With the release of Synapse Workspaces we have a new set of permissions to deal with allowing users access to the Synapse Workspace as well as the resources within the workspace.
Following the step by step instructions which are provided here users still have problems accessing the workspace and receive the following exception "You need permission to access workspace"
Resolution :
Confirm that your client breakout IP address has been granted access to the Workspace in the firewall blade of the Workspace in the Azure Portal. Firewall rules govern access to the workspace and will be reported as Permission Error while attempting to access the workspace.
In the event that you created the workspace via ARM template please follow the guidelines as documented here. The instructions will guide you through granting Storage Blob permissions for the Managed Identity.
In Powershell or Cloudshell Execute the following.
$identity=$(az synapse workspace show --name {workspace name} --resource-group {resource group name} --query "identity.principalId").
az role assignment create --role "Storage Blob Data Contributor" --assignee-object-id {identity } --scope {storage account resource id}.
az synapse firewall-rule create --name allowAll --start-ip-address 0.0.0.0 --end-ip-address 255.255.255.255.