Synapse RBAC Roles

The article describes the built-in Synapse RBAC (role-based access control) roles, the permissions they grant, and the scopes at which they can be used.

For more information on reviewing and assigning Synapse role memberships, see how to review Synapse RBAC role assignments and how to assign Synapse RBAC roles.

Built-in Synapse RBAC roles and scopes

The following table describes the built-in roles and the scopes at which they can be used.

Note

Users with any Synapse RBAC role at any scope automatically have the Synapse User role at workspace scope.

Important

Synapse RBAC roles do not grant permissions to create or manage SQL pools, Apache Spark pools, and Integration runtimes in Azure Synapse workspaces. Azure Owner or Azure Contributor roles on the resource group are required for these actions.

Role Permissions Scopes
Synapse Administrator Full Synapse access to serverless and dedicated SQL pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources. Synapse RBAC roles can be assigned even when the associated subscription is disabled.

Can read and write artifacts
Can do all actions on Spark activities.
Can view Spark pool logs
Can view saved notebook and pipeline output
Can use the secrets stored by linked services or credentials
Can assign and revoke Synapse RBAC roles at current scope
Workspace
Spark pool
Integration runtime
Linked service
Credential
Synapse Apache Spark Administrator
Full Synapse access to Apache Spark Pools. Create, read, update, and delete access to published Spark job definitions, notebooks, and their outputs, and to libraries, linked services, and credentials. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.

Can do all actions on Spark artifacts
Can do all actions on Spark activities
Workspace
Spark pool
Synapse SQL Administrator Full Synapse access to serverless SQL pools. Create, read, update, and delete access to published SQL scripts, credentials, and linked services. Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.

Can do all actions on SQL scripts
Can connect to SQL serverless endpoints with SQL db_datareader, db_datawriter, connect, and grant permissions
Workspace
Synapse Contributor Full Synapse access to Apache Spark pools and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts and their outputs, including credentials and linked services.  Includes compute operator permissions. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.

Can read and write artifacts
Can view saved notebook and pipeline output
Can do all actions on Spark activities
Can view Spark pool logs
Workspace
Spark pool
Integration runtime
Synapse Artifact Publisher Create, read, update, and delete access to published code artifacts and their outputs. Doesn't include permission to run code or pipelines, or to grant access.

Can read published artifacts and publish artifacts
Can view saved notebook, Spark job, and pipeline output
Workspace
Synapse Artifact User Read access to published code artifacts and their outputs. Can create new artifacts but can't publish changes or run code without more permissions. Workspace
Synapse Compute Operator Submit Spark jobs and notebooks and view logs. Includes canceling Spark jobs submitted by any user. Requires other use credential permissions on the workspace system identity to run pipelines, view pipeline runs and outputs.

Can submit and cancel jobs, including jobs submitted by others
Can view Spark pool logs
Workspace
Spark pool
Integration runtime
Synapse Monitoring Operator Read published code artifacts, including logs and outputs for pipeline runs and completed notebooks. Includes ability to list and view details of Apache Spark pools, and Integration runtimes. Requires other permissions to run/cancel pipelines, Spark notebooks, and Spark jobs. Workspace
Synapse Credential User Runtime and configuration-time use of secrets within credentials and linked services in activities like pipeline runs. To run pipelines, this role is required, scoped to the workspace system identity.

Scoped to a credential, permits access to data via a linked service that is protected by the credential (may also require compute use permission)
Allows execution of pipelines protected by the workspace system identity credential
Workspace
Linked Service
Credential
Synapse Linked Data Manager Creation and management of managed private endpoints, linked services, and credentials. Can create managed private endpoints that use linked services protected by credentials Workspace
Synapse User List and view details of SQL pools, Apache Spark pools, Integration runtimes, and published linked services and credentials. Doesn't include other published code artifacts. Can create new artifacts but can't run or publish without more permissions.

Can list and read Spark pools, Integration runtimes.
Workspace, Spark pool
Linked service
Credential

Synapse RBAC roles and the actions they permit

Note

  • All actions listed in the tables below are prefixed, "Microsoft.Synapse/..."
  • All artifact read, write, and delete actions are with respect to published artifacts in the live service. These permissions do not affect access to artifacts in a connected Git repo.

The following table lists the built-in roles and the actions/permissions that each support.

