
I have an AAD Group that is allowed to access the Data Lake Gen 2 via RBAC. However, there are some people in the AAD Group that should not be allowed to see some of the files/folders. How can it be done?

I saw ACLs, but from what I've read ACLs are not evaluated if RBAC provides access already. --> https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control-model#how-permissions-are-evaluated

Joy Wang
Samantha

1 Answer


No, you can't.

If the AAD group already has the RBAC role Storage Blob Data Owner/Storage Blob Data Contributor/Storage Blob Data Reader at your storage account scope (including higher-level scopes), there is no way to restrict the members from accessing a folder/file inside.

Joy Wang
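To make the evaluation order concrete, here is a small Python model of how a Data Lake Gen2 request is authorized: Azure RBAC is checked first, and the POSIX-style ACLs on the path are consulted only when no RBAC role grants the operation. This is an added, simplified example, not Microsoft's code or the storage service itself; the group, user object ids, scopes and paths are constructed sample data, and ACL details such as the owning user, mask and superuser rights of Storage Blob Data Owner are left out. The first scenario shows the situation from the question (group holds Storage Blob Data Reader at the account, so a restrictive ACL on the file changes nothing); the second shows the model with no data-plane role, where the ACLs decide. A small audit helper lists the role assignments that would short-circuit ACLs for a given account.

```python
"""Simplified model of ADLS Gen2 authorization: RBAC first, ACLs second.

Added illustrative example (not Microsoft's code). All principals, group
ids, scopes and paths are constructed sample data.
"""
from dataclasses import dataclass, field

# Built-in data-plane roles and the operations they grant (subset).
RBAC_ROLE_PERMS = {
    "Storage Blob Data Reader": {"r"},
    "Storage Blob Data Contributor": {"r", "w"},
    "Storage Blob Data Owner": {"r", "w"},
}

# Constructed account scope; assignments at any prefix of it (subscription,
# resource group, account) apply to the account.
ACCOUNT = ("/subscriptions/sub-0/resourceGroups/rg-0/providers/"
           "Microsoft.Storage/storageAccounts/acct0")


@dataclass
class Principal:
    oid: str
    groups: set = field(default_factory=set)


@dataclass
class RoleAssignment:
    principal: str   # user or group object id
    role: str
    scope: str


@dataclass
class Node:
    # ACL entries: ("user"|"group"|"other", id) -> "rwx"-style string
    acl: dict


def rbac_allows(principal, assignments, account_scope, perm):
    """Return the first role assignment granting `perm`, or None."""
    ids = {principal.oid} | principal.groups
    for a in assignments:
        if (a.principal in ids and account_scope.startswith(a.scope)
                and perm in RBAC_ROLE_PERMS.get(a.role, set())):
            return a
    return None


def acl_allows(principal, node, perm):
    """POSIX-style subset: named user entry, else matching group entries, else other."""
    user = node.acl.get(("user", principal.oid))
    if user is not None:
        return perm in user
    group_perms = [v for (kind, gid), v in node.acl.items()
                   if kind == "group" and gid in principal.groups]
    if group_perms:
        return any(perm in p for p in group_perms)
    return perm in node.acl.get(("other", ""), "---")


def evaluate(principal, path, perm, assignments, tree, account_scope=ACCOUNT):
    """Return (allowed, reason). ACLs are only evaluated when RBAC is silent."""
    hit = rbac_allows(principal, assignments, account_scope, perm)
    if hit:
        return True, f"RBAC: {hit.role} at {hit.scope} (ACLs not evaluated)"
    parts = [p for p in path.strip("/").split("/") if p]
    parents = ["/"] + ["/" + "/".join(parts[:i]) for i in range(1, len(parts))]
    for d in parents:                      # need execute on every parent dir
        if not acl_allows(principal, tree[d], "x"):
            return False, f"ACL: missing x on {d}"
    if not acl_allows(principal, tree[path], perm):
        return False, f"ACL: missing {perm} on {path}"
    return True, "ACL: granted"


def assignments_that_bypass_acls(assignments, account_scope=ACCOUNT):
    """Audit helper: data-plane roles at or above the account scope."""
    return [a for a in assignments
            if a.role in RBAC_ROLE_PERMS and account_scope.startswith(a.scope)]


# Constructed sample data: both users are in the 'analysts' group; only bob
# has a named entry on the sensitive file.
ALICE = Principal("u-alice", {"g-analysts"})
BOB = Principal("u-bob", {"g-analysts"})
TREE = {
    "/": Node({("group", "g-analysts"): "--x", ("other", ""): "---"}),
    "/raw": Node({("group", "g-analysts"): "r-x", ("other", ""): "---"}),
    "/raw/secret.csv": Node({("user", "u-bob"): "r--", ("other", ""): "---"}),
}
GROUP_READER = [RoleAssignment("g-analysts", "Storage Blob Data Reader", ACCOUNT)]


def scenario_with_rbac():
    """Question's situation: group has a data-plane role at the account."""
    return {u.oid[2:]: evaluate(u, "/raw/secret.csv", "r", GROUP_READER, TREE)
            for u in (ALICE, BOB)}


def scenario_acl_only():
    """No data-plane role on the group: the per-path ACLs decide."""
    return {u.oid[2:]: evaluate(u, "/raw/secret.csv", "r", [], TREE)
            for u in (ALICE, BOB)}


if __name__ == "__main__":
    for name, fn in (("with RBAC", scenario_with_rbac), ("ACL only", scenario_acl_only)):
        print(name, fn())
    print("bypassing:", assignments_that_bypass_acls(GROUP_READER))
```

Running it prints that with the group-level role alice is allowed purely via RBAC, while with no data-plane role alice is denied at the file and bob is allowed by his named ACL entry; the audit helper flags the account-scope reader assignment as the one that makes the ACLs irrelevant.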