0

I have set up a Data Lake with 1 container and 2 directories, dirA and dirB. User X has ACL's rwx set on directory dirA, user Y has ACL's rwx set on directory dirB. The goal is to give User X full access to dir dirA but no access to dir dirB. Similarly User Y gets full access to dirB and no access to dirA. From RBAC perspective, I've given users X and Y 'Reader' role on the Storage account. Everything seems fine. Users can upload, download and delete files in their respective folders. However, after deleting a file user is unable to see the deleted file under 'Active and Soft Deleted Blobs'.

If I give 'Contributor' role then the user is able to see deleted blobs but it breaks other permissioning rule, i.e. user X can now view dirB as well. What would be the minimum permission set up so that users can work within their own directories and be able to view deleted files as well.

I am using Azure Storage Explorer for testing. Let me know if any further info is required. Thanks.

Improve this question

1 Answer 1

Reset to default
0

Users can upload, download, and delete files in their respective folders. However, after deleting a file, a user is unable to see the deleted file under 'Active and Soft Deleted Blobs'.

According to this MS-Document:

  • To allow users to view deleted files without breaking other permission rules, you can remove the "Reader" role from the users and assign the Storage Blob Data Reader or Storage Blob Data Contributor role.

You can refer to this MS-Document to assign a Storage Blob Data Reader role at the container level with path.

  • The above role allows users to read and list Azure Storage containers and blobs, including deleted blobs.

Portal:

enter image description here

enter image description here

The above condition will allow access to a specific folder with specific permission for the particular user like (X user will access dirA and Y user will access dirB). With this setup, users can work within their own directories and view deleted files.

Improve this answer
Sign up to request clarification or add additional context in comments.

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.