Kamal Nandan

Reputation: 243

How to browse Azure Data lake gen 2 using GUI tool

First some background: I want to facilitate access for different groups of data scientists to Azure Data Lake Gen 2. However, we don't want to provide them access to the entire data lake, because they are not supposed to see all the data for security reasons. They must be able to see only some limited files/folders. We are doing that by adding the data scientists' AAD groups to the ACL of the data lake folders. You can refer to the following link to get more insights and to know what I am talking about: https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control

Now the problem: Since the data scientists are granted access to a very specific/limited area, they are able to access/browse those folders/files using Azure Databricks (Python commands/code etc.). However, they are not able to browse using Azure Storage Explorer. So is there some way that they can browse the data lake using Azure Storage Explorer or some other GUI tool? Or is it possible to create some custom role for such a scenario and grant that role to the data scientists' AAD groups so that they may just have access to the specific area (i.e. a custom role that would only have "execute" access on the ADLS Gen 2 file systems)?

Upvotes: 3

Views: 1813

Answers (3)

Hury Shen

Reputation: 15724

As far as I know, we have no way to use an RBAC role to control access on some folders in the file system (container), because when we assign a role to an AAD group, we need to define a scope, and the smallest scope in Azure Data Lake Gen2 is the file system (container). If you just want to control access on it, you do not need to create a custom role; you can directly use the built-in role Storage Blob Data Reader. If a user has the role, he can read all files in the file system. For more details, please refer to the document.

Upvotes: 1

Gary

Reputation: 79

Using ACLs with no RBAC DOES work as of this date (August 2023)... I can't speak for whether it didn't before.

Context:

  • Public access turned off for storage account.
  • Enabled - Enabled from selected virtual networks and IP addresses
  • Enabled - Allow Azure services on the trusted services list to access this storage account
  • Microsoft network routing selected
  • Added existing virtual network of vnets/subnets where customer Vnets are located

At first I didn't think it did, as it's rather finicky about how you do it, but it just requires the following:

  1. Add an EXECUTE ACL with default to the container AND all subfolders down to the folder level where the customer will access. (Make sure you're adding either a group of type = security or the individual AAD user!)
  2. Add whatever ACL is needed at the folder where you want your customers to do file management (I granted read/execute/write and the same for default).
  3. Have the customer connect to the container URL using Storage Explorer from an Azure device that has network routing to the storage account vnet.
  4. Have them do Open Connect Dialog - pick ADLS Gen2 container or directory - Sign in using OAuth (which is actually AAD, which is the preferred method for end user access).
  5. Pick their account and create the saved connection info. Use the URL down to the specific folder name! You can use just the container, but without read access to upper levels of folders they won't see subfolders, so they'd have to manually put in subfolders at the end of the URL.

Upvotes: 1
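The ACL layout the question describes (AAD groups added to folder ACLs) and steps 1 and 2 of the answer above (execute plus default on the container and every ancestor folder, read/write/execute only at the target) are easy to get wrong by hand, and `az storage fs access set --acl` replaces a directory's whole ACL rather than adding to it. The following is an added example, not code from the question or any answer: it merges the new group entries into each directory's current ACL, widens a `mask` entry if one exists, adds the base `default:` entries the first time a default is set, and renders the resulting `az storage fs access set` command lines. The account name, container, folder names and group object ID are made up, the current ACLs are constructed in the shape `az storage fs access show` returns, and addressing the container root as `--path "/"` is an assumption about the CLI; nothing here talks to Azure, so it runs offline.

```python
"""Plan ADLS Gen2 POSIX ACL changes so an AAD security group can reach one
folder with no RBAC data role: traverse (--x) on the container root and every
ancestor directory, rwx on the target, each with a matching default entry.

Added example; account/container/paths/object ID below are made up."""
from typing import Dict, List, Tuple

# Base entries of a directory whose ACL has never been set explicitly.
DEFAULT_DIR_ACL = "user::rwx,group::r-x,other::---"

AclKey = Tuple[str, str, str]  # (scope "access"|"default", entry type, object id)


def parse_acl(acl: str) -> Dict[AclKey, str]:
    """'user::rwx,default:group:<id>:--x,...' -> {(scope, type, id): perms}."""
    entries: Dict[AclKey, str] = {}
    for raw in filter(None, (e.strip() for e in acl.split(","))):
        parts = raw.split(":")
        scope = "access"
        if parts[0] == "default":
            scope, parts = "default", parts[1:]
        if len(parts) != 3 or len(parts[2]) != 3:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        etype, eid, perms = parts
        entries[(scope, etype, eid)] = perms
    return entries


def format_acl(entries: Dict[AclKey, str]) -> str:
    """Serialize back to the comma-separated form the service accepts:
    access entries first, each scope in user/group/mask/other order."""
    rank = {"user": 0, "group": 1, "mask": 2, "other": 3}

    def key(k: AclKey):
        scope, etype, eid = k
        return (scope == "default", rank.get(etype, 9), eid)

    return ",".join(
        ("default:" if scope == "default" else "") + f"{etype}:{eid}:{entries[(scope, etype, eid)]}"
        for scope, etype, eid in sorted(entries, key=key)
    )


def widen(a: str, b: str) -> str:
    """Union of two rwx triplets, e.g. widen('r--', '--x') == 'r-x'."""
    return "".join(x if x != "-" else y for x, y in zip(a, b))


def grant(acl: str, group_id: str, perms: str) -> str:
    """Return `acl` with `group_id` given `perms` as an access AND a default
    entry, keeping every existing entry (the CLI's --acl replaces the ACL)."""
    entries = parse_acl(acl)
    for scope in ("access", "default"):
        if scope == "default":
            # A default ACL needs its own base entries; copy them from the
            # access ACL the first time a default entry is added.
            for base in ("user", "group", "other"):
                entries.setdefault(("default", base, ""), entries[("access", base, "")])
        entries[(scope, "group", group_id)] = perms
        # Named entries are filtered by the mask, so it must allow the grant.
        mask = (scope, "mask", "")
        if mask in entries:
            entries[mask] = widen(entries[mask], perms)
    return format_acl(entries)


def plan(target: str, group_id: str, current_acls: Dict[str, str]) -> List[Tuple[str, str]]:
    """[(path, new_acl), ...] for the root (''), each ancestor of `target`, and
    `target`. Ancestors get --x only, so siblings stay unlistable and unreadable."""
    parts = [p for p in target.strip("/").split("/") if p]
    if not parts:
        raise ValueError("target must be a folder below the container root")
    ancestors = [""] + ["/".join(parts[:i]) for i in range(1, len(parts))]
    changes = [(p, grant(current_acls.get(p, DEFAULT_DIR_ACL), group_id, "--x")) for p in ancestors]
    tgt = "/".join(parts)
    changes.append((tgt, grant(current_acls.get(tgt, DEFAULT_DIR_ACL), group_id, "rwx")))
    return changes


def az_commands(account: str, container: str, changes: List[Tuple[str, str]]) -> List[str]:
    """Render the plan as `az storage fs access set` calls using AAD auth.
    Assumption: the container root is addressed as --path "/"."""
    return [
        f'az storage fs access set --auth-mode login --account-name {account} '
        f'--file-system {container} --path "{p or "/"}" --acl "{acl}"'
        for p, acl in changes
    ]


if __name__ == "__main__":
    # Constructed input: the group's object ID and ACLs read beforehand with
    # `az storage fs access show`; unlisted paths are assumed to be untouched.
    group = "11111111-2222-3333-4444-555555555555"
    current = {"": DEFAULT_DIR_ACL, "raw": "user::rwx,group::r-x,mask::r--,other::---"}
    for cmd in az_commands("stdatalake001", "lake", plan("raw/team-a/project1", group, current)):
        print(cmd)
```

Run `az storage fs access show --file-system <container> --path <dir> --account-name <account> --auth-mode login` for the root and each ancestor first and put the returned `acl` strings into `current`, then review the printed commands before executing them; the object ID must be that of a security-enabled group, and a group that is missing even one ancestor's `--x` entry cannot reach the target at all.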

Karol K

Reputation: 1

It is not possible to access data via Storage Explorer with only ACL permissions assigned. Unfortunately, you need to use ACLs in combination with an RBAC role assigned at the Storage Account level (e.g. Reader) to be able to see the Storage Account itself from Storage Explorer. Then you can introduce granular permissions using ACLs on specific containers/folders/files; however, with Reader they will still be able to see the names of all the containers in the Storage Account (but cannot see the containers' content until specified via ACL or a data RBAC assignment at the container level). As you noticed, the only option to access a specific folder/file using only ACL permissions is via code, e.g. PowerShell or Python.

Upvotes: 0
