AZ-500: How Does Azure Data Lake Use Azure AD Identities in Data ACLs?

Can You Grant Fine-Grained Permissions in Data Lake Using Azure AD Users and Groups?

Master Azure Data Lake security for AZ-500 exam. Learn how Azure Data Lake Gen2 uses Azure AD identities (users, groups, service principals) in Access Control Lists (ACLs) to provide POSIX-like, fine-grained permissions on individual files and folders.

Question

Azure Data Lake supports Azure AD identities in data ACLs.

A. FALSE
B. TRUE

Answer

B. TRUE

Explanation

Azure Data Lake does support Azure AD identities in data ACLs.

The correct answer is B. TRUE. A foundational security feature of Azure Data Lake Storage (ADLS) Gen2 is its support for using Azure Active Directory (Azure AD) identities directly within Access Control Lists (ACLs) to manage permissions at the file and folder level.

Fine-Grained Access Control with ACLs

Azure Data Lake Storage Gen2 is built on Azure Blob Storage but adds a hierarchical namespace, which allows it to function like a traditional file system. This structure enables the use of POSIX-like ACLs for highly granular access control, which is essential for big data and analytics workloads.

How ADLS Gen2 Combines RBAC and ACLs

Access control in ADLS Gen2 is evaluated in a specific order, combining two different mechanisms:

  • Azure RBAC (Role-Based Access Control): This is the first layer of authorization. Built-in data-plane roles such as Storage Blob Data Owner, Storage Blob Data Contributor and Storage Blob Data Reader are assigned at the storage account or container level. These roles grant broad permissions. A user must first have an appropriate RBAC role to even attempt to access the data.
  • Access Control Lists (ACLs): This is the second layer. ACLs provide fine-grained permissions on specific directories and files. If a user passes the RBAC check, their permissions are then further evaluated by the ACLs on the specific file or folder they are trying to access.

Using Azure AD Identities in ACLs

The power of this model is that you can assign ACL permissions directly to Azure AD security principals:

  • Users: Grant a specific data scientist read/write access to a project folder.
  • Groups: Grant an entire analytics team’s Azure AD group read-only access to a curated dataset. This is a best practice for manageability.
  • Service Principals & Managed Identities: Allow an Azure Synapse Analytics workspace or Azure Databricks cluster to read and write data in specific directories using its managed identity.

Each ACL entry specifies a security principal, the permissions granted (Read, Write, Execute), and the type of entry (Access or Default). This dual-layer model allows administrators to grant broad access at the container level using RBAC while giving data owners precise, POSIX-style control over their specific files and folders using ACLs based on Azure AD identities.
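To make the ACL layer concrete, the following Python model is an added illustration (not Microsoft code and not the ADLS Gen2 API) of how the POSIX-like entries described above resolve for an Azure AD principal. It parses the ACL string format the service exposes (`[default:]type:id:perms`, comma separated), applies the POSIX resolution order (owning user, named user, owning and named groups clamped by the mask, then other), enforces the rule that a principal needs execute on every ancestor directory to reach a file, and derives a new child's access entries from a parent's default entries. The RBAC layer is not modelled, the service's umask handling on new children is simplified away, and every object ID and path in the sample tree is constructed.

```python
"""Toy evaluator for the POSIX-like ACL model ADLS Gen2 applies to files and
directories. Added illustration, not Microsoft code: it parses the ACL string
format the service uses ("[default:]type:id:perms", comma separated) and applies
the POSIX resolution order (owning user, named user, owning/named groups clamped
by the mask, other) plus the directory-traversal rule. All object IDs below are
constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class Principal:
    oid: str                                   # Azure AD object ID of a user, service principal or managed identity
    groups: set = field(default_factory=set)   # object IDs of Azure AD groups the principal belongs to


@dataclass
class Entry:
    default: bool   # True for a "default:" entry (inherited by new children), False for an access entry
    kind: str       # "user" | "group" | "other" | "mask"
    oid: str        # "" for the owning user, owning group, other and mask entries
    perms: str      # three characters from "rwx", "-" where a permission is not granted


def parse_acl(acl):
    """Parse an ADLS Gen2 style ACL string into Entry objects; reject malformed items."""
    entries = []
    for item in acl.split(","):
        parts = item.strip().split(":")
        default = parts[0] == "default"
        if default:
            parts = parts[1:]
        if (len(parts) != 3 or parts[0] not in ("user", "group", "other", "mask")
                or len(parts[2]) != 3 or any(c not in "rwx-" for c in parts[2])):
            raise ValueError(f"malformed ACL entry: {item!r}")
        entries.append(Entry(default, parts[0], parts[1], parts[2]))
    return entries


def effective_perms(owner_oid, group_oid, acl, principal):
    """Permissions the access ACL grants to `principal` on one file or directory."""
    access = [e for e in parse_acl(acl) if not e.default]
    mask = next((e.perms for e in access if e.kind == "mask"), "rwx")
    clamp = lambda perms: "".join(c if c in mask else "-" for c in perms)

    if principal.oid == owner_oid:                      # 1. owning user (not subject to the mask)
        return next((e.perms for e in access if e.kind == "user" and e.oid == ""), "---")
    for e in access:                                    # 2. named user entry
        if e.kind == "user" and e.oid == principal.oid:
            return clamp(e.perms)
    matched = [e.perms for e in access if e.kind == "group" and   # 3. owning group and named groups
               ((e.oid == "" and group_oid in principal.groups) or (e.oid and e.oid in principal.groups))]
    if matched:
        union = "".join(f if any(f in m for m in matched) else "-" for f in "rwx")
        return clamp(union)
    return next((e.perms for e in access if e.kind == "other"), "---")   # 4. everyone else


def can_access(fs, principal, path, want):
    """fs maps a path to (owner_oid, owning_group_oid, acl_string). A principal needs
    'x' on every ancestor directory to reach the target, then `want` on the target itself."""
    parts = [s for s in path.split("/") if s]
    ancestors = (["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]) if parts else []
    for directory in ancestors:
        if "x" not in effective_perms(*fs[directory], principal):
            return False
    return want in effective_perms(*fs[path], principal)


def child_acl_from_parent(parent_acl, is_directory):
    """Derive a new child's ACL from the parent's default entries: they become the child's
    access entries, and a new directory also keeps them as its own default entries.
    (Simplification: the service's umask handling on the owner/group/other bits is not modelled.)"""
    defaults = [e for e in parse_acl(parent_acl) if e.default]
    items = [f"{e.kind}:{e.oid}:{e.perms}" for e in defaults]
    if is_directory:
        items += [f"default:{e.kind}:{e.oid}:{e.perms}" for e in defaults]
    return ",".join(items)


# Constructed sample identities (placeholder object IDs, not from any real tenant)
OWNER = "11111111-1111-1111-1111-111111111111"    # data owner (user)
ADMINS = "22222222-2222-2222-2222-222222222222"   # owning group of the tree
TEAM = "33333333-3333-3333-3333-333333333333"     # analytics team (Azure AD group)
SYNAPSE = "44444444-4444-4444-4444-444444444444"  # Synapse workspace managed identity

FS = {  # constructed sample tree: path -> (owner, owning group, ACL string)
    "/": (OWNER, ADMINS, "user::rwx,group::r-x,other::--x"),
    "/curated": (OWNER, ADMINS,
                 f"user::rwx,group::r-x,other::---,group:{TEAM}:r-x,user:{SYNAPSE}:rwx,mask::rwx,"
                 f"default:user::rwx,default:group::r-x,default:other::---,"
                 f"default:group:{TEAM}:r-x,default:user:{SYNAPSE}:rwx"),
    "/curated/sales.parquet": (OWNER, ADMINS,
                               f"user::rw-,group::r--,other::---,group:{TEAM}:r--,user:{SYNAPSE}:rw-"),
}
ANALYST = Principal("55555555-5555-5555-5555-555555555555", groups={TEAM})
SYNAPSE_MI = Principal(SYNAPSE)
OUTSIDER = Principal("66666666-6666-6666-6666-666666666666")

if __name__ == "__main__":
    for who, p in (("analyst", ANALYST), ("synapse", SYNAPSE_MI), ("outsider", OUTSIDER)):
        print(who, "read:", can_access(FS, p, "/curated/sales.parquet", "r"),
              "write:", can_access(FS, p, "/curated/sales.parquet", "w"))
    print("new file under /curated:", child_acl_from_parent(FS["/curated"][2], is_directory=False))
```

Running the script shows the team member reading but not writing the file via the group entry, the Synapse managed identity reading and writing via its named-user entry, and the outsider blocked at `/curated` because the `other` entry there lacks execute, before the file's own ACL is ever consulted. The `child_acl_from_parent` call illustrates why the Default entries on `/curated` matter: without them, a newly written file would not carry the team's group entry.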