Problem Statement:
A user can be granted access to execute all pipelines within an Azure data factory by adding the user to the Reader role for that ADF and creating a custom role with the definition below:

    Microsoft.DataFactory/factories/pipelines/createrun/action
    Microsoft.DataFactory/factories/cancelpipelinerun/action
    Microsoft.DataFactory/factories/pipelineruns/cancel/action

Is it possible to grant a user access to trigger a specific pipeline in an Azure data factory?
Prerequisites:
- Azure Data Factory
Solution:
1. Add the user to the Reader role in the Azure data factory (ADF) that contains the pipeline for which the user needs execute permission.
2. Go to the Subscription and, under Access Control (IAM), select ‘Add Custom Role’.
3. Select the ‘JSON’ editor and click ‘Edit’.
4. Use the JSON template below to update the custom role and click ‘Save’.

    {
      "properties": {
        "roleName": "OnDemandADFPipeLineExecution",
        "description": "This allows to run a particular DF pipeline",
        "assignableScopes": [
          "/subscriptions/<<SubscriptionID>>/resourceGroups/<<RGName>>/providers/Microsoft.DataFactory/factories/<<ADFName>>/pipelines/<<PipelineName>>"
        ],
        "permissions": [
          {
            "actions": [
              "Microsoft.DataFactory/factories/pipelines/createrun/action"
            ],
            "notActions": [],
            "dataActions": [],
            "notDataActions": []
          }
        ]
      }
    }

5. Click Review+Create, which creates the custom role.
6. To view the details/definition of the custom role that was created with the pipeline scope, use the command below.

    Get-AzRoleDefinition -Name "<<Custom Role Name>>"

Note: This new custom role will not appear in the Custom roles list, because the “assignableScopes” value (the pipeline scope in this use case) is not officially part of it. For the same reason, it will not be visible when you try to use it from the Azure Portal under “Access Control (IAM) -> Role assignments”. The custom role can still be assigned to a user with PowerShell.
7. To assign this custom role (which only allows running a particular ADF pipeline) to a user, use the command below:

    New-AzRoleAssignment -ObjectId "<<ObjectID of the user/DL>>" -RoleDefinitionName "<<Custom Role Name>>" -Scope "/subscriptions/<<Subscription Id>>/resourceGroups/<<Resource Group Name>>/providers/Microsoft.DataFactory/factories/<<Data Factory Name>>/pipelines/<<Pipeline Name>>"

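After the assignment, it is worth confirming that the pipeline-scoped role is the only thing letting the user start runs. The script below is an added example, not part of the original post: it checks a list of role assignments for any that grant the createrun action at a scope wider than the pipeline. The function names, the sample subscription ID, resource names and the simplified role actions are constructed for illustration.

```powershell
# Added example (not from the original post): find role assignments that
# grant pipeline createRun at a scope wider than the intended pipeline.
$CreateRun = 'Microsoft.DataFactory/factories/pipelines/createrun/action'

function Test-GrantsAction {
    # True when $Action matches a pattern in Actions and none in NotActions.
    # Azure role actions use '*' as a wildcard; -like matches it case-insensitively.
    param([string[]]$Actions, [string[]]$NotActions, [string]$Action)
    $allowed  = @($Actions    | Where-Object { $Action -like $_ }).Count -gt 0
    $excluded = @($NotActions | Where-Object { $Action -like $_ }).Count -gt 0
    return ($allowed -and -not $excluded)
}

function Find-BroadCreateRun {
    # Emits every assignment that allows createRun and is not scoped to the pipeline itself.
    param([object[]]$Assignments, [string]$PipelineScope)
    foreach ($a in $Assignments) {
        $grants = Test-GrantsAction -Actions $a.Actions -NotActions $a.NotActions -Action $CreateRun
        if ($grants -and ($a.Scope.TrimEnd('/') -ne $PipelineScope.TrimEnd('/'))) { $a }
    }
}

# Constructed sample data with simplified role actions. With the Az module, build
# the same shape from Get-AzRoleAssignment -ObjectId <id> -Scope $pipeline (the
# assignments effective on that scope), taking Actions/NotActions from
# Get-AzRoleDefinition -Name <RoleDefinitionName>.
$factory  = '/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo' +
            '/providers/Microsoft.DataFactory/factories/adf-demo'
$pipeline = "$factory/pipelines/pl-demo"
$sample = @(
    [pscustomobject]@{ RoleDefinitionName = 'Reader'; Scope = $factory
                       Actions = @('*/read'); NotActions = @() }
    [pscustomobject]@{ RoleDefinitionName = 'OnDemandADFPipeLineExecution'; Scope = $pipeline
                       Actions = @($CreateRun); NotActions = @() }
    [pscustomobject]@{ RoleDefinitionName = 'Data Factory Contributor'; Scope = $factory
                       Actions = @('Microsoft.DataFactory/factories/*'); NotActions = @() }
)

# Any row printed here means the user can run more than the one intended pipeline.
Find-BroadCreateRun -Assignments $sample -PipelineScope $pipeline |
    Select-Object RoleDefinitionName, Scope
```

The check covers only the assignments passed to it, so assignments the user inherits through group membership need to be collected and included separately.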
Everything is very open with a precise explanation of the challenges. It was definitely informative. Your website is very helpful. Many thanks for sharing!
I was able to find good information from your content.