Security Access to Trigger a specific Pipeline in Azure Data Factory

Problem Statement:

One can grant a user access to execute all pipelines within an Azure Data Factory by adding the user to the Reader role for that ADF and creating a custom role with the definition below:

Microsoft.DataFactory/factories/pipelines/createrun/action
Microsoft.DataFactory/factories/cancelpipelinerun/action
Microsoft.DataFactory/factories/pipelineruns/cancel/action

Is it possible to grant a user access to trigger only a specific pipeline in an Azure Data Factory?

Prerequisites:

  1. Azure Data Factory

Solution:

1. Add the user to the Reader role on the Azure Data Factory (ADF) that contains the pipeline the user needs permission to execute.

2. Go to the Subscription and, under Access Control (IAM), select ‘Add custom role’.

3. Select the ‘JSON’ tab and click ‘Edit’.

4. Use the JSON template below to update the custom role, then click ‘Save’. Note that the only action granted is createrun, and the assignable scope is the single pipeline rather than the factory, resource group or subscription.


{
    "properties": {
        "roleName": "OnDemandADFPipeLineExecution",
        "description": "This allows to run a particular DF pipeline",
        "assignableScopes": [
            "/subscriptions/<<SubscriptionID>>/resourceGroups/<<RGName>>/providers/Microsoft.DataFactory/factories/<<ADFName>>/pipelines/<<PipelineName>>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.DataFactory/factories/pipelines/createrun/action"
                ],
                "notActions": [],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

5. Click ‘Review + create’, which creates the custom role.

6. To view the details/definition of the custom role that was created with pipeline scope, use the command below:

Get-AzRoleDefinition -Name "<<Custom Role Name>>"

Note: This new custom role will not appear in the Custom roles list in the Azure Portal, because a pipeline-level “assignableScopes” entry (as used here) is not officially supported there. So you will not be able to select it from “Access Control (IAM) -> Role assignments” in the Portal, but you can still assign this custom role to a user using PowerShell.

7. To assign this custom role (which allows running only the one ADF pipeline) to a user, use the command below:

New-AzRoleAssignment -ObjectId "<<ObjectID of the user/DL>>" -RoleDefinitionName "<<Custom Role Name>>" -Scope "/subscriptions/<<Subscription Id>>/resourceGroups/<<Resource Group Name>>/providers/Microsoft.DataFactory/factories/<<Data Factory Name>>/pipelines/<<Pipeline Name>>"
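The whole procedure above, as one PowerShell script. This is an added example and not part of the original post: it replaces the Portal JSON editor (steps 2 to 5) with New-AzRoleDefinition -InputFile, which expects the flat role format rather than the Portal's "properties" wrapper, then verifies the definition, makes the pipeline-scoped assignment, and finally lists every assignment the principal holds on the factory so an over-broad grant elsewhere is visible. It assumes an existing Connect-AzAccount session with the Az.Resources module; every <<...>> value is a placeholder you supply, and the role name is the one used in the post.

```powershell
# Added example (not from the original post). Assumes Az.Resources and an
# existing Connect-AzAccount session; all <<...>> values are placeholders.
$SubscriptionId = "<<SubscriptionID>>"
$ResourceGroup  = "<<RGName>>"
$FactoryName    = "<<ADFName>>"
$PipelineName   = "<<PipelineName>>"
$UserObjectId   = "<<ObjectID of the user/DL>>"
$RoleName       = "OnDemandADFPipeLineExecution"

# The scope is the single pipeline, not the factory: this is what limits the grant.
$FactoryScope  = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup" +
                 "/providers/Microsoft.DataFactory/factories/$FactoryName"
$PipelineScope = "$FactoryScope/pipelines/$PipelineName"

# Step 1: Reader on the factory, so the user can see the factory and its pipelines.
if (-not (Get-AzRoleAssignment -ObjectId $UserObjectId -RoleDefinitionName "Reader" -Scope $FactoryScope)) {
    New-AzRoleAssignment -ObjectId $UserObjectId -RoleDefinitionName "Reader" -Scope $FactoryScope | Out-Null
}

# Steps 2-5: create the custom role from PowerShell instead of the Portal editor.
# New-AzRoleDefinition -InputFile takes this flat shape (no "properties" wrapper).
if (-not (Get-AzRoleDefinition -Name $RoleName)) {
    $definition = @{
        Name             = $RoleName
        Description      = "This allows to run a particular DF pipeline"
        Actions          = @("Microsoft.DataFactory/factories/pipelines/createrun/action")
        NotActions       = @()
        DataActions      = @()
        NotDataActions   = @()
        AssignableScopes = @($PipelineScope)
    }
    $tmp = Join-Path ([System.IO.Path]::GetTempPath()) "adf-pipeline-role.json"
    $definition | ConvertTo-Json -Depth 4 | Set-Content -Path $tmp -Encoding utf8
    New-AzRoleDefinition -InputFile $tmp | Out-Null
    Remove-Item $tmp
}

# Step 6: confirm the definition carries only the one action and the pipeline scope.
Get-AzRoleDefinition -Name $RoleName |
    Select-Object Name, Actions, AssignableScopes | Format-List

# Step 7: assign the custom role at pipeline scope (idempotent).
if (-not (Get-AzRoleAssignment -ObjectId $UserObjectId -RoleDefinitionName $RoleName -Scope $PipelineScope)) {
    New-AzRoleAssignment -ObjectId $UserObjectId -RoleDefinitionName $RoleName -Scope $PipelineScope | Out-Null
}

# Review: everything the principal holds at or above the factory scope. A broader
# role here (for example Data Factory Contributor on the resource group) would make
# the pipeline-level restriction meaningless, so it should show only Reader plus
# the custom role.
Get-AzRoleAssignment -ObjectId $UserObjectId -Scope $FactoryScope |
    Select-Object RoleDefinitionName, Scope
```

The final listing is the check worth keeping: role assignments are additive, so the pipeline-scoped role only limits the user if no assignment at the factory, resource group or subscription level already grants createrun on every pipeline.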

Published by Nandan Hegde

Microsoft Data MVP | Microsoft Data Platform Architect | Blogger | MSFT Community Champion. I am a MSFT Data Platform MVP and Business Intelligence and Data Warehouse professional working within the Microsoft data platform eco-system, which includes Azure Synapse Analytics, Azure Data Factory, Azure SQL Database and Power BI. To help people keep up with this ever-changing landscape, I frequently post on LinkedIn, Twitter and on my blog at https://datasharkx.wordpress.com. LinkedIn Profile: www.linkedin.com/in/nandan-hegde-4a195a66 GitHub Profile: https://github.com/NandanHegde15 Twitter Profile: @nandan_hegde15 MSFT MVP Profile: https://mvp.microsoft.com/en-US/MVP/profile/8977819f-95fb-ed11-8f6d-000d3a560942
