Azure DW Vulnerability Assessment Permissions

In order to grant a user access to the vulnerability assessment you require specific permissions, some of which are undocumented.

If you have enabled the Advanced Data Security feature in Azure Data Warehouse, have configured Vulnerability Assessment successfully, and need a user who is not a subscription administrator to view the report data, you have to assign that user permissions in order to do so.

The permissions required are at the SQL level and at the storage account level; both can be assigned through RBAC roles within Azure.

- SQL Server Admin Role or SQL Security Manager Role 

- Reader and Data Access role at storage level


You could use a script like the following. It creates a custom role that starts from the SQL Security Manager built-in role and adds the actions that the Reader and Data Access built-in role grants. Once a user has been assigned the custom role, called "DW Vulnerability Assessment", they are able to view the assessment.

# Sign in and select the subscription that holds the Data Warehouse and its storage account
Connect-AzureRmAccount
Select-AzureRmSubscription '......'
# Start from the SQL Security Manager built-in role definition
$role = Get-AzureRmRoleDefinition -Name "SQL Security Manager"
# Clear the built-in role's ID, otherwise the new definition would try to reuse it and the create fails
$role.Id = $null
$role.Name = "DW Vulnerability Assessment"
$role.Description = "Grants you permission to view Vulnerability Assessment"
$role.IsCustom = $true
# Storage actions equivalent to what Reader and Data Access grants, needed to read the scan results
$role.Actions.Add("Microsoft.Storage/storageAccounts/listKeys/action")
$role.Actions.Add("Microsoft.Storage/storageAccounts/ListAccountSas/action")
$role.Actions.Add("Microsoft.Storage/storageAccounts/read")
# Replace the inherited scopes with the subscription the role may be assigned in
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/xxxxxx-xxxx-xxxx-xxx-xxxxxxxxx")
New-AzureRmRoleDefinition $role


The assignable scope above covers the entire subscription, including all of its storage accounts and SQL instances. If you want to limit this, grant the permissions at the resource level (the SQL server and the storage account used by the assessment) rather than at subscription level. This matters because Microsoft.Storage/storageAccounts/listKeys/action lets the holder retrieve the account keys, which give full access to everything in a storage account.
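To make the resource-level scoping described above concrete, here is an added example (not part of the original post) that builds the same custom role but only allows it to be assigned on one SQL server and one storage account, assigns it to a single user there, and lists the result. It uses the current Az module rather than the post's AzureRm cmdlets; the subscription, resource group, server, storage account and user names are placeholders to replace.

```powershell
# Added example, not from the original post. Az module cmdlets; all names are placeholders.
$SubscriptionId     = "00000000-0000-0000-0000-000000000000"   # placeholder
$ResourceGroupName  = "rg-datawarehouse"                        # placeholder
$SqlServerName      = "dw-logical-server"                       # placeholder: logical SQL server hosting the DW
$StorageAccountName = "dwvastorage"                             # placeholder: account holding the VA scan results
$UserPrincipalName  = "analyst@contoso.com"                     # placeholder: the non-admin who needs to read reports

Connect-AzAccount
Set-AzContext -Subscription $SubscriptionId

# Resource IDs of the only two resources the assessment reader actually needs
$sqlScope     = (Get-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $SqlServerName).ResourceId
$storageScope = (Get-AzStorageAccount -ResourceGroupName $ResourceGroupName -Name $StorageAccountName).Id

# Build the custom role from SQL Security Manager, as in the post, but restrict where it can be assigned
$role = Get-AzRoleDefinition -Name "SQL Security Manager"
$role.Id          = $null        # a new definition must not reuse the built-in role's ID
$role.IsCustom    = $true
$role.Name        = "DW Vulnerability Assessment"
$role.Description = "Grants you permission to view Vulnerability Assessment"
# listKeys/action returns the storage account keys (full access to that account),
# which is why the assignable scope is limited to the single account below
$role.Actions.Add("Microsoft.Storage/storageAccounts/listKeys/action")
$role.Actions.Add("Microsoft.Storage/storageAccounts/ListAccountSas/action")
$role.Actions.Add("Microsoft.Storage/storageAccounts/read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($sqlScope)
$role.AssignableScopes.Add($storageScope)
New-AzRoleDefinition -Role $role

# Role definitions replicate asynchronously; a short wait avoids "role not found" on the first assignment
Start-Sleep -Seconds 30

# Assign the role to the user on each resource, never on the subscription
$user = Get-AzADUser -UserPrincipalName $UserPrincipalName
foreach ($scope in @($sqlScope, $storageScope)) {
    New-AzRoleAssignment -ObjectId $user.Id -RoleDefinitionName $role.Name -Scope $scope
}

# Verify: every assignment of this role for the user should show a resource-level Scope
Get-AzRoleAssignment -ObjectId $user.Id |
    Where-Object { $_.RoleDefinitionName -eq $role.Name } |
    Select-Object RoleDefinitionName, Scope
```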