Make a custom role for users to Create an Azure Data Factory


Update – a fix is coming soon so that you do not need to use this workaround. Hope we can get Data Factory Contributors to be the minimum permissions to create a Data Factory from the Azure portal.


Azure built-in RBAC roles are still fairly new and do not cover every case yet, so I needed to define a custom role of our own that lets users create data factories without being co-administrators of the subscription.

The Problem

The built-in role Data Factory Contributor does not include the rights a user needs to create a new Data Factory. Role members can manage existing data factories, but the action required to create one is not part of the role. See also: Data Factory Contributor https://azure.microsoft.com/en-us/documentation/articles/role-based-access-built-in-roles/

I didn't want to make everyone a co-admin on the subscription just so they could create new data factories, so we opted for a custom role to achieve the goal. The description of the built-in role does not say that members can create data factories, and testing confirmed that they cannot.

When I try to use a non-admin account to create a Data Factory in the Azure portal at https://portal.azure.com, I get this error:

"You don't have the required permissions (Microsoft.DataFactory/register/action) to create resources under the selected subscription."

The Workaround Solution

Instead of giving my users co-admin rights on the subscription, I prefer an approach with a smaller footprint.

The Azure portal website does not yet let you create custom roles (probably coming one day soon in the website), so instead we will use PowerShell to do so.

1. Install PowerShell for Azure

Install the Azure SDK for PowerShell and run PowerShell ISE from the Start menu. https://azure.microsoft.com/en-us/downloads/


Note, in Windows versions before Windows 10, you may need to Run as Administrator on this icon to get the Azure scripts to work.

2. Code my custom role

Using the code below, I created a custom role named Data Factory Creator by copying the existing Data Factory Contributor role and clearing out its actions and scopes. Inspiration came from these two references: https://msdn.microsoft.com/en-us/library/mt678996.aspx

https://azure.microsoft.com/en-gb/documentation/articles/role-based-access-control-manage-access-powershell/

The green lines beginning with a pound sign (#) are comments for you to read; the PowerShell interpreter does not run them.
I recommend using PowerShell ISE because it lets you highlight a block of code in the script window in the top half and run only that selection (F8), which is handy for piecemeal troubleshooting. The output from running the code is shown in the blue-background pane beneath the code.

You need to substitute your actual subscription ID in place of the zeros: 00000000-0000-0000-0000-000000000000

==============================

# Login prompt to authenticate your admin account to use Azure
Login-AzureRmAccount

# Copy the existing Data Factory Contributor role, clear its actions and scopes, and add the REGISTER action to the new role
$role = Get-AzureRmRoleDefinition "Data Factory Contributor"
$role.Id = $null
$role.Name = "Data Factory Creator"
$role.Description = "Can create data factories."
$role.Actions.Clear()
$role.Actions.Add("Microsoft.DataFactory/register/action")
$role.AssignableScopes.Clear()
# type your own subscription ID here in place of the zeros
$role.AssignableScopes.Add("/subscriptions/00000000-0000-0000-0000-000000000000")
New-AzureRmRoleDefinition -Role $role

# List custom roles to see if the Data Factory Creator role was created
Get-AzureRmRoleDefinition | FT Name, IsCustom

# List the details of the new role to make sure it matches expectations
Get-AzureRmRoleDefinition "Data Factory Creator"
(Get-AzureRmRoleDefinition "Data Factory Creator").Actions

# Delete the custom role if needed (only the custom role can be removed; built-in roles cannot)
# Get-AzureRmRoleDefinition "Data Factory Creator" | Remove-AzureRmRoleDefinition

==============================

3. Locate the subscription and add the users into the new custom role.

Add the required users to our new custom Data Factory Creator role at the subscription level.

Note, it is not sufficient to do this at the Resource Group level, because Microsoft.DataFactory/register/action registers the resource provider on the subscription, so the creation flow runs at the subscription level first.

Visit the Azure portal > Subscriptions > select the subscription > Settings (All settings) > Users > Roles > Data Factory Creator

Add the user > type their name to search the directories, then select the user in the list to add them.

4. Add users to the built-in Data Factory Contributor role as well

Add the required users to the built-in Data Factory Contributor at the Resource Group level if you want them to manage the Data Factories for a given resource group. If you want them to manage the data factories across the whole subscription, you can grant them role membership at the subscription level, but the resource group is required as well to create new data factories.

This screenshot is for the Resource Group level. To grant the role across the subscription instead, follow the same path as in step 3 and pick Data Factory Contributor.

Resource groups > Pick the scope of Resource Group you want > Access Control (IAM) > Roles

Roles > Data Factory Contributor > Add > type the users name to search the directories, and select the user from the list.

5. Have the users test

Make sure the users press F5 (refresh) in their browser so the Azure portal picks up their latest role assignments, then have them try to create a Data Factory with the limited access granted by the two role memberships described above.
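As an added example (not from the original post), the role assignments of steps 3 and 4 done from PowerShell with the AzureRM module rather than clicked through the portal, with a check that the custom role stays narrow. The subscription ID, resource group name and user sign-in name are placeholders you must replace.

```powershell
# Added example: assign the two roles and verify the result (AzureRM module).
# The three values below are placeholders, not values from the original post.
$subscriptionId = "00000000-0000-0000-0000-000000000000"   # your subscription ID
$resourceGroup  = "rg-datafactory-dev"                      # hypothetical resource group
$userSignIn     = "alice@contoso.com"                       # hypothetical user

Login-AzureRmAccount
Select-AzureRmSubscription -SubscriptionId $subscriptionId

# Least-privilege check: the custom role created in step 2 should grant exactly
# one action, the register action, and nothing else.
$creator = Get-AzureRmRoleDefinition "Data Factory Creator"
if ($creator.Actions.Count -ne 1 -or
    $creator.Actions[0] -ne "Microsoft.DataFactory/register/action") {
    throw "Data Factory Creator grants unexpected actions: $($creator.Actions -join ', ')"
}

# Step 3 by script: Data Factory Creator at subscription scope.
# register/action is a subscription-level operation, so a resource group scope is not enough.
New-AzureRmRoleAssignment -SignInName $userSignIn `
    -RoleDefinitionName "Data Factory Creator" `
    -Scope "/subscriptions/$subscriptionId"

# Step 4 by script: built-in Data Factory Contributor limited to one resource group,
# so the user can manage factories there without subscription-wide rights.
New-AzureRmRoleAssignment -SignInName $userSignIn `
    -RoleDefinitionName "Data Factory Contributor" `
    -ResourceGroupName $resourceGroup

# Verify: list the user's assignments together with the scope each one applies to.
Get-AzureRmRoleAssignment -SignInName $userSignIn |
    Select-Object RoleDefinitionName, Scope |
    Format-Table -AutoSize

# Cross-check against the provider's operation catalogue that the action we granted
# is the register operation and see how it is described.
Get-AzureRmProviderOperation "Microsoft.DataFactory/*" |
    Where-Object { $_.Operation -like "*register*" } |
    Select-Object Operation, Description
```

To revoke later, Remove-AzureRmRoleAssignment takes the same -SignInName, -RoleDefinitionName and scope parameters as the New- cmdlet above.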

