Azure Custom Role Guidance and Azure Data Factory Custom Operator Role

Inderjit Rana
Published in Microsoft Azure
Jun 26, 2020

The Azure platform has rich RBAC (role-based access control) capabilities for fine-grained authorization. Many built-in roles are available, and where they do not meet an organization's needs, custom roles can be created. For Azure Data Factory (ADF), the only built-in role is Data Factory Contributor, which allows users to create and manage data factories as well as any child resources within them. In production environments you will most likely want a more restricted role, where a set of users is only allowed to execute and monitor ADF pipelines but cannot make any changes. Since no such built-in role exists for ADF, I am sharing guidance on creating a custom ADF Operator role, as well as general guidance on custom role creation in a large organization with many Azure subscriptions.

Custom Role Creation Considerations

There are two important pieces of information you need to decide on when creating such a custom role:

  1. The Actions allowed or not allowed for the Role
  2. The Scope at which this role needs to be defined, possible values are Management Group (Preview), Subscription and Resource Group.

Important Considerations for Custom RBAC Roles in a big organization with multiple Azure Subscriptions

A big organization is expected to have quite a few Azure Subscriptions, so the question becomes whether each Subscription should define its own set of Custom Roles or whether Custom Roles should be shared across Subscriptions. In most cases an organization's Azure Subscriptions are created in the same Azure AD Tenant, so the general guidance is to share Custom Roles between Subscriptions rather than creating redundant copies in each one. Note also that the Custom Role limit for an Azure AD Tenant is 5000, so you want to be judicious about Custom Role creation from that perspective as well.

Custom Role Scope at higher level but Assignment to users at a Lower Level

The scope hierarchy for Azure Role Assignment, from higher to lower, is Management Group, Subscription, Resource Group and then Resource. To make a Custom Role available in multiple Subscriptions, the Assignable Scope can be set to a Management Group or to a list of explicit Subscription GUIDs. The Management Group scope is more maintainable than explicitly listing Subscription GUIDs in the role definition, but at the time of writing the Management Group scope for Custom Roles is in Preview (expected to go GA soon). You can read more about Azure Management Groups here — https://docs.microsoft.com/en-us/azure/governance/azure-management

One very important thing to understand is that defining the Role with a higher-level Assignable Scope does not mean that assignment to users has to happen at that scope; it only determines where the role is available for assignment, namely at that level or below. For example, a Custom Role can be defined with the Subscription as its Assignable Scope, and the assignment can then be done at the Resource Group or even at the individual resource level.

Please read the ADF Operator Role section below for an example of how permissions take effect for a Role defined at the Subscription level but assigned at a lower level.

ADF Operator Role

The requirement for the ADF Operator role is to allow the user to read the Data Factory instance (definition, monitoring information, etc.) and run pipelines, but not make any changes.

Step 1: Create a JSON file with the Role Definition using the sample snippet below. You can update the Assignable Scopes as per your need; the list can contain Subscription GUIDs, a Management Group or a Resource Group.

{
  "Name": "ADF Operator",
  "IsCustom": true,
  "Description": "Can start an ADF Pipeline Run",
  "Actions": [
    "Microsoft.DataFactory/factories/pipelines/createrun/action",
    "*/read"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/<subscriptionguid>"]
}

When creating Custom Roles you can find the list of all Azure Resource Provider Operations here — https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations. Two things are worth checking against that list before you ship this definition. First, "*/read" is not limited to Data Factory: it grants the control-plane read operation of every resource provider within the assignment scope. If the operators should only see the factories, narrow it to "Microsoft.DataFactory/*/read" (adding "Microsoft.Resources/subscriptions/resourceGroups/read" if they need to browse to the Resource Group in the Portal). Second, the wildcard only matches operations that end in /read; the run-history queries behind the Data Factory monitoring views are POST actions such as "Microsoft.DataFactory/factories/queryPipelineRuns/action", so confirm that the monitoring operations you need are listed in Actions and test the role with a real operator account before rolling it out.

Step 2: Run the Azure CLI command with the file created in Step 1 as an argument

az role definition create --role-definition <role-definition-json-file-path>

You can also create a Custom Role from the Azure Portal, but depending on the options you select the JSON to be specified might be slightly different — https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles-portal

Once the Custom Role is defined it’s pretty easy to assign the role to users using Portal, Azure Powershell or Azure CLI options — https://docs.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal

Role Assignment and effective permissions

The following shows how the permissions take effect when the ADF Operator Role is assigned at different scopes. Permissions only flow downward from the assignment scope, so an assignment never grants anything above it; the Assignable Scopes in the definition only govern where the assignment may be made.

  • If the Role Assignment is at Subscription level, the user will have read permissions on all resources within the Subscription and permission to run all ADF Pipelines in every Data Factory in the Subscription.
  • If the Role Assignment is at Resource Group level, the user will have read permissions on all resources within that Resource Group and permission to run all ADF Pipelines in that Resource Group (all pipelines of all Data Factory instances in that Resource Group).
  • If the Role Assignment is at the individual Azure Data Factory level, the user will have read permissions on that particular Data Factory instance (and its child resources) and permission to run ADF Pipelines only in that particular Data Factory instance.
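The following script is an added example, not code from the original article: it turns Steps 1 and 2 above and the scope discussion in this section into a repeatable procedure. It generates the ADF Operator role definition with a chosen Assignable Scope, registers it with the Azure CLI, assigns it at a lower scope (a Resource Group) and then lists what the principal effectively holds at a single factory. The subscription ID, resource group, factory name and user principal name are placeholders I assume for illustration, and the "adf" variant that narrows "*/read" to the Data Factory provider is my suggestion rather than the article's definition.

```shell
#!/bin/sh
# Added example (not from the original article). Builds the ADF Operator role
# definition, registers it with the Azure CLI and assigns it below its
# assignable scope. All IDs and names in the apply section are placeholders.
set -eu

# Scope helpers for the three assignment levels discussed in the article.
sub_scope()     { printf '/subscriptions/%s' "$1"; }
rg_scope()      { printf '/subscriptions/%s/resourceGroups/%s' "$1" "$2"; }
factory_scope() { printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.DataFactory/factories/%s' "$1" "$2" "$3"; }

# Role definition JSON. $1 is the assignable scope (a subscription scope, or
# /providers/Microsoft.Management/managementGroups/<name> for a management group).
# $2 selects the read action: "all" reproduces the article's "*/read"; "adf"
# narrows it to the Data Factory provider plus resource-group read so the
# operator can still browse to the factory in the portal (my variant, an assumption).
adf_operator_role_json() {
  scope=$1
  if [ "${2:-all}" = "adf" ]; then
    read_actions='"Microsoft.DataFactory/*/read", "Microsoft.Resources/subscriptions/resourceGroups/read"'
  else
    read_actions='"*/read"'
  fi
  printf '{\n  "Name": "ADF Operator",\n  "IsCustom": true,\n  "Description": "Can read Data Factory resources and start pipeline runs",\n  "Actions": [\n    "Microsoft.DataFactory/factories/pipelines/createrun/action",\n    %s\n  ],\n  "NotActions": [],\n  "AssignableScopes": ["%s"]\n}\n' "$read_actions" "$scope"
}

# Steps 1 and 2: register the definition. --role-definition accepts the JSON
# inline as well as a file path; use "az role definition update" to change it later.
create_adf_operator_role() {
  az role definition create --role-definition "$(adf_operator_role_json "$1" "${2:-all}")"
}

# Assign the role to a principal (UPN, object ID or service principal name)
# at any scope at or below the assignable scope, e.g. a resource group.
assign_adf_operator_role() {
  az role assignment create --role "ADF Operator" --assignee "$1" --scope "$2"
}

# Show what the principal effectively holds at a scope, including assignments
# inherited from parent scopes (subscription, resource group).
show_effective_assignments() {
  az role assignment list --assignee "$1" --scope "$2" --include-inherited \
    --query "[].{role:roleDefinitionName, scope:scope}" -o table
}

# Set ADF_OPERATOR_APPLY=1 to run against a real subscription; by default the
# script only defines the functions above so it can be sourced and inspected.
if [ "${ADF_OPERATOR_APPLY:-0}" = "1" ]; then
  SUB=00000000-0000-0000-0000-000000000000   # placeholder subscription ID
  RG=rg-data-prod                            # placeholder resource group
  FACTORY=adf-prod-01                        # placeholder data factory name
  UPN=operator@example.com                   # placeholder user principal name
  create_adf_operator_role "$(sub_scope "$SUB")" adf
  assign_adf_operator_role "$UPN" "$(rg_scope "$SUB" "$RG")"
  show_effective_assignments "$UPN" "$(factory_scope "$SUB" "$RG" "$FACTORY")"
fi
```

The assignment goes to the Resource Group while the definition's Assignable Scope is the Subscription, which is exactly the "define high, assign low" pattern from the section above; the final listing at factory scope shows the Resource Group assignment arriving by inheritance. Running it requires an authenticated Azure CLI session with permission to create role definitions and assignments (Owner or User Access Administrator at the scopes involved).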
