| title | Use the Azure portal to manage ACLs in Azure Data Lake Storage |
|---|---|
| titleSuffix | Azure Storage |
| description | Use the Azure portal to manage access control lists (ACLs) in storage accounts that have a hierarchical namespace (HNS) enabled. |
| author | normesta |
| ms.service | azure-data-lake-storage |
| ms.topic | how-to |
| ms.date | 11/26/2024 |
| ms.author | normesta |
This article shows you how to use Azure portal to manage the access control list (ACL) of a directory or blob in storage accounts that have the hierarchical namespace featured enabled on them.
For information about the structure of the ACL, see Access control lists (ACLs) in Azure Data Lake Storage.
To learn about how to use ACLs and Azure roles together, see Access control model in Azure Data Lake Storage.
-
An Azure subscription. See Get Azure free trial.
-
A storage account that has the hierarchical namespace featured enabled on it. Follow these instructions to create one.
-
You must have one of the following security permissions:
-
Your user identity has been assigned the Storage Blob Data Owner role in the scope of either the target container, storage account, parent resource group or subscription.
-
You're the owning user of the target container, directory, or blob to which you plan to apply ACL settings.
-
-
Sign in to the Azure portal to get started.
-
Locate your storage account and display the account overview.
-
Select Containers under Data storage.
The containers in the storage account appear.
[!div class="mx-imgBorder"]
-
Navigate to any container, directory, or blob. Right-click the object, and then select Manage ACL.
[!div class="mx-imgBorder"]
The Access permissions tab of the Manage ACL page appears. Use the controls in this tab to manage access to the object.
[!div class="mx-imgBorder"]
-
To add a security principal to the ACL, select the Add principal button.
[!TIP] A security principal is an object that represents a user, group, service principal, or managed identity that is defined in Microsoft Entra ID.
Find the security principal by using the search box, and then select the Select button.
[!div class="mx-imgBorder"]
[!NOTE] We recommend that you create a security group in Microsoft Entra ID, and then maintain permissions on the group rather than for individual users. For details on this recommendation, as well as other best practices, see Access control model in Azure Data Lake Storage.
-
To manage the default ACL, select the default permissions tab, and then select the Configure default permissions checkbox.
[!TIP] A default ACL is a template of an ACL that determines the access ACLs for any child items that are created under a directory. A blob doesn't have a default ACL, so this tab appears only for directories.
[!div class="mx-imgBorder"]
You can apply ACL entries recursively on the existing child items of a parent directory without having to make these changes individually for each child item. However, you can't apply ACL entries recursively by using the Azure portal.
To apply ACLs recursively, use Azure Storage Explorer, PowerShell, or the Azure CLI. If you prefer to write code, you can also use the .NET, Java, Python, or Node.js APIs.
You can find the complete list of guides here: How to set ACLs.
Learn about the Data Lake Storage permission model.
[!div class="nextstepaction"] Access control model in Azure Data Lake Storage