Role Actions
Synapse Administrator workspaces/read
workspaces/roleAssignments/write, delete
workspaces/managedPrivateEndpoint/write, delete
workspaces/bigDataPool/useCompute/action
workspaces/bigDataPool/viewLogs/action
workspaces/scopePool/useCompute/action
workspaces/scopePool/viewLogs/action
workspaces/integrationRuntime/useCompute/action
workspaces/integrationRuntime/viewLogs/action
workspaces/artifacts/read
workspaces/notebooks/write
workspaces/sparkJobDefinitions/write, delete
workspaces/scopeJobDefinitions/write, delete
workspaces/sqlScripts/write, delete
workspaces/dataFlows/write, delete
workspaces/dataMappers/write, delete
workspaces/pipelines/write, delete
workspaces/triggers/write, delete
workspaces/datasets/write, delete
workspaces/linkedServices/write, delete
workspaces/credentials/write, delete
workspaces/notebooks/delete
workspaces/cancelPipelineRun/action
workspaces/notebooksViewOutputs/action
workspaces/pipelinesViewOutputs/action
workspaces/linkedServicesUseSecret/action
workspaces/credentialsUseSecret/action
workspaces/libraries/write, delete
workspaces/kQLScripts/write, delete
workspaces/sparkConfigurations/write, delete
workspaces/synapseLinkConnections/read, write, delete
workspaces/synapseLinkConnections/useCompute/action
Synapse Apache Spark Administrator workspaces/read
orkspaces/bigDataPoolUseCompute/action
orkspaces/bigDataPoolViewLogs/action
orkspaces/artifacts/read
orkspaces/notebooks/write, delete
orkspaces/sparkJobDefinitions/write, delete
orkspaces/linkedServices/write, delete
orkspaces/credentials/write, delete
orkspaces/libraries/write, delete
orkspaces/notebooksViewOutputs/action
Synapse SQL Administrator workspaces/read
workspaces/artifacts/read
workspaces/sqlScripts/write, delete
workspaces/linkedServices/write, delete
workspaces/credentials/write, delete
Synapse Scope Administrator workspaces/read
workspaces/scopePoolUseCompute/action
workspaces/scopePoolViewLogs/action
workspaces/linkedServices/write, delete
workspaces/credentials/write, delete
workspaces/scopeJobDefinitions/write, delete
Synapse Private Endpoint Manager workspaces/read
workspaces/managedPrivateEndpoint/write, delete
workspaces/linkedServices/write, delete
workspaces/credentials/write, delete
Synapse Contributor workspaces/read
workspaces/bigDataPool/useCompute/action
workspaces/bigDataPool/viewLogs/action
workspaces/scopePool/useCompute/action
workspaces/scopePool/viewLogs/action
workspaces/integrationRuntime/useCompute/action
workspaces/integrationRuntime/viewLogs/action
workspaces/artifacts/read
workspaces/notebooks/write, delete
workspaces/sparkJobDefinitions/write, delete
workspaces/sqlScripts/write, delete
workspaces/dataFlows/write, delete
workspaces/dataMappers/write, delete
workspaces/pipelines/write, delete
workspaces/triggers/write, delete
workspaces/datasets/write, delete
workspaces/linkedServices/write, delete
workspaces/credentials/write, delete
workspaces/cancelPipelineRun/action
workspaces/notebooksViewOutputs/action
workspaces/pipelinesViewOutputs/action
workspaces/libraries/write, delete
workspaces/kQLScripts/write, delete
workspaces/sparkConfigurations/write, delete
workspaces/synapseLinkConnections/read,write, delete
workspaces/synapseLinkConnections/useComputeAction
Synapse Artifact Publisher workspaces/read
workspaces/artifacts/read
workspaces/notebooks/write, delete
workspaces/sparkJobDefinitions/write, delete
workspaces/scopeJobDefinitions/write, delete
workspaces/sqlScripts/write, delete
workspaces/dataFlows/write, delete
workspaces/dataMappers/write, delete
workspaces/pipelines/write, delete
workspaces/triggers/write, delete
workspaces/datasets/write, delete
workspaces/linkedServices/write, delete
workspaces/credentials/write, delete
workspaces/notebooksViewOutputs/action
workspaces/pipelinesViewOutputs/action
workspaces/libraries/write, delete
workspaces/kQLScripts/write, delete
workspaces/sparkConfigurations/write, delete
Synapse Artifact User workspaces/read
workspaces/artifacts/read
workspaces/notebooks/viewOutputs/action
workspaces/pipelines/viewOutputs/action
Synapse Compute Operator workspaces/read
workspaces/bigDataPools/useCompute/action
workspaces/bigDataPools/viewLogs/action
workspaces/scopePool/useCompute/action
workspaces/scopePool/viewLogs/action
workspaces/integrationRuntimes/useCompute/action
workspaces/integrationRuntimes/viewLogs/action
workspaces/cancelPipelineRun/action
workspaces/linkConnections/read
workspaces/linkConnections/useCompute/action
Synapse Monitoring Operator workspaces/read
workspaces/artifacts/read
workspaces/notebooks/viewOutputs/action
workspaces/pipelines/viewOutputs/action
workspaces/integrationRuntimes/viewLogs/action
workspaces/bigDataPools/viewLogs/action
Synapse Credential User workspaces/read
workspaces/linkedServices/useSecret/action
workspaces/credentials/useSecret/action
Synapse Linked Data Manager workspaces/read
workspaces/managedPrivateEndpoint/write, delete
workspaces/linkedServices/write, delete
workspaces/credentials/write, delete
Synapse User workspaces/read

