MicrosoftDocs / azure-docs

Open source documentation of Microsoft Azure
https://docs.microsoft.com/azure
Creative Commons Attribution 4.0 International

Examples showing ACL being respected #75380

Closed nickbeagley2 closed 3 years ago

nickbeagley2 commented 3 years ago

The best practices for data lake rightly state that you should use ACLs with Azure AD domain groups. There's not one example or tutorial in any of the related documentation here (that I could find) on using any tools/service to access the data lake that does not require resource level groups such as Storage Blob Data Contributor or requires connecting to the data lake using the storage account keys or is dependent on a SAS Token, all of which bypass the ACL security controls. Even the tutorial on using the Power BI client to connect to data lake requires resource group level permission Storage Blob Data Reader at a minimum, bypassing all ACL security.

There's not a single example here I can follow to show a client tool/service respecting the ACL controls put in place on folders within a container and returning only the data a user was meant to be permitted to view.



JamesTran-MSFT commented 3 years ago

@nickbeagley2 Thanks for your feedback! We will investigate and update as appropriate.

normesta commented 3 years ago

Thank you for the feedback. Yes, ACL-only is very much supported. You're correct that this capability is not broadly presented in various tutorials on tooling (HDI, Databricks) which connects with a Gen2 endpoint. See this article for permissions guidance - https://docs.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control-model. ACL only (no RBAC) should be respected as long as ACLs have been configured correctly. That article presents some examples of ACL-only configurations. Many tutorials still use access keys or SAS tokens just to get a reader up and running quickly and successfully with the scenario presented. This may likely continue as configuring ACL only for the purpose of a quickstart can add a lot of length to the content. Your feedback suggests that writers should at least mention that RBAC, Key, or SAS are not the only paths and that ACL-only is perfectly valid. Thank you for offering that input.
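A toy Python model, added here and not taken from the thread or from the Azure SDK, of the evaluation order described above: RBAC data-plane roles are checked first, and only if none grants access are the POSIX-style ACLs consulted, which require execute on the container root and every ancestor directory plus read on the file itself. Group names and paths are constructed; mask and default-ACL handling are omitted.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Principal:
    oid: str                          # Azure AD object id of the user or service principal
    groups: frozenset = frozenset()   # Azure AD groups the principal belongs to

# Constructed ACLs for a small lake. Each entry is (kind, id, "rwx" string);
# in Gen2 the ids would be Azure AD object ids, here they are readable labels.
ACLS = {
    "/":                [("user", "owner", "rwx"), ("group", "lake-admins", "r-x"), ("other", "", "--x")],
    "/sales":           [("user", "owner", "rwx"), ("group", "sales-analysts", "r-x"), ("other", "", "---")],
    "/sales/q1.csv":    [("user", "owner", "rw-"), ("group", "sales-analysts", "r--"), ("other", "", "---")],
    "/hr":              [("user", "owner", "rwx"), ("group", "hr-team", "r-x"), ("other", "", "---")],
    "/hr/salaries.csv": [("user", "owner", "rw-"), ("group", "hr-team", "r--"), ("other", "", "---")],
}

def effective_perms(principal, entries):
    """POSIX-style resolution: a matching user entry wins, else the union of
    matching group entries, else the 'other' entry. (Mask is not modelled.)"""
    for kind, ident, perms in entries:
        if kind == "user" and ident == principal.oid:
            return perms
    matched = [p for k, i, p in entries if k == "group" and i in principal.groups]
    if matched:
        return "".join(f if any(p[n] == f for p in matched) else "-" for n, f in enumerate("rwx"))
    return next(p for k, _, p in entries if k == "other")

def can_read(principal, path, acls=ACLS, rbac_roles=()):
    """Decide whether `principal` may read the file at `path`.
    RBAC data-plane roles are evaluated first; if one grants access the
    ACLs are never consulted, which is the bypass the issue describes."""
    if "Storage Blob Data Reader" in rbac_roles or "Storage Blob Data Contributor" in rbac_roles:
        return True
    parts = [p for p in path.split("/") if p]
    # Traversal: execute (x) is required on the root and on every ancestor directory.
    ancestors = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    if any("x" not in effective_perms(principal, acls[d]) for d in ancestors):
        return False
    return "r" in effective_perms(principal, acls[path])

def without_root_traversal(acls):
    """Same lake, but 'other' loses x on the container root: a common misconfiguration
    that denies group members even though the directory ACL itself is correct."""
    fixed = dict(acls)
    fixed["/"] = [e if e[0] != "other" else ("other", "", "---") for e in acls["/"]]
    return fixed
```

Running `can_read` for a sales analyst shows the group ACL being honoured on `/sales`, denied on `/hr`, and short-circuited to allow once a Storage Blob Data Reader assignment is present.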

normesta commented 3 years ago

Updated best practices article to drive visibility into the access control model article. #please-close