Microsoft has very good documentation for ADLS Gen2 access control. Even so, there is still confusion about the different layers of permissions and how they work in combination, and this article is an attempt to simplify that.
In general there are three different kinds of permissions for your data inside an ADLS Gen2 Storage Account:
- RBAC (Role-Based Access Control) – Control Plane Permissions
- RBAC (Role-Based Access Control) – Data Plane Permissions
- POSIX-like Access Control Lists
RBAC permissions are assigned at the Azure resource level (management group, subscription, resource group, storage account or container). In this context, the lowest level at which RBAC can be assigned is the Storage Account Container; you cannot target individual directories or files with a role assignment. This applies to both Control Plane and Data Plane RBAC permissions.
RBAC Data Plane Permissions:
RBAC Data Plane permissions are processed first and once a security principal (i.e. user, group, etc.) is assigned such permissions, all the other ACLs are ignored. The disadvatage here is that you will not anymore be able to assign permissions on files and folders level. As mentioned, Storage Account Containers are the lowest-level entity on which you can assign RBAC data permissions. Here is a list of built-in RBAC Data Plane Roles you can assign to your security principals: (To get more information you can refer to this link.)
- Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2.
- Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
- Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
- Storage Queue Data Contributor: Use to grant read/write/delete permissions to Azure queues.
- Storage Queue Data Reader: Use to grant read-only permissions to Azure queues.
- Storage Queue Data Message Processor: Use to grant peek, retrieve, and delete permissions to messages in Azure Storage queues.
- Storage Queue Data Message Sender: Use to grant add permissions to messages in Azure Storage queues.
RBAC Control Plane Permissions:
These are RBAC permissions which do not include any DataActions and therefore give a security principal rights only on the Azure resource itself (viewing or managing the storage account), not on the data inside it. This means that if you give your user the "Reader" role (a Control Plane role) on a Storage Account, the user is still not able to read a single blob. For that he/she additionally needs either ACLs or RBAC Data Plane permissions, with the disadvantage/limit mentioned above. One caveat to keep in mind: control-plane roles that include the Microsoft.Storage/storageAccounts/listKeys/action permission (for example Owner, Contributor or Storage Account Contributor) let the principal retrieve the storage account keys, and with Shared Key authorization those keys bypass both the data-plane roles and the ACLs entirely. If you rely on ACLs for least privilege, either keep such roles away from data consumers or disable Shared Key authorization on the account.
Access Control List:
ACLs are applied at the file and folder (directory) level, including the root of each container. The key thing to remember is that you are always going to need RBAC Control Plane permissions in combination with ACLs: the Reader role lets the principal discover the Storage Account and its containers in tools such as the Azure portal or Storage Explorer, but grants no data access, so the ACLs decide. Best practice is to assign your security principals the RBAC Reader role at the Storage Account/Container level and then apply more restrictive ACLs at the file and folder level. Note that ACLs are evaluated along the whole path: the principal needs Execute (x) on the container root and on every directory above the object in addition to the Read or Write bit on the object itself.
There are two types of ACLs:
- Access ACLs: They control access to an object. An object can be a file or a folder.
- Default ACLs: These can be set on folders only. They do not affect the folder they are set on; instead, when a new child file or folder is created, the parent's Default ACL is copied into the child's Access ACL (and, for a child folder, into its Default ACL as well). This copy happens at creation time only, so changing a Default ACL later does not update children that already exist; for those you have to update the ACLs recursively.
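As an added, offline illustration of the two preceding sections (example code written for this article, not code from the original page and not the Azure SDK), the following Python models the evaluation order: data-plane role assignments at account or container scope are checked first, and only when no role grants the operation are the ACLs walked from the container root down to the object, with Default ACLs copied into new children at creation time. The account name, container names, principal object IDs and group names are all constructed for the example; owning user/group entries, the mask, Shared Key and SAS authorization are deliberately not modelled.

```python
"""Toy model of ADLS Gen2 authorization: RBAC data-plane roles first, then
POSIX-like ACLs. Added example, not Azure SDK code; names are made up."""
from dataclasses import dataclass, field

# DataActions granted by the roles used in the article (simplified: the real
# role definitions list Microsoft.Storage/... actions, not these short names).
ROLE_ACTIONS = {
    "Storage Blob Data Reader": {"read"},
    "Storage Blob Data Contributor": {"read", "write", "delete"},
    "Storage Blob Data Owner": {"read", "write", "delete", "setacl"},
    "Reader": set(),  # control plane only: no DataActions, hence no data access
}


@dataclass
class Principal:
    oid: str
    groups: frozenset = frozenset()


@dataclass
class Node:
    """A file or directory. ACL entries look like {"group:<name>": "r-x"}."""
    name: str
    is_dir: bool
    access: dict = field(default_factory=dict)
    default: dict = field(default_factory=dict)  # directories only
    children: dict = field(default_factory=dict)

    def add_child(self, name, is_dir):
        # The parent's default ACL is copied into the child's access ACL at
        # creation time (and into its default ACL if the child is a directory).
        child = Node(name, is_dir, access=dict(self.default),
                     default=dict(self.default) if is_dir else {})
        self.children[name] = child
        return child


def acl_bits(node, principal):
    """Effective rwx: a named user entry wins, otherwise the union of the
    matching group entries, otherwise the 'other' entry (mask not modelled)."""
    if f"user:{principal.oid}" in node.access:
        return node.access[f"user:{principal.oid}"]
    hits = [node.access[f"group:{g}"] for g in principal.groups
            if f"group:{g}" in node.access]
    if hits:
        return "".join(b if any(h[i] == b for h in hits) else "-"
                       for i, b in enumerate("rwx"))
    return node.access.get("other", "---")


@dataclass
class Lake:
    account: str
    containers: dict = field(default_factory=dict)
    assignments: list = field(default_factory=list)  # (assignee, role, scope)

    def add_container(self, name):
        self.containers[name] = Node(name, True)
        return self.containers[name]

    def assign(self, assignee, role, scope):
        self.assignments.append((assignee, role, scope))

    def rbac_allows(self, principal, action, container):
        # Account scope covers every container; container scope is the lowest
        # level at which a data-plane role can be assigned.
        scopes = {self.account, f"{self.account}/{container}"}
        who = {principal.oid} | set(principal.groups)
        return any(a in who and s in scopes and action in ROLE_ACTIONS[r]
                   for a, r, s in self.assignments)

    def acl_allows(self, principal, action, path):
        container, *parts = path.strip("/").split("/")
        nodes = [self.containers[container]]
        for part in parts:
            nodes.append(nodes[-1].children[part])
        target, ancestors = nodes[-1], nodes[:-1]
        # Traversal: every directory from the container root down needs x.
        if not all("x" in acl_bits(d, principal) for d in ancestors):
            return False
        if action == "read":
            return "r" in acl_bits(target, principal)
        if action == "write":
            return "w" in acl_bits(target, principal)
        if action == "delete":  # delete needs w (x checked above) on the parent
            return bool(ancestors) and "w" in acl_bits(ancestors[-1], principal)
        return False  # setacl via ownership is not modelled here

    def authorize(self, principal, action, path):
        """Returns (allowed, how). ACLs are consulted only if no role grants."""
        if self.rbac_allows(principal, action, path.strip("/").split("/")[0]):
            return True, "rbac"
        if self.acl_allows(principal, action, path):
            return True, "acl"
        return False, "none"


def demo():
    """Constructed scenario (no real tenant); returns the outcome of each check."""
    lake = Lake("contosolake")
    raw = lake.add_container("raw")
    raw.access = {"group:analysts": "r-x", "other": "---"}
    raw.default = {"group:analysts": "r-x", "other": "---"}
    sales = raw.add_child("sales", True)          # inherits raw's default ACL
    sales.add_child("q1.csv", False)              # inherits sales' default ACL
    hr = raw.add_child("hr", True)
    hr.access = {"group:hr-team": "rwx", "other": "---"}  # tightened after creation
    hr.default = dict(hr.access)
    hr.add_child("salaries.csv", False)
    lake.assign("bob", "Reader", "contosolake")   # control plane only
    lake.assign("dana", "Storage Blob Data Contributor", "contosolake/raw")
    alice = Principal("alice", frozenset({"analysts"}))
    bob, dana = Principal("bob"), Principal("dana")
    out = {
        "alice_read_sales": lake.authorize(alice, "read", "raw/sales/q1.csv"),
        "alice_write_sales": lake.authorize(alice, "write", "raw/sales/q1.csv"),
        "alice_read_hr": lake.authorize(alice, "read", "raw/hr/salaries.csv"),
        "bob_read_sales": lake.authorize(bob, "read", "raw/sales/q1.csv"),
        "dana_delete_hr": lake.authorize(dana, "delete", "raw/hr/salaries.csv"),
    }
    # Default ACLs are copied only at creation: changing raw's default later
    # reaches new children, never existing ones.
    raw.default["group:auditors"] = "r-x"
    out["new_dir_sees_auditors"] = "group:auditors" in raw.add_child("audit", True).access
    out["old_dir_sees_auditors"] = "group:auditors" in sales.access
    return out


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Running `demo()` shows the points made above: alice gets to `raw/sales/q1.csv` purely through ACLs (and traversal on every directory), is denied on `raw/hr/` because the hr folder's ACL was tightened after it inherited the container's default, bob's Reader role gives him nothing at the data level, and dana's container-scoped Storage Blob Data Contributor role lets her delete `salaries.csv` without the ACLs ever being consulted. The last two results show that a Default ACL change only affects children created afterwards.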
For more information, please read this article here.