0 votes

I'm trying to configure an ADF self-hosted integration runtime to be shared with another ADF in the same RG. I'm getting the following error:

(I removed the id specifics)

Error occurred when grant permission to [Object-ID]. Error: {"error":{"code":"AuthorizationFailed","message":"The client [My-Username] with object id [object-id] does not have authorization to perform action 'Microsoft.Authorization/roleAssignments/write' over scope '/subscriptions/[object-id]/resourcegroups/DataEngineering-RG/providers/Microsoft.DataFactory/factories/[Data Factory Name]/integrationRuntimes/[IR-Name]/providers/Microsoft.Authorization/roleAssignments/[Role Object ID]' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

Question: what role is required for me to be able to perform this action, and at what level does that access need to be granted (e.g. subscription level, RG level, ADF level)?

Note: I have Azure Data Factory Contributor level access currently.

Thanks in advance

1 Answer

2 votes

what role is required for me to be able to perform this action

You need the Owner or User Access Administrator role (maybe other roles; just check this doc and see the JSON file of each role: if the actions include Microsoft.Authorization/roleAssignments/write, it will be able to do the operation). You can also create a custom role which has Microsoft.Authorization/roleAssignments/write in its actions; it depends on your requirements.

and at what level does that access need to be granted (eg. Subscription Level, RG level, ADF Level)?

The three levels are all correct. The RBAC role in Azure is inherited, e.g. if you assign the Owner role to your user account at the subscription, the account will also have the Owner role in all the resource groups/resources of the subscription. But if you just assign the user account at the ADF level, it will not be able to access other resources in the subscription.

So to fix the issue, just navigate to the ADF mentioned in the error message (or its RG/subscription) in the portal -> Access control (IAM) -> Add -> add your user account with, e.g., the Owner role, then it will work fine.
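The two checks the answer describes, whether a role's actions include Microsoft.Authorization/roleAssignments/write and whether an assignment's scope is inherited down to the integration runtime, can be reproduced offline. The script below is an added example and is not code from the question or the answer; the role definitions are constructed samples shaped like Azure role definition JSON (not the real built-in roles), the principal names and the bracketed subscription/factory ids are placeholders, and the matching rules (case-insensitive `*` wildcard in Actions, NotActions subtracted, parent scope inherited by child scopes) follow how Azure RBAC evaluates an assignment. It also shows the least-privilege alternative the answer mentions: a custom role granting only the roleAssignments permission, assigned at the RG rather than Owner at the subscription.

```python
"""Evaluate whether Azure RBAC role assignments grant an action at a scope.

Constructed example: role definitions, assignments, principals and the
bracketed ids below are sample data, not real Azure built-in roles.
"""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ACTION = "Microsoft.Authorization/roleAssignments/write"

# Scope from the error message in the question, with ids as placeholders.
SUB = "/subscriptions/[sub-id]"
RG = SUB + "/resourceGroups/DataEngineering-RG"
IR_SCOPE = (RG + "/providers/Microsoft.DataFactory/factories/[factory-name]"
               "/integrationRuntimes/[ir-name]")


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


@dataclass
class RoleAssignment:
    principal: str
    role: str
    scope: str


# Constructed role definitions (shape only; not the real built-in roles).
ROLES = {
    "Owner": RoleDefinition("Owner", ["*"]),
    # Modelled on a data-plane contributor: read-only on Microsoft.Authorization.
    "DataFactoryContributorLike": RoleDefinition(
        "DataFactoryContributorLike",
        ["Microsoft.Authorization/*/read", "Microsoft.DataFactory/*",
         "Microsoft.Resources/deployments/*"]),
    # Contributor-style role: everything except granting access.
    "ContributorLike": RoleDefinition(
        "ContributorLike", ["*"],
        not_actions=["Microsoft.Authorization/*/Write",
                     "Microsoft.Authorization/*/Delete"]),
    # Least-privilege custom role: only manages role assignments.
    "CustomRoleAssigner": RoleDefinition(
        "CustomRoleAssigner", ["Microsoft.Authorization/roleAssignments/*"]),
}


def action_matches(pattern: str, action: str) -> bool:
    """Azure wildcard semantics: '*' matches any run of characters, case-insensitively."""
    return fnmatchcase(action.lower(), pattern.lower())


def role_grants(role: RoleDefinition, action: str) -> bool:
    """Granted when some Actions entry matches and no NotActions entry matches."""
    allowed = any(action_matches(p, action) for p in role.actions)
    denied = any(action_matches(p, action) for p in role.not_actions)
    return allowed and not denied


def scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment at a parent scope is inherited by every child scope below it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def roles_with_action(action: str) -> list:
    """Names of role definitions whose effective actions include `action`."""
    return sorted(n for n, r in ROLES.items() if role_grants(r, action))


def effective_roles(assignments, principal: str, action: str, resource_scope: str) -> list:
    """Assigned roles that give `principal` the `action` at `resource_scope`."""
    return sorted(
        a.role for a in assignments
        if a.principal == principal
        and scope_covers(a.scope, resource_scope)
        and role_grants(ROLES[a.role], action))


# Constructed assignments mirroring the situations discussed in the thread.
ASSIGNMENTS = [
    RoleAssignment("user@example.com", "DataFactoryContributorLike", RG),   # current access
    RoleAssignment("user@example.com", "CustomRoleAssigner", RG),           # least-privilege fix
    RoleAssignment("admin@example.com", "Owner", SUB),                      # inherited to the IR
    RoleAssignment("other@example.com", "Owner", SUB + "/resourceGroups/Other-RG"),  # wrong scope
]

if __name__ == "__main__":
    print("roles granting", ACTION, "->", roles_with_action(ACTION))
    for who in ("user@example.com", "admin@example.com", "other@example.com"):
        print(who, "->", effective_roles(ASSIGNMENTS, who, ACTION, IR_SCOPE))
```

Running it shows that the Data-Factory-style role grants only the `/read` side of Microsoft.Authorization, which is exactly the AuthorizationFailed in the question; the custom role at RG scope or Owner at subscription scope both reach the integration runtime by inheritance, while an Owner assignment on a different RG does not.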