Retrieve Azure Synapse role-based access control (RBAC) Information using PowerShell

Role

Permissions

Scopes

Synapse Administrator

Full Synapse access to SQL pools, Data Explorer pools, Apache Spark pools, and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts. Includes Compute Operator, Linked Data Manager, and Credential User permissions on the workspace system identity credential. Includes assigning Synapse RBAC roles. In addition to Synapse Administrator, Azure Owners can also assign Synapse RBAC roles. Azure permissions are required to create, delete, and manage compute resources.

Can read and write artifacts

Can do all actions on Spark activities.

Can view Spark pool logs

Can view saved notebook and pipeline output

Can use the secrets stored by linked services or credentials

Can assign and revoke Synapse RBAC roles at current scope

Workspace

Spark pool

Integration runtime

Linked service

Credential

Synapse Apache Spark Administrator

Full Synapse access to Apache Spark Pools. Create, read, update, and delete access to published Spark job definitions, notebooks and their outputs, and to libraries, linked services, and credentials.  Includes read access to all other published code artifacts. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.

Can do all actions on Spark artifacts

Can do all actions on Spark activities

Workspace

Spark pool

Synapse SQL Administrator

Full Synapse access to serverless SQL pools. Create, read, update, and delete access to published SQL scripts, credentials, and linked services.  Includes read access to all other published code artifacts.  Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.

Can do all actions on SQL scripts

Can connect to SQL serverless endpoints with SQL db_datareader, db_datawriter, connect, and grant permissions

Workspace

Synapse Contributor

Full Synapse access to Apache Spark pools and Integration runtimes. Includes create, read, update, and delete access to all published code artifacts and their outputs, including credentials and linked services.  Includes compute operator permissions. Doesn't include permission to use credentials and run pipelines. Doesn't include granting access.

Can read and write artifacts

Can view saved notebook and pipeline output

Can do all actions on Spark activities

Can view Spark pool logs

Workspace

Spark pool

Integration runtime

Synapse Artifact Publisher

Create, read, update, and delete access to published code artifacts and their outputs. Doesn't include permission to run code or pipelines, or to grant access.

Can read published artifacts and publish artifacts

Can view saved notebook, Spark job, and pipeline output

Workspace

Synapse Artifact User

Read access to published code artifacts and their outputs. Can create new artifacts but can't publish changes or run code without additional permissions.

Workspace

Synapse Compute Operator

Submit Spark jobs and notebooks and view logs.  Includes canceling Spark jobs submitted by any user. Requires additional use credential permissions on the workspace system identity to run pipelines, view pipeline runs and outputs.

Can submit and cancel jobs, including jobs submitted by others

Can view Spark pool logs

Workspace

Spark pool

Integration runtime

Synapse Monitoring Operator

Read published code artifacts, including logs and outputs for notebooks and pipeline runs. Includes ability to list and view details of serverless SQL pools, Apache Spark pools, Data Explorer pools, and Integration runtimes. Requires additional permissions to run/cancel pipelines, Spark notebooks, and Spark jobs.

Workspace

Synapse Credential User

Runtime and configuration-time use of secrets within credentials and linked services in activities like pipeline runs. To run pipelines, this role is required, scoped to the workspace system identity.

Scoped to a credential, permits access to data via a linked service that is protected by the credential (also requires compute use permission)

Allows execution of pipelines protected by the workspace system identity credential(with additional compute use permission)

Workspace

Linked Service

Credential

Synapse Linked Data Manager

Creation and management of managed private endpoints, linked services, and credentials. Can create managed private endpoints that use linked services protected by credentials

Workspace

Synapse User

List and view details of SQL pools, Apache Spark pools, Integration runtimes, and published linked services and credentials. Doesn't include other published code artifacts.  Can create new artifacts but can't run or publish without additional permissions.

Can list and read Spark pools, Integration runtimes.

Workspace, Spark pool

Linked service

Credential