We have an Azure storage account where we have created multiple containers. We have two groups, Dev and Test. I want to implement this scenario: one of the containers is 'data_zone'. Inside this container we have two folders, Dev and QA. Now I want to implement a rule such that the Dev group of users only gets access to this Dev folder. They should not be able to either enter or view the contents of the QA folder. Likewise, the same is to be followed for the QA group. I have tried the below things to achieve this but somehow it's not working:
- Gave the RBAC roles 'Reader' and 'Storage Blob Reader' to these two groups (i.e. the DEV group and the QA group)
- In the ACL options, I added a principal, attached the group 'DEV' and gave it no access (i.e. neither READ, nor LIST, nor EXECUTE) in order to restrict this group from entering the QA folder. I did the same operation for the QA group, with the opposite of the previous one.
Now the problem after this is that the DEV group users are still able to view/list the folders DEV and QA when they enter the container. After being able to view them, they can successfully enter the QA folder as well, and they are able to read the text file (one of the objects uploaded). It's just that they are not able to edit it. They are not able to upload any blob or download any. But we want to achieve the below conditions: group DEV must not be able to enter or view the contents of the QA folder, and vice versa for the QA group.
I have tried:
- RBAC roles
- ACL settings
Do any of you know what needs to be done to achieve this level of granularity of access?
On top of the Storage Blob Data Reader data plane role you can provide a role assignment condition. If you specify the RBAC controls using the portal, it will ask for it right after selecting the blob reader role. Using those conditions you can apply a rule to allow access to a specific path, with which you can include the specific folders for DEV and QA. Below is an example from the Microsoft documentation:
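As an added example (not the answerer's own code and not the Microsoft snippet), the Bash script below builds the role assignment condition for one container and folder prefix, covering both blob reads and blob listing, and wraps the `az role assignment create` call that attaches it. The attribute, action and sub-operation names are the ones documented for Azure Storage ABAC conditions; the group object id and the storage account scope are placeholders you must supply, and the prefixes 'Dev/' and 'QA/' are assumed to match the folder names in the question.

```shell
# Added example: scope "Storage Blob Data Reader" to one folder via an ABAC condition.
set -euo pipefail

# Emit the condition expression for CONTAINER and PREFIX (e.g. data_zone Dev/).
# The first clause gates single-blob reads on the blob path; the second gates
# list calls (sub-operation Blob.List) on the requested prefix, since a list
# request carries no blob path. Names are from the Azure Storage ABAC docs.
build_path_condition() {
  local container="$1" prefix="$2"
  local read_action='Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'
  local cname='@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name]'
  local bpath='@Resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:path]'
  local lprefix='@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:prefix]'
  cat <<EOF
(
 (!(ActionMatches{'${read_action}'} AND NOT SubOperationMatches{'Blob.List'}))
 OR
 (${cname} StringEquals '${container}' AND ${bpath} StringStartsWith '${prefix}')
)
AND
(
 (!(ActionMatches{'${read_action}'} AND SubOperationMatches{'Blob.List'}))
 OR
 (${cname} StringEquals '${container}' AND ${lprefix} StringStartsWith '${prefix}')
)
EOF
}

# Assign the data-plane role to a group with the condition attached.
# GROUP_OBJECT_ID and SCOPE are placeholders (scope = the storage account
# resource id, or the container resource id for a tighter assignment).
assign_scoped_reader() {
  local group_object_id="$1" container="$2" prefix="$3" scope="$4"
  az role assignment create \
    --role "Storage Blob Data Reader" \
    --assignee-object-id "$group_object_id" \
    --assignee-principal-type Group \
    --scope "$scope" \
    --condition-version "2.0" \
    --condition "$(build_path_condition "$container" "$prefix")"
}

# Show the condition the DEV group would receive; the assignment itself is
# only performed when you call assign_scoped_reader with real ids.
build_path_condition data_zone Dev/
```

Call `assign_scoped_reader` once for the DEV group with prefix `Dev/` and once for the QA group with prefix `QA/`; with the condition in place a read or list outside the allowed prefix is denied even though the unconditioned role would have permitted it.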