0
votes

What are the Least Privilege permissions that are needed to run a debug session? We have removed Data Factory Contributor because we want to disallow publishing to the dev instance by all developers, as is mentioned in the Best Practices.

Only a select set of people should be allowed to publish to the factory. To do so, they must have the Data Factory contributor role on the resource group the factory is in.

However, this page does not say what permissions are required to run Debug and we are getting the following error when trying to Debug a pipeline: [screenshot of the error]

Related Documentation Issue: https://github.com/MicrosoftDocs/azure-docs/issues/58517

1
what's the current role of your account? - Leon Yue
That is a moot point. I can run Debug. I'm looking for Least Privilege Access config for developers on my team. - successhawk

1 Answer

0
votes

To create and manage child resources for Data Factory - including datasets, linked services, pipelines, triggers, and integration runtimes - the following requirements are applicable:

  • To create and manage child resources in the Azure portal, you must belong to the Data Factory Contributor role at the resource group level or above.
  • To create and manage child resources with PowerShell or the SDK, the contributor role at the resource level or above is sufficient.

Debug actually runs the pipeline, which also means managing the pipeline runs. As I understand it, we need the Data Factory Contributor or Contributor permission.

Ref: Roles and requirements

As the Best Practices document said:

  • "Only a select set of people should be allowed to publish to the factory. To do so, they must have the Data Factory contributor role on the resource group the factory is in."

If you want to control the Data Factory permissions of the developers, you could follow the steps below:

  1. Create an AAD user group, and add the selected developers to the group.

  2. Add the Data Factory Contributor or Contributor role to the group. Then all the users in the group will have the permission.


Ref: Create a basic group and add members using Azure Active Directory

Hope this helps.
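
The two steps in the answer above, scripted with Az PowerShell as an added example (not part of the original answer). The resource group, group name and user names are placeholders, and the closing audit of direct user assignments goes beyond the steps the answer describes.

```powershell
# Assumes the Az.Resources module and an authenticated session (Connect-AzAccount).
# All names below are placeholders, not values from the original post.
$ResourceGroup = 'rg-adf-dev'            # resource group that holds the factory
$GroupName     = 'adf-dev-publishers'    # AAD group for the selected developers
$Developers    = @('dev1@contoso.example', 'dev2@contoso.example')
$Role          = 'Data Factory Contributor'

# Step 1: create the group if it does not exist, then add the selected developers.
$group = Get-AzADGroup -DisplayName $GroupName
if (-not $group) {
    $group = New-AzADGroup -DisplayName $GroupName -MailNickname $GroupName
}
$memberIds = @(Get-AzADGroupMember -GroupObjectId $group.Id | ForEach-Object Id)
foreach ($upn in $Developers) {
    $user = Get-AzADUser -UserPrincipalName $upn
    if (-not $user) { Write-Warning "No such user: $upn"; continue }
    if ($memberIds -notcontains $user.Id) {
        Add-AzADGroupMember -TargetGroupObjectId $group.Id -MemberObjectId $user.Id
    }
}

# Step 2: assign the role to the group, scoped to the resource group only.
$existing = Get-AzRoleAssignment -ObjectId $group.Id `
    -ResourceGroupName $ResourceGroup -RoleDefinitionName $Role
if (-not $existing) {
    New-AzRoleAssignment -ObjectId $group.Id `
        -ResourceGroupName $ResourceGroup -RoleDefinitionName $Role | Out-Null
}

# Audit: list users who hold a publishing-capable role directly (not through
# a group) on this resource group, including assignments inherited from above.
$publishRoles = 'Data Factory Contributor', 'Contributor', 'Owner'
Get-AzRoleAssignment -ResourceGroupName $ResourceGroup |
    Where-Object { $_.ObjectType -eq 'User' -and $_.RoleDefinitionName -in $publishRoles } |
    Select-Object SignInName, RoleDefinitionName, Scope
```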