| services | storage |
|---|---|
| author | normesta |
| ms.service | storage |
| ms.topic | include |
| ms.date | 09/29/2020 |
| ms.author | normesta |
| ms.custom | include file |
Always use Microsoft Entra security groups as the assigned principal in an ACL entry. Resist the opportunity to directly assign individual users or service principals. Using this structure will allow you to add and remove users or service principals without the need to reapply ACLs to an entire directory structure. Instead, you can just add or remove users and service principals from the appropriate Microsoft Entra security group.
There are many different ways to set up groups. For example, imagine that you have a directory named /LogData which holds log data that is generated by your server. Azure Data Factory (ADF) ingests data into that folder. Specific users from the service engineering team will upload logs and manage other users of this folder, and various Databricks clusters will analyze logs from that folder.
To enable these activities, you could create a `LogsWriter` group and a `LogsReader` group. Then, you could assign permissions as follows:

- Add the `LogsWriter` group to the ACL of the /LogData directory with `rwx` permissions.
- Add the `LogsReader` group to the ACL of the /LogData directory with `r-x` permissions.
- Add the service principal object or Managed Service Identity (MSI) for ADF to the `LogsWriter` group.
- Add users in the service engineering team to the `LogsWriter` group.
- Add the service principal object or MSI for Databricks to the `LogsReader` group.
If a user in the service engineering team leaves the company, you could just remove them from the LogsWriter group. If you did not add that user to a group, but instead, you added a dedicated ACL entry for that user, you would have to remove that ACL entry from the /LogData directory. You would also have to remove the entry from all subdirectories and files in the entire directory hierarchy of the /LogData directory.
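The following shell script is an added example, not part of the original article or any Microsoft sample. It builds the ACL string for the /LogData layout described above (base entries plus the two group entries, each paired with a `default:` entry so that new children inherit it) and emits the Azure CLI commands that would apply it and, later, revoke access for a departed engineer both ways: by group membership (one command) versus by a per-user ACL entry (a recursive walk of the whole hierarchy). The storage account name, file system name, and all object IDs are placeholders (assumptions); nothing is executed against Azure unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: compose ADLS Gen2 ACL entries for group-based access to /LogData
# and show the Azure CLI calls that apply and revoke them. Account, file system
# and object IDs below are placeholders (assumptions), not values from the article.
set -eu

# Accept only a POSIX-style permission triad such as rwx or r-x.
valid_perm() {
  case "$1" in
    [r-][w-][x-]) return 0 ;;
    *) return 1 ;;
  esac
}

# One access entry plus the matching default entry for a security group.
# The default entry makes new files and directories under /LogData inherit
# the group ACL, so it never has to be re-applied per child.
group_acl_entry() {
  oid="$1"; perm="$2"
  valid_perm "$perm" || { echo "invalid permission: $perm" >&2; return 1; }
  printf 'group:%s:%s,default:group:%s:%s' "$oid" "$perm" "$oid" "$perm"
}

# Full ACL for /LogData: owner, owning group and other, then LogsWriter (rwx)
# and LogsReader (r-x) by group object ID.
logdata_acl() {
  printf 'user::rwx,group::r-x,other::---,%s,%s' \
    "$(group_acl_entry "$1" rwx)" \
    "$(group_acl_entry "$2" r-x)"
}

# Run a command when APPLY=1, otherwise just print it (dry run).
run() {
  if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$@"; fi
}

# Apply the group-based ACL to the /LogData directory.
apply_logdata_acl() {
  account="$1"; fs="$2"; acl="$(logdata_acl "$3" "$4")"
  run az storage fs access set --acl "$acl" -p LogData -f "$fs" \
      --account-name "$account" --auth-mode login
}

# Revocation when access was granted through the group: a single membership
# change, no ACLs touched.
revoke_via_group() {
  group="$1"; member_oid="$2"
  run az ad group member remove --group "$group" --member-id "$member_oid"
}

# Revocation when a dedicated per-user ACL entry was used instead: the entry
# (and its default twin) must be removed from /LogData and every descendant.
revoke_via_acl() {
  account="$1"; fs="$2"; member_oid="$3"
  run az storage fs access remove-recursive \
      --acl "user:$member_oid,default:user:$member_oid" \
      -p LogData -f "$fs" --account-name "$account" --auth-mode login
}

# Placeholder identifiers (assumptions).
WRITER_OID="00000000-0000-0000-0000-000000000001"
READER_OID="00000000-0000-0000-0000-000000000002"
LEAVER_OID="00000000-0000-0000-0000-00000000abcd"

apply_logdata_acl mystorageacct logs "$WRITER_OID" "$READER_OID"
revoke_via_group LogsWriter "$LEAVER_OID"
revoke_via_acl mystorageacct logs "$LEAVER_OID"
```

Without `APPLY=1` the script only prints the three commands, which is a convenient way to review the ACL string before it reaches the directory. The `remove-recursive` call exists purely to illustrate the cost the paragraph above describes; the recommended path is the single `az ad group member remove`.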
To create a group and add members, see Create a basic group and add members using Microsoft Entra ID.
Important
Azure Data Lake Storage Gen2 depends on Microsoft Entra ID to manage security groups. Microsoft Entra ID recommends that you limit group membership for a given security principal to less than 200. This recommendation is due to a limitation of JSON Web Tokens (JWT) that provide a security principal's group membership information within Microsoft Entra applications. Exceeding this limit might lead to unexpected performance issues with Data Lake Storage Gen2. To learn more, see Configure group claims for applications by using Microsoft Entra ID.