Microsoft

With the release of Synapse Workspaces, there is a new set of permissions to deal with, governing user access to the Synapse workspace as well as to the resources within the workspace.

Even after following the step-by-step instructions provided here (https://docs.microsoft.com/en-us/azure/synapse-analytics/security/how-to-set-up-access-control), users still have problems accessing the workspace and receive the following exception: "You need permission to access workspace".

wspace.png

 

Resolution:

Confirm that your client's breakout (public egress) IP address has been granted access in the firewall blade of the workspace in the Azure portal. Firewall rules govern access to the workspace, and a connection that the firewall blocks is reported as a permission error when you attempt to access the workspace.

WorkspaceFW Rules.PNG
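
The firewall check described above can also be run from a shell instead of the portal blade. The following is an added example, not part of the original article: given the workspace's firewall rules as tab-separated name/start/end lines, it lists the rules that admit a client IP and marks any rule that spans the entire IPv4 range. The function names, the sample rules and the `az` query shape in the closing comment are assumptions.

```sh
# Added example (POSIX sh). Input: one rule per line, "name<TAB>start<TAB>end".

# Convert a dotted-quad IPv4 address to an integer; fail on malformed input.
ip_to_int() (
  case "$1" in ''|*[!0-9.]*|*.) return 1 ;; esac
  IFS=.
  set -- $1
  [ "$#" -eq 4 ] || return 1
  n=0
  for o in "$@"; do
    [ -n "$o" ] && [ "${#o}" -le 3 ] || return 1
    o=${o#0}; o=${o#0}; o=${o:-0}   # strip leading zeros so 010 is not read as octal
    [ "$o" -le 255 ] || return 1
    n=$(( n * 256 + o ))
  done
  echo "$n"
)

# Print every rule whose range contains client IP $1, read from stdin.
# Returns 0 if at least one rule matches, 1 if none does, 2 on a bad IP.
covering_rules() (
  ip=$(ip_to_int "$1") || { echo "invalid client IP: $1" >&2; return 2; }
  tab=$(printf '\t'); found=1
  while IFS="$tab" read -r name start end; do
    s=$(ip_to_int "$start") && e=$(ip_to_int "$end") || continue
    [ "$ip" -ge "$s" ] && [ "$ip" -le "$e" ] || continue
    if [ "$s" -eq 0 ] && [ "$e" -eq 4294967295 ]; then
      echo "$name (open to all IPv4 addresses)"
    else
      echo "$name"
    fi
    found=0
  done
  return "$found"
)

# Constructed sample rules (documentation address ranges), not real output.
SAMPLE_RULES=$(printf '%s\t%s\t%s\n' \
  office 198.51.100.0 198.51.100.255 \
  vpn 203.0.113.10 203.0.113.20)

printf '%s\n' "$SAMPLE_RULES" | covering_rules 203.0.113.15
printf '%s\n' "$SAMPLE_RULES" | covering_rules 192.0.2.44 ||
  echo "no firewall rule admits 192.0.2.44"

# Live use (current az CLI command group; the property names are assumed):
#   az synapse workspace firewall-rule list --workspace-name <ws> --resource-group <rg> \
#     --query "[].[name,startIpAddress,endIpAddress]" -o tsv | covering_rules <client-ip>
```

A rule tagged as open to all IPv4 addresses means the firewall is not what is blocking the client, so the remaining cause to check is the workspace role assignment.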

If you created the workspace via an ARM template, follow the guidelines documented here (https://docs.microsoft.com/en-us/azure/synapse-analytics/release-notes#azure-cli). The instructions will guide you through granting Storage Blob permissions for the Managed Identity.

In PowerShell or Cloud Shell, execute the following:

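# -o tsv returns the principal ID without the surrounding JSON quotes
$identity=$(az synapse workspace show --name {workspace name} --resource-group {resource group name} --query "identity.principalId" -o tsv)
az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id $identity --scope {storage account resource id}
# allowAll opens the workspace firewall to every IPv4 address; use your client IP for both values to restrict it
az synapse firewall-rule create --name allowAll --workspace-name {workspace name} --resource-group {resource group name} --start-ip-address 0.0.0.0 --end-ip-address 255.255.255.255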

 

7 Comments
Occasional Contributor

Thanks @CharlRoux, just giving some additional insights here. If you create the Synapse workspace in the portal, all will work perfectly. However, if you create it using ARM with SPN accounts, then you need to add yourself as the workspace admin. You can do this by calling the data plane API listed below. As of today (08/14/2020), the API is getting ready to be published to the docs (https://github.com/Azure/azure-cli/issues/14722).

MicrosoftTeams-image (1).png

Until then, you can use the above APIs. (Just make sure to set the audience claim to "https://dev.azuresynapse.net/".)

Occasional Visitor

This could be one of the issues, but not always. IMHO, if we are allowing 0.0.0.0 to 255.255.255.255, then adding the client IP is not always the case for you to get the error message "Permission Error while attempting to access the workspace."

To access Synapse Studio, we need to make sure that the user who is trying to access it is added as workspace admin, as per Secure your Synapse workspace (https://docs.microsoft.com/en-us/azure/synapse-analytics/security/how-to-set-up-access-control).

Microsoft

If you read the article, you will notice that I say once you have performed the permissions configuration, which includes workspace admin: "Following the step by step instructions which are provided here".

Therefore, the article is intended for users who have already completed the permissions setup and verified it, and who still run into the issue.

Occasional Visitor

Yes, I understand. It could be a client IP issue, but I don't think so after allowing 0.0.0.0 to 255.255.255.255 (AllowAll). I believe AllowAll passes through all the IPs, so we do not need to specifically add the client IP address.

Regular Visitor

Hi @Jayendran Arumugam, thanks for sharing your insight. This is exactly what is happening on my workspace after deploying a Synapse Workspace with an ARM template (through a DevOps pipeline).

Can you elaborate on your solution, because I don't know how to apply it?

Do you know of a solution where you can do this assignment in the ARM template itself somehow?

Thanks

Occasional Contributor

Hi @pepijnkummel,

Since Synapse is still in preview, a lot of docs are still not published. To address this, I actually wrote a detailed blog post which you can refer to:

https://dev.to/jayendran/azure-synapse-analytics-workspaces-deploy-and-debug-part-1-1fap

Hope this helps

~Jay

Regular Visitor

Thanks @Jayendran Arumugam, worked like a charm