqlScripts/write, delete; workspaces/dataFlows/write, delete; workspaces/pipelines/write, delete; workspaces/triggers/write, delete; workspaces/datasets/write, delete; workspaces/libraries/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action; workspaces/linkConnections/read; workspaces/linkConnections/write; workspaces/linkConnections/delete; workspaces/linkConnections/useCompute/action |
Synapse Artifact Publisher | workspaces/read; workspaces/artifacts/read; workspaces/notebooks/write, delete; workspaces/sparkJobDefinitions/write, delete; workspaces/sqlScripts/write, delete; workspaces/kqlScripts/write, delete; workspaces/dataFlows/write, delete; workspaces/pipelines/write, delete; workspaces/triggers/write, delete; workspaces/datasets/write, delete; workspaces/libraries/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action |
Synapse Artifact User | workspaces/read; workspaces/artifacts/read; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action |
Synapse Compute Operator | workspaces/read; workspaces/bigDataPools/useCompute/action; workspaces/bigDataPools/viewLogs/action; workspaces/integrationRuntimes/useCompute/action; workspaces/integrationRuntimes/viewLogs/action; workspaces/linkConnections/read; workspaces/linkConnections/useCompute/action |
Synapse Monitoring Operator | workspaces/read; workspaces/artifacts/read; workspaces/notebooks/viewOutputs/action; workspaces/pipelines/viewOutputs/action; workspaces/integrationRuntimes/viewLogs/action; workspaces/bigDataPools/viewLogs/action |
Synapse Credential User | workspaces/read; workspaces/linkedServices/useSecret/action; workspaces/credentials/useSecret/action |
Synapse Linked Data Manager | workspaces/read; workspaces/managedPrivateEndpoint/write, delete; workspaces/linkedServices/write, delete; workspaces/credentials/write, delete |
Synapse User | workspaces/read |
Synapse RBAC actions and the roles that permit them
The following table lists Synapse actions and the built-in roles that permit these actions:
Action | Role |
---|---|
workspaces/read | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Compute Operator, Synapse Monitoring Operator, Synapse Credential User, Synapse Linked Data Manager, Synapse User |
workspaces/roleAssignments/write, delete | Synapse Administrator |
workspaces/managedPrivateEndpoint/write, delete | Synapse Administrator, Synapse Linked Data Manager |
workspaces/bigDataPools/useCompute/action | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Compute Operator |
workspaces/bigDataPools/viewLogs/action | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Compute Operator, Synapse Monitoring Operator |
workspaces/integrationRuntimes/useCompute/action | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
workspaces/integrationRuntimes/viewLogs/action | Synapse Administrator, Synapse Contributor, Synapse Compute Operator, Synapse Monitoring Operator |
workspaces/linkConnections/read | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
workspaces/linkConnections/useCompute/action | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
workspaces/artifacts/read | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Monitoring Operator |
workspaces/notebooks/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/sparkJobDefinitions/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/sqlScripts/write, delete | Synapse Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/kqlScripts/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/dataFlows/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/pipelines/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/linkConnections/write, delete | Synapse Administrator, Synapse Contributor |
workspaces/triggers/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/datasets/write, delete | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/libraries/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher |
workspaces/linkedServices/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Linked Data Manager |
workspaces/credentials/write, delete | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Linked Data Manager |
workspaces/notebooks/viewOutputs/action | Synapse Administrator, Synapse Apache Spark Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Monitoring Operator |
workspaces/pipelines/viewOutputs/action | Synapse Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Monitoring Operator |
workspaces/linkedServices/useSecret/action | Synapse Administrator, Synapse Credential User |
workspaces/credentials/useSecret/action | Synapse Administrator, Synapse Credential User |
Synapse RBAC scopes and their supported roles
The table below lists Synapse RBAC scopes and the roles that can be assigned at each scope.
Note
To create or delete an object you must have permissions at a higher-level scope.
Scope | Roles |
---|---|
Workspace | Synapse Administrator, Synapse Apache Spark Administrator, Synapse SQL Administrator, Synapse Contributor, Synapse Artifact Publisher, Synapse Artifact User, Synapse Compute Operator, Synapse Monitoring Operator, Synapse Credential User, Synapse Linked Data Manager, Synapse User |
Apache Spark pool | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
Integration runtime | Synapse Administrator, Synapse Contributor, Synapse Compute Operator |
Linked service | Synapse Administrator, Synapse Credential User |
Credential | Synapse Administrator, Synapse Credential User |
Note
All artifact roles and actions are scoped at the workspace level.
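The role-to-action table and the scope-to-role table above together determine what a principal can actually do at a given scope, and they are the data a least-privilege review needs. The following Python is an added example, not Microsoft code and not an Azure SDK or CLI call: the role, action and scope data is transcribed from the tables on this page, the Synapse User inheritance rule from the note at the top of the page is applied, and the scope path form `workspaces/<name>/<kind>/<item>`, the workspace name `prod` and the principal `ci-runner` are assumptions made for illustration.

```python
"""Offline model of the Synapse RBAC built-in roles, actions and scopes tabulated
on this page. Added example; not Microsoft code and not an Azure API call."""
from __future__ import annotations
from dataclasses import dataclass

PREFIX = "Microsoft.Synapse/"   # every action below is implicitly prefixed with this

ARTIFACT_KINDS = ("notebooks", "sparkJobDefinitions", "sqlScripts", "kqlScripts",
                  "dataFlows", "pipelines", "triggers", "datasets", "libraries",
                  "linkedServices", "credentials")

def _wd(*kinds: str) -> list[str]:
    """Expand a 'kind/write, delete' table cell into its two actions."""
    return [f"workspaces/{k}/{op}" for k in kinds for op in ("write", "delete")]

READ = ["workspaces/read"]
ARTIFACTS_READ = ["workspaces/artifacts/read"]
SPARK = ["workspaces/bigDataPools/useCompute/action", "workspaces/bigDataPools/viewLogs/action"]
IR = ["workspaces/integrationRuntimes/useCompute/action", "workspaces/integrationRuntimes/viewLogs/action"]
LINKCONN = ["workspaces/linkConnections/read", "workspaces/linkConnections/write",
            "workspaces/linkConnections/delete", "workspaces/linkConnections/useCompute/action"]
OUTPUTS = ["workspaces/notebooks/viewOutputs/action", "workspaces/pipelines/viewOutputs/action"]
SECRETS = ["workspaces/linkedServices/useSecret/action", "workspaces/credentials/useSecret/action"]

# Role -> actions, transcribed from the "roles and the actions they permit" table.
ROLE_ACTIONS: dict[str, frozenset[str]] = {k: frozenset(v) for k, v in {
    "Synapse Administrator": READ + _wd("roleAssignments", "managedPrivateEndpoint") + SPARK + IR
        + ARTIFACTS_READ + _wd(*ARTIFACT_KINDS) + OUTPUTS + SECRETS + LINKCONN,
    "Synapse Apache Spark Administrator": READ + SPARK + OUTPUTS[:1] + ARTIFACTS_READ
        + _wd("notebooks", "sparkJobDefinitions", "libraries", "linkedServices", "credentials"),
    "Synapse SQL Administrator": READ + ARTIFACTS_READ + _wd("sqlScripts", "linkedServices", "credentials"),
    "Synapse Contributor": READ + SPARK + IR + ARTIFACTS_READ + _wd(*ARTIFACT_KINDS) + OUTPUTS + LINKCONN,
    "Synapse Artifact Publisher": READ + ARTIFACTS_READ + _wd(*ARTIFACT_KINDS) + OUTPUTS,
    "Synapse Artifact User": READ + ARTIFACTS_READ + OUTPUTS,
    "Synapse Compute Operator": READ + SPARK + IR + [LINKCONN[0], LINKCONN[3]],
    "Synapse Monitoring Operator": READ + ARTIFACTS_READ + OUTPUTS + [IR[1], SPARK[1]],
    "Synapse Credential User": READ + SECRETS,
    "Synapse Linked Data Manager": READ + _wd("managedPrivateEndpoint", "linkedServices", "credentials"),
    "Synapse User": READ,
}.items()}

# Scope kind -> roles assignable there, from the "scopes and their supported roles" table.
_COMPUTE_ROLES = {"Synapse Administrator", "Synapse Contributor", "Synapse Compute Operator"}
_SECRET_ROLES = {"Synapse Administrator", "Synapse Credential User"}
SCOPE_ROLES = {"workspace": set(ROLE_ACTIONS), "bigDataPools": _COMPUTE_ROLES,
               "integrationRuntimes": _COMPUTE_ROLES, "linkedServices": _SECRET_ROLES,
               "credentials": _SECRET_ROLES}

@dataclass(frozen=True)
class Assignment:
    principal: str
    role: str
    scope: str   # assumed path form: "workspaces/<ws>" or "workspaces/<ws>/<kind>/<item>"

def scope_kind(scope: str) -> str:
    parts = scope.split("/")
    if len(parts) == 2 and parts[0] == "workspaces":
        return "workspace"
    if len(parts) == 4 and parts[0] == "workspaces" and parts[2] in SCOPE_ROLES:
        return parts[2]
    raise ValueError(f"unrecognised scope {scope!r}")

def validate(a: Assignment) -> Assignment:
    """Reject assignments the scope table does not allow (e.g. Credential User on a Spark pool)."""
    if a.role not in ROLE_ACTIONS:
        raise ValueError(f"unknown role {a.role!r}")
    kind = scope_kind(a.scope)
    if a.role not in SCOPE_ROLES[kind]:
        raise ValueError(f"{a.role!r} cannot be assigned at {kind} scope")
    return a

def _workspace_of(scope: str) -> str:
    return "/".join(scope.split("/")[:2])

def effective_actions(assignments, principal: str, target: str) -> set[str]:
    """Actions `principal` holds on `target`: a role assigned at `target` or at an ancestor
    scope applies, and any assignment in the workspace implies Synapse User at workspace scope."""
    scope_kind(target)   # validate the target path shape
    actions: set[str] = set()
    for a in assignments:
        if a.principal != principal:
            continue
        if target == a.scope or target.startswith(a.scope + "/"):
            actions |= ROLE_ACTIONS[a.role]
        if _workspace_of(a.scope) == _workspace_of(target):
            actions |= ROLE_ACTIONS["Synapse User"]
    return actions

def can(assignments, principal: str, action: str, target: str) -> bool:
    return action.removeprefix(PREFIX) in effective_actions(assignments, principal, target)

def roles_permitting(action: str) -> list[str]:
    """Invert ROLE_ACTIONS; this regenerates the page's action -> roles table."""
    action = action.removeprefix(PREFIX)
    return sorted(r for r, acts in ROLE_ACTIONS.items() if action in acts)

# Constructed sample: a least-privilege pipeline runner on a hypothetical workspace "prod".
WS = "workspaces/prod"
RUNNER = [
    validate(Assignment("ci-runner", "Synapse Compute Operator", f"{WS}/integrationRuntimes/AutoResolveIntegrationRuntime")),
    validate(Assignment("ci-runner", "Synapse Credential User", f"{WS}/credentials/WorkspaceSystemIdentity")),
]

if __name__ == "__main__":
    for action, target in [("workspaces/integrationRuntimes/useCompute/action", f"{WS}/integrationRuntimes/AutoResolveIntegrationRuntime"),
                           ("workspaces/credentials/useSecret/action", f"{WS}/credentials/WorkspaceSystemIdentity"),
                           ("workspaces/pipelines/write", WS), ("workspaces/read", WS)]:
        print(f"{action:50} on {target:65} -> {can(RUNNER, 'ci-runner', action, target)}")
    print("roleAssignments/write permitted by:", roles_permitting("workspaces/roleAssignments/write"))
```

The sample models the minimum the Credential User row describes for running pipelines: Compute Operator on one integration runtime plus Credential User on the workspace system identity credential. Under that grant the runner can use the runtime and the secret, holds only the implied Synapse User read at workspace scope, and cannot read or publish artifacts; a broader grant such as Synapse Contributor at workspace scope would be visible as a much larger set from `effective_actions`. `roles_permitting` derives the action-to-roles table from the role-to-actions table, which is a quick way to spot a disagreement between the two.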
Next steps
- Learn how to review Synapse RBAC role assignments for a workspace.
- Learn how to assign Synapse RBAC roles.