
RBAC (Role Based Access Control) vs ACL (Access Control List)


🔹 RBAC (Role-Based Access Control)

  • Scope: At the Azure resource level (Subscription → Resource Group → Storage Account → Container/File System).
  • Purpose: Controls management and broad access to resources.
  • Assigned via: Azure Active Directory (Azure AD).
  • Examples of RBAC roles:
      • Storage Blob Data Reader → can read blobs/files.
      • Storage Blob Data Contributor → can read/write/delete.
      • Storage Blob Data Owner → full control.

✅ Strengths:

  • Centralized (assign once at container level, applies to all).
  • Great for coarse-grained permissions.
  • Easy to manage across thousands of users.

❌ Limitations:

  • Not file/folder level → if you grant access to a file system, users see everything inside.
  • Cannot express "User A can only read /raw/sales/2025 but not /raw/hr."

🔹 ACL (Access Control Lists)

  • Scope: At the data level (directory and file).
  • Purpose: Provides fine-grained, POSIX-like permissions within the hierarchical namespace.
  • Assigned via: Set on directories/files using ADLS Gen2 APIs, CLI, or Databricks/Spark.
  • ACLs use three permission bits:
      • Read (r) – view file contents, list directory.
      • Write (w) – modify contents.
      • Execute (x) – traverse directory / access child objects.

✅ Strengths:

  • Very granular (control at file/folder level).
  • Mimics traditional file systems (POSIX model).
  • Perfect for multi-team data lakes where each team should only see their zone.

❌ Limitations:

  • Can get complex to manage if you have thousands of folders.
  • Inheritance isn't automatic unless you set default ACLs.

🔹 How RBAC and ACL Work Together in ADLS Gen2

👉 Think of it as two layers of security:

  1. RBAC decides: Can this user access this storage account / file system at all?
  2. ACLs decide: Within that file system, what directories and files can they actually read/write?

🔑 Rule: RBAC grants the door key, ACLs decide which rooms inside you can enter.


🔹 Example

Scenario:

  • Storage account: datalakeprod
  • File system: finance
  • Directory: /finance/reports/2025/

User: Alice (Finance Analyst)

  1. RBAC: Assign Storage Blob Data Reader at the finance file system level → Alice can access the file system.
  2. ACL:
      • /finance/reports/2025/ → grant Alice read + execute
      • /finance/raw/ → deny access

👉 Result: Alice can see and read reports from 2025, but she cannot even list or open files in the raw folder.
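A constructed Python model of the ACL layer described above, added here as an illustration (it is neither the page's nor Azure's code): it shows the execute-bit traversal rule, default-ACL inheritance, and the Alice scenario. It assumes simplified POSIX-like entries (owning user/group and mask are omitted) and uses `alice-oid` as a placeholder object id.

```python
from dataclasses import dataclass, field

@dataclass
class Node:
    """Directory or file. acl maps 'user:<oid>', 'group:<oid>' or 'other' to bits like 'r-x'."""
    acl: dict[str, str]
    default_acl: dict[str, str] = field(default_factory=dict)  # directories only; copied to new children
    children: dict[str, "Node"] = field(default_factory=dict)

def perms_for(node: Node, principal: str, groups: frozenset = frozenset()) -> set[str]:
    """Bits a principal holds on one node: named-user entry, else union of matching group entries, else other."""
    if f"user:{principal}" in node.acl:
        return set(node.acl[f"user:{principal}"]) - {"-"}
    group_bits = [set(node.acl[f"group:{g}"]) for g in groups if f"group:{g}" in node.acl]
    if group_bits:
        return set().union(*group_bits) - {"-"}
    return set(node.acl.get("other", "---")) - {"-"}

def can_read(root: Node, path: str, principal: str, groups: frozenset = frozenset()) -> bool:
    """Reading a file (or listing a directory) needs 'x' on every ancestor and 'r' on the target itself.
    Azure consults ACLs only for operations the RBAC assignment did not already authorize."""
    node = root
    for part in [p for p in path.split("/") if p]:
        if "x" not in perms_for(node, principal, groups):
            return False  # traversal blocked before the target is even reached
        node = node.children.get(part)
        if node is None:
            return False
    return "r" in perms_for(node, principal, groups)

def mkdir(parent: Node, name: str) -> Node:
    """A new child inherits only the parent's *default* ACL; the parent's access ACL is never copied."""
    child = Node(acl=dict(parent.default_acl), default_acl=dict(parent.default_acl))
    parent.children[name] = child
    return child

def build_finance_example(alice: str = "alice-oid") -> Node:
    """Constructed tree for the page's scenario; 'alice-oid' stands in for a real object id."""
    a, deny_other = f"user:{alice}", {"other": "---"}
    finance = Node(acl={a: "--x", **deny_other})  # x only: Alice may pass through the root but not list it
    reports = Node(acl={a: "r-x", **deny_other}, default_acl={a: "r-x", **deny_other})
    finance.children["reports"] = reports
    raw = mkdir(finance, "raw")  # finance has no default ACL, so raw grants Alice nothing
    year = mkdir(reports, "2025")  # inherits Alice's r-x from the default ACL on reports
    year.children["q1.csv"] = Node(acl={a: "r--", **deny_other})
    raw.children["hr.csv"] = Node(acl=dict(deny_other))
    return finance
```

Creating a new directory under `reports` with `mkdir` inherits Alice's access, while one created under `raw` does not, which is the "set default ACLs or inheritance does not happen" point from the limitations list.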


🔹 Summary

| Feature      | RBAC                                                  | ACL                                                         |
|--------------|-------------------------------------------------------|-------------------------------------------------------------|
| Scope        | Azure resource level                                  | File system (directory/file)                                |
| Granularity  | Broad                                                 | Fine-grained                                                |
| Assigned via | Azure AD                                              | POSIX-like model                                            |
| Use case     | "Who can access this storage account or container?"   | "Within the container, what files/folders can they access?" |
| Best for     | Coarse access control                                 | Detailed data lake permissions                              |

👉 In short:

  • RBAC = Door access to the building.
  • ACL = Which rooms and drawers inside you can open.

Practical: How to set up RBAC and ACLs?

# 1. RBAC layer: grant the data-plane reader role. The scope below is the whole
#    storage account; narrow it to one container by appending
#    /blobServices/default/containers/<containerName> to the scope.
az role assignment create \
  --assignee <userObjectIdOrEmail> \
  --role "Storage Blob Data Reader" \
  --scope /subscriptions/<subId>/resourceGroups/<rgName>/providers/Microsoft.Storage/storageAccounts/<storageAccountName>

# 2. ACL layer: give the user read + execute on one folder (r-x = list/read and traverse, no write).
az storage fs access set \
  --account-name <storageAccountName> \
  --file-system <containerName> \
  --path <folderName> \
  --acl "user:<userObjectId>:r-x"