If you've landed on this blog, you're probably seeing this error:
That is, the error which states "You need permission to access workspace XYZ. Contact the workspace owner or administrators for access."
What is this error? Your first thought will probably be "It must be to do with permissions". Well, probably. Let's recap one what the permission model is for Azure Synapse Analytics.
As per this article on setting up access control in Synapse Studio, there are four different roles/permissions that must be applied to certain resources/object for things to work smoothly. They are (to quote the docs):
- Azure roles (such as the built-in ones like Owner, Contributor, etc.)
- Synapse roles – these roles are unique to Synapse and aren't based on Azure roles. There are three of these roles:
- Synapse workspace admin
- Synapse SQL admin
- Apache Spark for Azure Synapse Analytics admin
- Access control for data in Azure Data Lake Storage Gen 2 (ADLS Gen2).
- Access control for Synapse SQL and Spark databases
If you're getting the error shown above, you're most likely missing a "Synapse role" - that is, either the Workspace Admin role, the SQL Admin role, or the Spark Admin role. Those are the only three roles for Synapse Studio (currently), and being assigned to one of those roles will give you access. Maybe there'll be more granular roles to come in the future - who knows.
There's actually an existing issue which seems to address the same "You need permission to access this workspace" error. The resolution in that case was to alter the firewall rules and ensure you give the Managed Identity of the Synapse workspace access to the Data Lake Store. Read the above post for more details on that.
What if you've checked and both those things are correctly configured? What if you're also assigned a role yourself on the ADLS Gen2 account/container, and you have contributor/owner access to the Synapse resource, but you still can't access Synapse Studio? What other permissions must you need? Well, as mentioned above, you're probably missing a role in Synapse Studio.
The easiest fix here is to contact an existing Workspace Admin (probably the person who created the resource in the first place) and ask them to add you to one of the aforementioned roles (see this link describing the associated permissions with each Synapse Studio role for exactly which role fits your needs).
However, should the current Workspace Admin not be available - what can you do? Well, if you're an owner or a contributor on the Azure Synapse Analytics resource (which you can easily check through the portal), then you can actually use the Azure CLI to assign yourself to one of the Synapse Studio roles.
This is something I've written about in my blog How to use the Azure CLI to manage access to Synapse Studio, so I'll defer any further detail to that blog.
Hope this has helped!
Want to get started with Synapse but not sure where to start?
If you'd like to know more about Azure Synapse, we offer a free 1 hour, 1-2-1 Azure Data Strategy Briefing aimed at CxO's. Please book a call and then we'll confirm the time and send you a meeting invite.
We also have created number of talks about Azure Synapse:
- Serverless data prep using SQL on demand and Synapse Pipelines
- Azure Synapse - On-Demand Serverless Compute and Querying
- Detecting Anomalies in IoT Telemetry with Azure Synapse Analytics
- Custom C# Spark Jobs in Azure Synapse
- Custom Scala Spark Jobs in Azure Synapse
Finally, if you are interested in more content about Azure Synapse, we have a dedicated editions page which collates all our blog posts.