cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Custom role to restrict Azure Data Factory pipeline developers to create/delete linked services
By
JohnEmileLucien
Published Apr 30 2022 11:32 AM 4,635 Views
JohnEmileLucien
Microsoft
‎Apr 30 2022 11:32 AM

Custom role to restrict Azure Data Factory pipeline developers to create/delete linked services

‎Apr 30 2022 11:32 AM

 

Restrict ADF pipeline developers to create connection using linked services

 

Azure Data Factory has some built-in role such as Data Factory Contributor. Once this role is granted to the developers, they can create and run pipelines in Azure Data Factory. The role can be granted at the resource group or above depending on the assignable scope you want the users or group to have access to.

 

When there is a requirement that the Azure Data Factory pipeline developers should not create or delete linked services to connect to the data sources that they have access to, the built-in role (Data Factory Contributor) will not restrict them. This calls for the creation of custom roles. However, you need to be cognizant about the number of role assignments that you can have depending on your subscription. This can be verified by choosing your resource group and selection the Role assignments under Access Control (IAM).

 

How do we create a custom role to allow the Data Factory pipeline developers to create pipelines but restrict them only to the existing linked service for connection but not create or delete them?

 

The following steps will help to restrict them:

  1. In the Azure portal, select the resource group where you have the data factory created.
  2. Select Access Control (IAM)
  3. Click + Add
  4. Select Add custom role
  5. Under Basics provide a Custom role name. For example: Pipeline Developers
  6. Provide a description
  7. Select Clone a role for Baseline permissions
  8. Select Data Factory Contributor for Role to clone

JohnEmileLucien_0-1651263328599.png

 

  1. Click Next
  2. Under Permissions select + Exclude permissions

JohnEmileLucien_1-1651263328630.png

 

  1. Under Exclude Permissions, type Microsoft Data Factory and select it.

JohnEmileLucien_2-1651263328637.png

 

  1. Under Microsoft.DataFactory permissions, type Linked service
  2. Select Not Actions
  3. Select Delete: Delete Linked Service and Write: Create or Update any Linked service

JohnEmileLucien_3-1651263328652.png

 

  1. Click Add
  2. Click Next
  3. Under Assignable Scopes, make sure you want assignable scope to resource group or subscription. Delete and Add assignable scopes accordingly
  4. Go over the JSON Tab
  5. Click Review + create
  6. Once validated, click create

 

Note: Once the custom role is created, you can assign a user or group to this role. You can login with this user to Azure Data Factory. You will still be able to create a linked service but will not be able to save/publish.

 

JohnEmileLucien_4-1651263328673.png

 

 

Co-Authors
Version history
Last update:
‎Apr 30 2022 11:32 AM
Updated by:
Labels