sdk/synapse/Azure.Analytics.Synapse.AccessControl/README.md
This directory contains the open source subset of the .NET SDK. For documentation of the complete Azure SDK, please see the Microsoft Azure .NET Developer Center.
The Azure Synapse Analytics access control client library enables programmatically managing role assignments.
Azure Synapse is a limitless analytics service that brings together enterprise data warehousing and Big Data analytics. It gives you the freedom to query data on your terms, using either serverless on-demand or provisioned resources—at scale. Azure Synapse brings these two worlds together with a unified experience to ingest, prepare, manage, and serve data for immediate BI and machine learning needs.
The complete Microsoft Azure SDK can be downloaded from the Microsoft Azure Downloads Page and ships with support for building deployment packages, integrating with tooling, rich command line tooling, and more.
For the best development experience, developers should use the official Microsoft NuGet packages for libraries. NuGet packages are regularly updated with new functionality and hotfixes.
Install the Azure Synapse Analytics access control client library for .NET with NuGet:
dotnet add package Azure.Analytics.Synapse.AccessControl --prerelease
If you use the Azure CLI, the command looks like below:
az synapse workspace create \
--name <your-workspace-name> \
--resource-group <your-resource-group-name> \
--storage-account <your-storage-account-name> \
--file-system <your-storage-file-system-name> \
--sql-admin-login-user <your-sql-admin-user-name> \
--sql-admin-login-password <your-sql-admin-user-password> \
--location <your-workspace-location>
In order to interact with the Azure Synapse Analytics service, you'll need to create an instance of a RoleAssignmentsClient and/or a RoleDefinitionsClient class.
You will also need a workspace endpoint, which you may see as "Development endpoint" in the portal, and client secret credentials (client id, client secret, tenant id) to instantiate a client object.
Client secret credential authentication is being used in this getting started section but you can find more ways to authenticate with Azure identity. To use the DefaultAzureCredential provider shown below, or other credential providers provided with the Azure SDK, you should install the Azure.Identity package:
dotnet add package Azure.Identity
With a RoleAssignmentsClient you can create, update, and delete role assignments. With a RoleDefinitionsClient you can get role assignments from the workspace.
The way you control access to Synapse resources is to create role assignments. A role assignment is the process of attaching a role definition to a user, group, service principal, or managed identity at a particular scope for the purpose of granting access. Access is granted by creating a role assignment, and access is revoked by removing a role assignment.
We guarantee that all client instance methods are thread-safe and independent of each other (guideline). This ensures that the recommendation of reusing client instances is always safe, even across threads.
Client options | Accessing the response | Long-running operations | Handling failures | Diagnostics | Mocking | Client lifetime
<!-- CLIENT COMMON BAR -->The Azure.Analytics.Synapse.AccessControl package supports synchronous and asynchronous APIs. The following section covers some of the most common Azure Synapse Analytics access control related tasks:
To interact with Azure Synapse, you need to instantiate a RoleAssignmentsClient and a RoleDefinitionsClient. It requires an endpoint URL and a TokenCredential.
// Replace the string below with your actual endpoint url.
string endpoint = "<my-endpoint-url>";
RoleAssignmentsClient roleAssignmentsClient = new RoleAssignmentsClient(new Uri(endpoint), new DefaultAzureCredential());
RoleDefinitionsClient definitionsClient = new RoleDefinitionsClient(new Uri(endpoint), new DefaultAzureCredential());
First, you need to the determine the ID of the role you wish to assign, along with the ID of the principal you wish to assign that role.
Response roleDefinitionsResponse = definitionsClient.GetRoleDefinitions(true, null, new());
BinaryData roleDefinitionsContent = roleDefinitionsResponse.Content;
using JsonDocument roleDefinitionsJson = JsonDocument.Parse(roleDefinitionsContent.ToMemory());
JsonElement adminRoleJson = roleDefinitionsJson.RootElement.EnumerateArray().
Single(role => role.GetProperty("name").ToString() == "Synapse Administrator");
Guid adminRoleId = new Guid(adminRoleJson.GetProperty("id").ToString());
string assignedScope = "workspaces/<my-workspace-name>";
// Replace the string below with the ID you'd like to assign the role.
Guid principalId = /*<my-principal-id>"*/ Guid.NewGuid();
// Replace the string below with the ID of the assignment you'd like to use.
string assignmentId = "<my-assignment-id>";
Then call CreateRoleAssignment with the options to create the role assignment.
var roleAssignmentDetails = new
{
roleId = adminRoleId,
principalId = Guid.NewGuid(),
scope = assignedScope
};
Response addedRoleAssignmentResponse = roleAssignmentsClient.CreateRoleAssignment(assignmentId, RequestContent.Create(roleAssignmentDetails), ContentType.ApplicationJson);
BinaryData addedRoleAssignmentContent = addedRoleAssignmentResponse.Content;
using JsonDocument addedRoleAssignmentJson = JsonDocument.Parse(addedRoleAssignmentContent.ToMemory());
string addedRoleAssignmentId = addedRoleAssignmentJson.RootElement.GetProperty("id").ToString();
You can retrieve the details of a role assignment by calling GetRoleAssignmentById, passing in the assignment ID.
Response roleAssignmentResponse = roleAssignmentsClient.GetRoleAssignmentById(addedRoleAssignmentId, new());
BinaryData roleAssignmentContent = roleAssignmentResponse.Content;
using JsonDocument roleAssignmentJson = JsonDocument.Parse(roleAssignmentContent.ToMemory());
string roleAssignmentRoleDefinitionId = roleAssignmentJson.RootElement.GetProperty("roleDefinitionId").ToString();
string roleAssignmentPrincipalId = roleAssignmentJson.RootElement.GetProperty("principalId").ToString();
Console.WriteLine($"Role {roleAssignmentRoleDefinitionId} is assigned to {roleAssignmentPrincipalId}.");
To enumerate all role assignments in the Synapse workspace you can call ListRoleAssignments.
Response roleAssignmentsResponse = roleAssignmentsClient.GetRoleAssignments(null, null, null, null, new());
BinaryData roleAssignmentsContent = roleAssignmentsResponse.Content;
using JsonDocument roleAssignmentsJson = JsonDocument.Parse(roleAssignmentsContent.ToMemory());
foreach (JsonElement assignmentJson in roleAssignmentsJson.RootElement.GetProperty("value").EnumerateArray())
{
Console.WriteLine(assignmentJson.GetProperty("id").ToString());
}
To delete a role assignment no longer needed you can call DeleteRoleAssignmentById, passing in the assignment ID.
roleAssignmentsClient.DeleteRoleAssignmentById(addedRoleAssignmentId);
For information on building the Azure Synapse client library, please see Building the Microsoft Azure SDK for .NET
For information about the target frameworks of the Azure Synapse client library, please refer to the Target Frameworks of the Microsoft Azure SDK for .NET.
Please open issue in github.
The next step is adding more examples
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.