Synapse RBAC actions and the roles that permit them

The following table lists Synapse actions and the built-in roles that permit these actions:

Action Role
workspaces/read Synapse Administrator
Synapse Apache Spark Administrator
Synapse SQL Administrator
Synapse Contributor
Synapse Artifact Publisher
Synapse Artifact User
Synapse Compute Operator
Synapse Monitoring Operator
Synapse Credential User
Synapse Linked Data Manager
Synapse User
workspaces/roleAssignments/write, delete Synapse Administrator
workspaces/managedPrivateEndpoint/write, delete Synapse Administrator
Synapse Linked Data Manager
workspaces/bigDataPools/useCompute/action Synapse Administrator
Synapse Apache Spark Administrator
Synapse Contributor
Synapse Compute Operator
Synapse Monitoring Operator
workspaces/bigDataPools/viewLogs/action Synapse Administrator
Synapse Apache Spark Administrator
Synapse Contributor
Synapse Compute Operator
workspaces/integrationRuntimes/useCompute/action Synapse Administrator
Synapse Contributor
Synapse Compute Operator
Synapse Monitoring Operator
workspaces/integrationRuntimes/viewLogs/action Synapse Administrator
Synapse Contributor
Synapse Compute Operator
Synapse Monitoring Operator
workspaces/linkConnections/read Synapse Administrator
Synapse Contributor
Synapse Compute Operator
workspaces/linkConnections/useCompute/action Synapse Administrator
Synapse Contributor
Synapse Compute Operator
workspaces/artifacts/read Synapse Administrator
Synapse Apache Spark Administrator
Synapse SQL Administrator
Synapse Contributor
Synapse Artifact Publisher
Synapse Artifact User
workspaces/notebooks/write, delete Synapse Administrator
Synapse Apache Spark Administrator
Synapse Contributor
Synapse Artifact Publisher
workspaces/sparkJobDefinitions/write, delete Synapse Administrator
Synapse Apache Spark Administrator
Synapse Contributor
Synapse Artifact Publisher
workspaces/sqlScripts/write, delete Synapse Administrator
Synapse SQL Administrator
Synapse Contributor
Synapse Artifact Publisher
workspaces/kqlScripts/write, delete Synapse Administrator
Synapse Contributor
Synapse Artifact Publisher
workspaces/dataFlows/write, delete Synapse Administrator
Synapse Contributor
Synapse Artifact Publisher
workspaces/pipelines/write, delete Synapse Administrator
Synapse Contributor
Synapse Artifact Publisher
workspaces/linkConnections/write, delete Synapse Administrator
Synapse Contributor
workspaces/triggers/write, delete Synapse Administrator
Synapse Contributor
Synapse Artifact Publisher
workspaces/datasets/write, delete Synapse Administrator
Synapse Contributor
Synapse Artifact Publisher
workspaces/libraries/write, delete Synapse Administrator
Synapse Apache Spark Administrator
Synapse Contributor
Synapse Artifact Publisher
workspaces/linkedServices/write, delete Synapse Administrator
Synapse Apache Spark Administrator
Synapse SQL Administrator
Synapse Contributor
Synapse Artifact Publisher
Synapse Linked Data Manager
workspaces/credentials/write, delete Synapse Administrator
Synapse Apache Spark Administrator
Synapse SQL Administrator
Synapse Contributor
Synapse Artifact Publisher
Synapse Linked Data Manager
workspaces/notebooks/viewOutputs/action Synapse Administrator
Synapse Apache Spark Administrator
Synapse Contributor
Synapse Artifact Publisher
Synapse Artifact User
workspaces/pipelines/viewOutputs/action Synapse Administrator
Synapse Contributor
Synapse Artifact Publisher
Synapse Artifact User
workspaces/linkedServices/useSecret/action Synapse Administrator
Synapse Credential User
workspaces/credentials/useSecret/action Synapse Administrator
Synapse Credential User

Synapse RBAC scopes and their supported roles

The table below lists Synapse RBAC scopes and the roles that can be assigned at each scope.

Note

To create or delete an object you must have permissions at a higher-level scope.

Scope Roles
Workspace Synapse Administrator
Synapse Apache Spark Administrator
Synapse SQL Administrator
Synapse Contributor
Synapse Artifact Publisher
Synapse Artifact User
Synapse Compute Operator
Synapse Monitoring Operator
Synapse Credential User
Synapse Linked Data Manager
Synapse User
Apache Spark pool Synapse Administrator
Synapse Contributor
Synapse Compute Operator
Integration runtime Synapse Administrator
Synapse Contributor
Synapse Compute Operator
Linked service Synapse Administrator
Synapse Credential User
Credential Synapse Administrator
Synapse Credential User

Note

All artifact roles and actions are scoped at the workspace level.

Next steps