Restrict ADF pipeline developers from creating connections (linked services)
Azure Data Factory has built-in roles such as Data Factory Contributor. Once this role is granted, developers can create and run pipelines in Azure Data Factory. The role can be granted at the resource group scope or above, depending on the scope at which you want the users or group to have access.
When the requirement is that pipeline developers must not create or delete linked services (the connections, credentials included, to the data sources a factory can reach), the built-in Data Factory Contributor role does not help: it grants Microsoft.DataFactory/factories/*, which covers linked services. This calls for a custom role. Be aware of the limits on role assignments per subscription (Azure RBAC currently allows 4,000 role assignments per subscription) and on custom roles per directory (5,000); you can see the existing assignments by selecting the resource group and then Role assignments under Access Control (IAM).
How do we create a custom role that lets pipeline developers create pipelines and use the existing linked services, but not create, update or delete linked services?
The following steps create such a role:
- In the Azure portal, select the resource group that contains the data factory.
- Select Access Control (IAM).
- Click + Add.
- Select Add custom role.
- Under Basics, provide a custom role name, for example: Pipeline Developers.
- Provide a description.
- For Baseline permissions, select Clone a role.
- For Role to clone, select Data Factory Contributor.
- Click Next.
- Under Permissions, select + Exclude permissions.
- Under Exclude permissions, type Microsoft Data Factory and select it.
- Under Microsoft.DataFactory permissions, type Linked service to filter the list.
- Select Not Actions.
- Select Delete: Delete Linked Service and Write: Create or Update any Linked service. These become the NotActions Microsoft.DataFactory/factories/linkedServices/delete and Microsoft.DataFactory/factories/linkedServices/write.
- Click Add.
- Click Next.
- Under Assignable scopes, confirm the scope (resource group or subscription) at which the role may be assigned; delete and add assignable scopes accordingly, preferring the narrowest scope that meets the need.
- Review the JSON tab and confirm that the two linked service permissions appear under notActions (excluded) while Microsoft.DataFactory/factories/* remains under actions.
- Click Review + create.
- Once validation passes, click Create.
Note: Once the custom role is created, you can assign it to a user or group. If you sign in to Azure Data Factory as that user, the authoring UI still lets you fill in a new linked service, but saving or publishing it fails, because the restriction is enforced on the Microsoft.DataFactory/factories/linkedServices/write call to Azure Resource Manager, not in the UI. Two caveats: NotActions subtract from this role only and are not deny rules, so a second assignment that grants linkedServices/write (for example Contributor on the subscription) re-enables it; and in a Git-enabled factory, Save commits to the repository branch rather than to the factory, so the restriction is enforced only when someone publishes.
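The steps above produce a role definition that Azure RBAC evaluates as Actions minus NotActions, matched with wildcards. The following is an added example (not code from the original article or from Microsoft) that embeds the resulting Pipeline Developers definition in the format accepted by `az role definition create`, and models that evaluation so you can check which operations the role grants before assigning it. The Actions list is the Data Factory Contributor built-in role as cloned at the time of writing; regenerate it from `az role definition list --name "Data Factory Contributor"` before use. The subscription ID, resource group name and the abridged Contributor role are placeholders, as are the function names.

```python
"""Model how Azure RBAC evaluates the "Pipeline Developers" custom role.

Added example; not code from the original article or from Microsoft.
The Actions list is the Data Factory Contributor built-in role as cloned at
the time of writing, with the two linked-service permissions moved to
NotActions. Regenerate it from
`az role definition list --name "Data Factory Contributor"` before use.
Subscription and resource group values are placeholders.
"""
import json
import re

SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"  # placeholder
RESOURCE_GROUP = "rg-adf-dev"                              # placeholder

PIPELINE_DEVELOPERS_ROLE = {
    "Name": "Pipeline Developers",
    "Description": "Data Factory Contributor minus create/update/delete of linked services.",
    "IsCustom": True,
    "Actions": [
        "Microsoft.Authorization/*/read",
        "Microsoft.DataFactory/dataFactories/*",
        "Microsoft.DataFactory/factories/*",
        "Microsoft.Insights/alertRules/*",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Support/*",
        "Microsoft.EventGrid/eventSubscriptions/write",
    ],
    # The two permissions excluded in the portal steps. They are subtracted
    # from this role's Actions only; they are not deny assignments.
    "NotActions": [
        "Microsoft.DataFactory/factories/linkedServices/write",
        "Microsoft.DataFactory/factories/linkedServices/delete",
    ],
    "DataActions": [],
    "NotDataActions": [],
    "AssignableScopes": [
        f"/subscriptions/{SUBSCRIPTION_ID}/resourceGroups/{RESOURCE_GROUP}",
    ],
}

# Built-in Contributor, abridged (placeholder): a wildcard over control-plane actions.
CONTRIBUTOR_ROLE = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, '/' included; case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_permits(role: dict, operation: str) -> bool:
    """A single role grants an operation if it matches an Action and no NotAction."""
    granted = any(_matches(a, operation) for a in role["Actions"])
    excluded = any(_matches(n, operation) for n in role.get("NotActions", []))
    return granted and not excluded


def effective_permit(assigned_roles: list, operation: str) -> bool:
    """Across all of a principal's assignments, any role that grants the operation wins.

    This is why NotActions in one role cannot block a permission granted by another.
    """
    return any(role_permits(r, operation) for r in assigned_roles)


def role_definition_json(role: dict) -> str:
    """Render the definition for `az role definition create --role-definition @file.json`."""
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    dev = [PIPELINE_DEVELOPERS_ROLE]
    for op in (
        "Microsoft.DataFactory/factories/pipelines/write",
        "Microsoft.DataFactory/factories/linkedServices/read",
        "Microsoft.DataFactory/factories/linkedServices/write",
        "Microsoft.DataFactory/factories/linkedServices/delete",
    ):
        print(f"{op}: {effective_permit(dev, op)}")
    # The same developer with Contributor on a wider scope regains the permission.
    print(effective_permit(dev + [CONTRIBUTOR_ROLE],
                           "Microsoft.DataFactory/factories/linkedServices/write"))
    print(role_definition_json(PIPELINE_DEVELOPERS_ROLE))
```

Write the rendered JSON to a file and create and assign the role with `az role definition create --role-definition @pipeline-developers.json` followed by `az role assignment create --assignee <user-or-group> --role "Pipeline Developers" --scope /subscriptions/<id>/resourceGroups/<rg>`. The `effective_permit` check with Contributor added shows the caveat above in code: if the developer already holds a broader role at the subscription, the custom role changes nothing.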
Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.