Synapse Workspace Permission Error

CharlRoux · ‎May 18 2020

With the release of Synapse Workspaces we have a new set of permissions to deal with allowing users access to the Synapse Workspace as well as the resources within the workspace.

Following the step by step instructions which are provided here users still have problems accessing the workspace and receive the following exception "You need permission to access workspace"

Resolution :

Confirm that your client breakout IP address has been granted access to the Workspace in the firewall blade of the Workspace in the Azure Portal. Firewall rules govern access to the workspace and will be reported as Permission Error while attempting to access the workspace.

WorkspaceFW Rules.PNG

In the event that you created the workspace via ARM template please follow the guidelines as documented here. The instructions will guide you through granting Storage Blob permissions for the Managed Identity.

In Powershell or Cloudshell Execute the following.

$identity=$(az synapse workspace show --name {workspace name} --resource-group {resource group name} --query "identity.principalId").
az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id {identity } --scope {storage account resource id}.
az synapse firewall-rule create --name allowAll --start-ip-address 0.0.0.0 --end-ip-address 255.255.255.255.

Jayendran · ‎Aug 14 2020

Thanks @CharlRoux , Just giving some additional insights here. If you create the synapses workspace in portal all will work perfect. However if you create using ARM with SPN Accounts then you need to add yourself as the workspace admin . You can do this by calling data plan API listed below. As of today (08/14/2020) the api is getting ready to publish to the docs.

MicrosoftTeams-image (1).png

Until that you can use the above API's . (Just make sure to set audience claim "https://dev.azuresynapse.net/")

jaydeepbhola · ‎Sep 16 2020

This could be one of the issues but not always. IMHO if we allowing 0.0.0.0 to 255.255.255.255 then adding the client IP is not always the case for you to get error message "Permission Error while attempting to access the workspace."

To access the Synape studio, We need to make sure that the user who is trying to access should be added as workspace Admin as per Secure your Synapse workspace.

CharlRoux · ‎Sep 16 2020

If you read the article, you will notice that I say once you have performed the permissions configuration which include workspace admin, "Following the step by step instructions which are provided here "

Therefore the article is intended for users who have completed the permissions setup and verified them already who still run into the issue.

jaydeepbhola · ‎Sep 16 2020

Yes I understand. It could be client IP issue but I dont think so after allowing 0.0.0.0 to 255.255.255.255( AllowAll), I beleive AllowAll passthrough all the ips so we do not need to add specifically Client IP address.

pepijnkummel · ‎Sep 22 2020

Hi @Jayendran thanks for sharing your insight, this is exacly what is happening on my workspace after deploying a Synapse Workspace with an ARM template (through a DevOps pipeline)

Can you elaborate your solution because I don't know how to apply it.

Do you know of a solution where you can do this assignment in the arm template itself some how?

Thanks

Jayendran · ‎Sep 22 2020

Hi @pepijnkummel ,

Since the synapse is still in preview a lots of docs are still not published . To address this I actually wrote a detailed blog post which you can refer

https://dev.to/jayendran/azure-synapse-analytics-workspaces-deploy-and-debug-part-1-1fap

Hope this helps

~Jay

pepijnkummel · ‎Sep 23 2020

Thanks @Jayendran , worked like a charm

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Synapse Workspace Permission Error