articles/data-share/concepts-roles-permissions.md
Lines changed: 42 additions & 31 deletions
Original file line number
Diff line number
Diff line change
@@ -1,6 +1,6 @@
1
1
---
2
2
title: Roles and requirements for Azure Data Share
3
-
description: Learn about the access control roles and requirements for data providers and data consumers to share data in Azure Data Share.
3
+
description: Learn about the permissions required to share and receive data using Azure Data Share.
4
4
author: joannapea
5
5
ms.author: joanpo
6
6
ms.service: data-share
@@ -10,72 +10,83 @@ ms.date: 07/10/2019
10
10
11
11
# Roles and requirements for Azure Data Share
12
12
13
-
This article describes the roles required to share data using Azure Data Share, as well as to accept and receive data using Azure Data Share.
13
+
This article describes roles and permissions required to share and receive data using Azure Data Share service.
14
14
15
15
## Roles and requirements
16
16
17
-
Azure Data Share uses Managed Identities for Azure Services (previously known as MSIs) to authenticate to underlying storage accounts in order to be able to read data to be shared by a data provider, as well as receive data shared as a data consumer. As a result, there is no exchange of credentials between the data provider and the data consumer.
17
+
With Azure Data Share service, you can share data without exchanging credentials between data provider and consumer. Azure Data Share service uses Managed Identities (previously known as MSIs) to authenticate to Azure data store.
18
18
19
-
The Managed Service Identity needs to be granted access to the underlying storage account or SQL database. The Azure Data Share service uses the Azure Data Share resource's Managed Service Identity to read and write data. The user of Azure Data Share needs the ability to create a role assignment for the Managed Service Identity to the storage account or SQL database that they are sharing data from/to.
19
+
Azure Data Share resource's managed identity needs to be granted access to Azure data store. Azure Data Share service then uses this managed identity to read and write data for snapshot-based sharing, and to establish symbolic link for in-place sharing.
20
20
21
-
In the case of storage, Permission to create role assignments exists in the **owner** role, User Access Administrator role, or a custom role with Microsoft.Authorization/role assignments/write permission assigned.
21
+
To share or receive data from an Azure data store, user needs at least the following permissions. Additional permissions are required for SQL-based sharing.
22
+
* Permission to write to the Azure data store. Typically, this permission exists in the **Contributor** role.
23
+
* Permission to create role assignment in the Azure data store. Typically, permission to create role assignments exists in the **Owner** role, User Access Administrator role, or a custom role with Microsoft.Authorization/role assignments/write permission assigned. This permission is not required if the data share resource's managed identity is already granted access to the Azure data store. See table below for required role.
22
24
23
-
If you are not an owner of the storage account in question, and you are unable to create a role assignment for the Azure Data Share resource's Managed Identity yourself, you can request an Azure Administrator to create a role assignment on your behalf.
24
-
25
-
Below is a summary of the roles assigned to Data Share resource-Managed Identity:
25
+
Below is a summary of the roles assigned to Data Share resource's managed identity:
|**Data Store Type**|**Data Provider Source Data Store**|**Data Consumer Target Data Store**|
30
30
|Azure Blob Storage| Storage Blob Data Reader | Storage Blob Data Contributor
31
31
|Azure Data Lake Gen1 | Owner | Not Supported
32
32
|Azure Data Lake Gen2 | Storage Blob Data Reader | Storage Blob Data Contributor
33
-
|Azure SQL | dbo | dbo
33
+
|Azure SQL Server | SQL DB Contributor | SQL DB Contributor
34
+
|Azure Data Explorer Cluster | Contributor | Contributor
34
35
|
35
36
36
-
### Data providers
37
-
To add a dataset to an Azure Data Share, the data providers data share resource-managed identity needs to be added to the Storage Blob Data Reader role. This is done automatically by the Azure Data Share service if the user is adding datasets via Azure and is an owner of the storage account, or is a member of a custom role that has the Microsoft.Authorization/role assignments/write permission assigned.
37
+
For SQL-based sharing, a SQL user needs to be created from an external provider in the SQL database with the same name as the Azure Data Share resource. Below is a summary of the permission required by the SQL user.
38
+
39
+
||||
40
+
|---|---|---|
41
+
|**SQL Database Type**|**Data Provider SQL User Permission**|**Data Consumer SQL User Permission**|
To add a dataset in Azure Data Share, provider data share resource's managed identity needs to be granted access to the source Azure data store. For example, in the case of storage account, the data share resource's managed identity is granted the Storage Blob Data Reader role.
38
49
39
-
Alternatively, the user can have an Azure Administrator add the data share resource-managed identity to the Storage Blob Data Reader role manually. Creating this role assignment manually by the Administrator will void having to be an owner of the Storage account or have a custom role assignment. This applies to data being shared from Azure Storage or Azure Data Lake Gen2.
50
+
This is done automatically by the Azure Data Share service when user is adding dataset via Azure portal and the user has the proper permission. For example, user is an owner of the Azure data store, or is a member of a custom role that has the Microsoft.Authorization/role assignments/write permission assigned.
40
51
41
-
If sharing data from Azure Data Lake Gen1, the role assignment must be made to the Owner role.
52
+
Alternatively, user can have owner of the Azure data store add the data share resource's managed identity to the Azure data store manually. This action only needs to be performed once per data share resource.
42
53
43
-
To create a role assignment for the Data Share resource's Managed Identity, follow the below steps:
54
+
To create a role assignment for the data share resource's managed identity, follow the below steps:
44
55
45
-
1. Navigate to the Storage account.
56
+
1. Navigate to the Azure data store.
46
57
1. Select **Access Control (IAM)**.
47
58
1. Select **Add a role assignment**.
48
-
1. Under *Role*, select *Storage Blob Data Reader*.
49
-
1. Under *Select*, type in the name of your Azure Data Share account.
59
+
1. Under *Role*, select the role in the role assignment table above (for example, for storage account, select *Storage Blob Data Reader*).
60
+
1. Under *Select*, type in the name of your Azure Data Share resource.
50
61
1. Click *Save*.
51
62
52
-
For SQL-based sources, a user needs to be created from an external provider in the SQL database that data is being shared from with the same name as the Azure Data Share account. A sample script along with other prerequisites for SQL-based sharing can be found in the [share your data](share-your-data.md) tutorial.
63
+
For SQL-based sources, in addition to the above steps, a SQL user needs to be created from an external provider in the SQL database with the same name as the Azure Data Share resource. This user needs to be granted db_owner permission. A sample script along with other prerequisites for SQL-based sharing can be found in the [share your data](share-your-data.md) tutorial.
53
64
54
-
### Data consumers
55
-
To receive data, the data consumers data share resource-managed identity needs to be added to the Storage Blob Data Contributor role and/or dbo role of a SQL database if receiving data into a SQL database.
65
+
### Data consumer
66
+
To receive data, consumer data share resource's managed identity needs to be granted access to the target Azure data store. For example, in the case of storage account, the data share resource's managed identity is granted the Storage Blob Data Contributor role.
56
67
57
-
In the case of storage, this is done automatically by the Azure Data Share service if the user is adding datasets via Azure and is an owner of the storage account, or is a member of a custom role which has the Microsoft.Authorization/role assignments/write permission assigned.
68
+
This is done automatically by the Azure Data Share service if the user specifies a target data store via Azure portal and the user has proper permission. For example, user is an owner of the Azure data store, or is a member of a custom role which has the Microsoft.Authorization/role assignments/write permission assigned.
58
69
59
-
Alternatively, the user can have an Azure Administrator add the data share resource-managed identity to the Storage Blob Data Contributor role manually. Creating this role assignment manually by the Administrator will void having to be an owner of the Storage account or have a custom role assignment. Note that this applies to data being shared to Azure Storage or Azure Data Lake Gen2. Receiving data to Azure Data Lake Gen1 is not supported.
70
+
Alternatively, user can have owner of the Azure data store add the data share resource's managed identity to the Azure data store manually. This action only needs to be performed once per data share resource.
60
71
61
-
To create a role assignment for the Data Share resource's Managed Identity manually, follow the below steps:
72
+
To create a role assignment for the data share resource's managed identity manually, follow the below steps:
62
73
63
-
1. Navigate to the Storage account.
74
+
1. Navigate to the Azure data store.
64
75
1. Select **Access Control (IAM)**.
65
76
1. Select **Add a role assignment**.
66
-
1. Under *Role*, select *Storage Blob Data Contributor*.
67
-
1. Under *Select*, type in the name of your Azure Data Share account.
77
+
1. Under *Role*, select the role in the role assignment table above (for example, for storage account, select *Storage Blob Data Reader*).
78
+
1. Under *Select*, type in the name of your Azure Data Share resource.
68
79
1. Click *Save*.
69
80
70
-
If you are sharing data using our REST APIs, you will need to create these role assignments manually by adding the data share account in to the appropriate roles.
81
+
For SQL-based target, in addition to the above steps, a SQL user needs to be created from an external provider in the SQL database with the same name as the Azure Data Share resource. This user needs to be granted db_owner permission. A sample script along with other prerequisites for SQL-based sharing can be found in the [accept and receive data](subscribe-to-data-share.md) tutorial.
71
82
72
-
If you are receiving data into a SQL-based source, ensure that a new user is created from an external provider with the same name as your Azure Data Share account. See prerequisites in [accept and receive data](subscribe-to-data-share.md) tutorial.
83
+
If you are sharing data using REST APIs, you need to create these role assignments manually.
73
84
74
-
To learn more about how to add a role assignment, refer to [this documentation,](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal#add-a-role-assignment) which outlines how to add a role assignment to an Azure resource.
85
+
To learn more about how to add a role assignment, refer to [this documentation,](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal#add-a-role-assignment).
75
86
76
87
## Resource provider registration
77
88
78
-
When accepting an Azure Data Share invitation, you will need to manually register the Microsoft.DataShare resource provider in to your subscription. Follow these steps to register the Microsoft.DataShare resource provider into your Azure Subscription.
89
+
To view Azure Data Share invitation for the first time in your Azure tenant, you may need to manually register the Microsoft.DataShare resource provider into your Azure subscription. Follow these steps to register the Microsoft.DataShare resource provider into your Azure Subscription.
79
90
80
91
1. In the Azure portal, navigate to **Subscriptions**.
81
92
1. Select the subscription that you're using for Azure Data Share.
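Review bot: In the new "### Data consumer" steps, the *Role* step still reads "for example, for storage account, select *Storage Blob Data Reader*", but the role table and the paragraph above the steps give Storage Blob Data Contributor for the consumer's target store, so following the step as written assigns a read-only role to an identity that has to write received data. Change the example in the consumer steps to *Storage Blob Data Contributor*. Separately, the added lines say the SQL user "needs to be granted db_owner permission" while the share-your-data.md change in this same commit moves the provider script to db_datareader, and the table lists "SQL DB Contributor" for Azure SQL Server; state one least-privilege requirement consistently across the articles. The permission is also written "Microsoft.Authorization/role assignments/write" with a space; the Azure action name is Microsoft.Authorization/roleAssignments/write.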
articles/data-share/data-share-troubleshoot.md
Lines changed: 45 additions & 26 deletions
@@ -19,53 +19,72 @@ In some cases, when a new user clicks **Accept Invitation** from the e-mail invi
19
19
20
20

21
21
22
-
The above error is a known issue with the service and is currently being addressed. As a workaround, follow the below steps.
22
+
This could be due to the following reasons:
23
23
24
-
1. In the Azure portal, navigate to **Subscriptions**
25
-
1. Select the subscription that you're using for Azure Data Share
26
-
1. Click on **Resource Providers**
27
-
1. Search for Microsoft.DataShare
28
-
1. Click **Register**
24
+
**1. Azure Data Share service is not registered as a resource provider of any Azure subscription in the Azure tenant.** You will experience this issue if there is no Data Share resource in your Azure tenant. When you create an Azure Data Share resource, it automatically registers the resource provider in your Azure subscription. You can also manually register the Data Share service following these steps. You'll need to have the Azure Contributor role to complete these steps.
25
+
26
+
* In the Azure portal, navigate to **Subscriptions**
27
+
* Select the subscription you want to use to create Azure Data Share resource
28
+
* Click on **Resource Providers**
29
+
* Search for **Microsoft.DataShare**
30
+
* Click **Register**
29
31
30
32
You'll need to have the [Azure Contributor RBAC role](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#contributor) to complete these steps.
31
33
32
-
If you still are unable to see a data share invitation, contact your data provider and ensure that they have sent the invitation to your Azure login e-mail address and *not* your e-mail alias.
34
+
**2. Invitation is sent to your email alias instead of your Azure login email.** If you have registered the Azure Data Share service or have already created a Data Share resource in the Azure tenant, but still cannot see the invitation, it maybe because the provider has entered your email alias as recipient instead of your Azure login email address. Contact your data provider and ensure that they have sent the invitation to your Azure login e-mail address and not your e-mail alias.
35
+
36
+
**3. Invitation has already been accepted.** The link in the email takes you to the Data Share Invitation page in Azure Portal, which only lists pending invitations. If you have already accepted the invitation, it will no longer show up in the Data Share Invitation page. Proceed to your Data Share resource which you used to accept the invitation into to view received shares and configure your target Azure Data Explorer cluster setting.
37
+
38
+
## Error when creating or receiving a new share
33
39
34
-
> [!IMPORTANT]
35
-
> If you have already accepted an Azure Data Share invitation and exited the service prior to configuring storage, follow the instructions detailed in the [configure a dataset mapping](how-to-configure-mapping.md) how-to guide to learn how to finish configuring your received data share and start receiving data.
40
+
"Failed to add datasets"
36
41
37
-
## Error when creating or receiving a new Data Share
42
+
"Failed to map datasets"
38
43
39
-
"Error: Operation returned an invalid status code 'BadRequest'"
44
+
"Unable to grant Data Share resource x access to y"
40
45
41
-
"Error: AuthorizationFailed"
46
+
"You do not have proper permissions to x"
42
47
43
-
"Error: role assignment to storage account"
48
+
"We could not add write permissions for Azure Data Share account to one or more of your selected resources"
If you receive any of the above errors when creating a new share or mapping datasets, it could be due to insufficient permissions to the Azure data store. See [Roles and requirements](concepts-roles-permissions.md) for required permissions.
46
51
47
-
If you receive any of the above errors when creating a new data share or receiving a new data share, it is because there are insufficient permissions to the storage account. The permission required is *Microsoft.Authorization/role assignments/write*, which exists in the storage owner role or can be assigned to a custom role. Even if you created the Storage account, it does NOT automatically make you the owner of the storage account. Follow these steps to grant yourself owner of the storage account. Alternatively, a custom role can be created with this permission that you can add yourself in to.
52
+
You need write permission to share or receive data from an Azure data store, which typically exists in the Contributor role.
48
53
49
-
1. Navigate to Storage account in Azure portal
50
-
1. Select **Access control (IAM)**
51
-
1. Click **Add**
52
-
1. Add yourself in as owner.
54
+
If this is the first time you are sharing or receiving data from the Azure data store, you also need *Microsoft.Authorization/role assignments/write* permission, which typically exists in the Owner role. Even if you created the Azure data store resource, it does NOT automatically make you the owner of the resource. With proper permission, Azure Data Share service automatically grants the data share resource's managed identity access to the data store. This process could take a few minutes to take effect. If you experience failure due to this delay, try again in a few minutes.
55
+
56
+
SQL-based sharing requires additional permissions. See Troubleshooting SQL-based sharing for details.
53
57
54
58
## Troubleshooting SQL-based sharing
55
59
56
-
"Error: x datasets were not added because you do not have the required permissions to share."
60
+
"User x does not exist in SQL database"
57
61
58
-
If you receive this error when adding a dataset from a SQL-based source, it may be because you did not create a user for the Azure Data Share MSI on your SQL Server. To resolve this issue, run the following script:
62
+
If you receive this error when adding a dataset from a SQL-based source, it may be because you did not create a user for the Azure Data Share managed identity on your SQL Server. To resolve this issue, run the following script:
59
63
60
64
```sql
61
-
create user <share_acct_name>from external provider;
Note that the *<share_acc_name>* is the name of your Data Share Account. If you have not created a Data Share account as yet, you can come back to this pre-requisite later.
68
+
If you receive this error when mapping dataset to a SQL-based target, it may be because you did not create a user for the Azure Data Share managed identity on your SQL Server. To resolve this issue, run the following script:
65
69
66
-
Ensure that you have followed all prerequisites listed in [Share your data](share-your-data.md) tutorial.
70
+
```sql
71
+
create user "<share_acc_name>"from external provider;
Note that the *<share_acc_name>* is the name of your Data Share resource.
77
+
78
+
Ensure that you have followed all prerequisites listed in [Share your data](share-your-data.md) and [accept and receive data](subscribe-to-data-share.md) tutorial.
79
+
80
+
## Snapshot failed
81
+
Snapshot could fail due to a variety of reasons. You can find detailed error message by clicking on the start time of the snapshot and then the status of each dataset.
82
+
83
+
If the error message is related to permission, verify Data Share service has the required permission. See [Roles and requirements](concepts-roles-permissions.md) for details. If this is the first time you are taking a snapshot, it could take a few minutes for Data Share resource to be granted access to the Azure data store. Wait for a few minutes and try again.
67
84
68
85
## Next steps
69
86
70
-
To learn how to start sharing data, continue to the [share your data](share-your-data.md) tutorial.
87
+
To learn how to start sharing data, continue to the [share your data](share-your-data.md) tutorial.
88
+
89
+
To learn how to receive data, continue to the [accept and receive data](subscribe-to-data-share.md) tutorial.
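Review bot: Reason 1 now ends with "You'll need to have the Azure Contributor role to complete these steps.", and the unchanged line directly after the bullet list says the same thing with the link to the Contributor RBAC role, so the requirement appears twice; drop the new unlinked sentence. In reason 2, "it maybe because" should be "it may be because". Reason 3 replaces the removed [!IMPORTANT] note but loses its link to how-to-configure-mapping.md, and "See Troubleshooting SQL-based sharing for details." is not linked to the section below it. In the added script line, `create user "<share_acc_name>"from external provider;` is missing a space before `from`.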
articles/data-share/how-to-configure-mapping.md
Lines changed: 3 additions & 3 deletions
@@ -9,7 +9,7 @@ ms.date: 07/10/2019
9
9
---
10
10
# How to configure a dataset mapping for a received share in Azure Data Share
11
11
12
-
This article explains how to configure a dataset mapping for a Received Share using Azure Data Share. You'll want to do this if you accepted a data share invitation but opted to "Accept and configure later". You may want to configure a dataset mapping if you need to change the destination for data being shared with you, or if you want to receive data into a SQL Server.
12
+
This article explains how to configure a dataset mapping for a Received Share using Azure Data Share. You'll want to do this if you accepted a data share invitation but opted to "Accept and configure later", or if data is shared in-place. You may want to configure a dataset mapping if you need to change the destination for data being shared with you, or if you want to receive data into a SQL Server.
13
13
14
14
## Navigate to a received data share
15
15
@@ -21,9 +21,9 @@ Check the box next to the dataset you'd like to assign a destination to. Select
21
21
22
22

23
23
24
-
## Select a new destination store
24
+
## Select a new target store
25
25
26
-
Select a target data type that you'd like the data to land in. Note that any data that already exists in any previously mapped storage accounts will not be automatically moved to the new destination.
26
+
Select a target data type that you'd like the data to land in. For snapshot-based sharing, any data that already exists in any previously mapped storage accounts will not be automatically moved to the new target store. For in-place sharing, select a data store in the Location specified. The Location is the Azure data center where data provider's source data store is located at.
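Review bot: The heading becomes "Select a new target store", but the unchanged text around it still says "destination" (the preceding step's "assign a destination to" shown in the hunk header, and "change the destination" in the intro paragraph edited in the previous hunk), so the article now uses two terms for the same thing; pick one and apply it throughout. In the added text, "where data provider's source data store is located at" should drop the trailing "at", and the sentence "For in-place sharing, select a data store in the Location specified" should say plainly whether a target in a different location is rejected.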
articles/data-share/overview.md
Lines changed: 10 additions & 8 deletions
@@ -31,7 +31,7 @@ Another use case for Azure Data Share is establishing a data consortium. For exa
31
31
32
32
## How it works
33
33
34
-
Azure Data Share currently offers snapshot-based sharing and in-place sharing (in limited preview).
34
+
Azure Data Share currently offers snapshot-based sharing and in-place sharing.
35
35
36
36
In snapshot-based sharing, data moves from the data provider's Azure subscription and lands in the data consumer's Azure subscription. As a data provider, you provision a data share and invite recipients to the data share. Data consumers receive an invitation to your data share via e-mail. Once a data consumer accepts the invitation, they can trigger a full snapshot of the data shared with them. This data is received into the data consumers storage account. Data consumers can receive regular, incremental updates to the data shared with them so that they always have the latest version of the data.
37
37
@@ -41,7 +41,7 @@ Data providers can offer their data consumers incremental updates to the data sh
41
41
42
42
When a data consumer accepts a data share, they are able to receive the data in a data store of their choice. For example, if the data provider shares data using Azure Blob Storage, the data consumer can receive this data in Azure Data Lake Store. Similarly, if the data provider shares data from an Azure SQL Data Warehouse, the data consumer can choose whether they want to receive the data into an Azure Data Lake Store, an Azure SQL Database or an Azure SQL Data Warehouse. In the case of sharing from SQL-based sources, the data consumer can also choose whether they receive data in parquet or csv.
43
43
44
-
In-place sharing is currently in limited preview for Azure Data Explorer. Data providers are able to share data where it resides, with no data movement via a symbolic link. Sign up for the limited preview of Azure Data Explorer in-place sharing [here](https://aka.ms/azuredatasharepreviewsignup).
44
+
With in-place sharing, data providers can share data where it resides without copying the data. After sharing relationship is established through the invitation flow, a symbolic link is created between the data provider's source data store and the data consumer's target data store. Data consumer can read and query the data in real time using its own data store. Changes to the source data store is available to the data consumer immediately. In-place sharing is currently in preview for Azure Data Explorer.
45
45
46
46
## Key capabilities
47
47
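Review bot: In the added in-place sharing paragraph, "Changes to the source data store is available" has a subject-verb mismatch (it should be "are available"), and "After sharing relationship is established" and "Data consumer can read" are missing articles. Because this paragraph now tells readers that the consumer reads and queries the provider's data in real time, it should also say how the provider ends that access, or link to where that is documented.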
@@ -51,6 +51,8 @@ Azure Data Share enables data providers to:
51
51
52
52
* Keep track of who you have shared your data with
53
53
54
+
* Choice of snapshot or in-place sharing
55
+
54
56
* How frequently your data consumers are receiving updates to your data
55
57
56
58
* Allow your customers to pull the latest version of your data as needed, or allow them to automatically receive incremental changes to your data at an interval defined by you
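Review bot: The new bullet "Choice of snapshot or in-place sharing" is a noun phrase under the lead-in "Azure Data Share enables data providers to:", and it is inserted between "Keep track of who you have shared your data with" and "How frequently your data consumers are receiving updates to your data", splitting two items that read together. Reword it as a verb phrase (for example "Choose between snapshot and in-place sharing") and move it above or below that pair.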
@@ -63,13 +65,13 @@ Azure Data Share enables data consumers to:
63
65
64
66
* Accept or reject an Azure Data Share invitation
65
67
66
-
*Trigger a full or incremental snapshot of a Data Share that an organization has shared with you
68
+
*Accept data shared with you into a [supported data store](supported-data-stores.md).
67
69
68
-
*Subscribe to a Data Share to receive the latest copy of the data through incremental snapshot copy
70
+
*Trigger a full or incremental snapshot of a Data Share that an organization has shared with you
69
71
70
-
*Accept data shared with you into a [supported data store](supported-data-stores.md).
72
+
*Subscribe to a data share to receive the latest copy of the data through incremental snapshot
71
73
72
-
All key capabilities listed above are supported through the Azure or via REST APIs. For more details on using Azure Data Share through REST APIs, check out our reference documentation.
74
+
All key capabilities listed above are supported through the Azure portal or via REST APIs. For more details on using Azure Data Share through REST APIs, check out our reference documentation.
73
75
74
76
## Security
75
77
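Review bot: The three reordered bullets begin "*Accept", "*Trigger" and "*Subscribe" with no space after the asterisk, unlike the context line "* Accept or reject an Azure Data Share invitation", so Markdown will not render them as list items. Add the space while these lines are being touched. The changed closing sentence also still points to "our reference documentation" without a link.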
@@ -82,9 +84,9 @@ Azure Data Share leverages Managed Identities for Azure Resources (previously kn
82
84
83
85
## Supported regions
84
86
85
-
For a list of Azure regions that make Azure Data Share available, please refer to the [products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=data-share/) page and search for Azure Data Share.
87
+
For a list of Azure regions that make Azure Data Share available, please refer to the [products available by region](https://azure.microsoft.com/global-infrastructure/services/?products=data-share) page and search for Azure Data Share.
86
88
87
-
Azure Data Share does not store any data itself. The data is stored in the underlying data store that is being shared. For example, if a data producer stores their data in an Azure Data Lake Store account located in West US, that is where the data is stored. If they are sharing data with an Azure Storage account located in West Europe, the data is transferred directly to the Azure Storage account located in West Europe.
89
+
Azure Data Share does not store a copy of the data itself. The data is stored in the underlying data store that is being shared. For example, if a data producer stores their data in an Azure Data Lake Store account located in West US, that is where the data is stored. If they are sharing data with an Azure Storage account located in West Europe via snapshot, typically the data is transferred directly to the Azure Storage account located in West Europe.
88
90
89
91
The Azure Data Share service does not have to be available in your region to leverage the service. For example, if you have data stored in an Azure Storage account located in a region where Azure Data Share is not yet available, you can still leverage the service to share your data.
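Review bot: The added "typically" in "typically the data is transferred directly to the Azure Storage account located in West Europe" weakens a data-residency statement without saying what the exception is. Either name the cases in which data is not transferred directly, or drop the qualifier. The reworded "does not store a copy of the data itself" has the same problem: it leaves open what the service does store, which readers assessing residency will want spelled out.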
articles/data-share/share-your-data.md
Lines changed: 23 additions & 14 deletions
@@ -16,7 +16,7 @@ In this tutorial, you'll learn how to:
16
16
> [!div class="checklist"]
17
17
> * Create a Data Share.
18
18
> * Add datasets to your Data Share.
19
-
> * Enable a synchronization schedule for your Data Share.
19
+
> * Enable a snapshot schedule for your Data Share.
20
20
> * Add recipients to your Data Share.
21
21
22
22
## Prerequisites
@@ -27,27 +27,36 @@ In this tutorial, you'll learn how to:
27
27
### Share from a storage account:
28
28
29
29
* An Azure Storage account: If you don't already have one, you can create an [Azure Storage account](https://docs.microsoft.com/azure/storage/common/storage-quickstart-create-account)
30
-
* Permission to add role assignment to the storage account, which is present in the *Microsoft.Authorization/role assignments/write* permission. This permission exists in the owner role.
30
+
* Permission to write to the storage account, which is present in *Microsoft.Storage/storageAccounts/write*. This permission exists in the Contributor role.
31
+
* Permission to add role assignment to the storage account, which is present in *Microsoft.Authorization/role assignments/write*. This permission exists in the Owner role.
32
+
31
33
32
34
### Share from a SQL-based source:
33
35
34
-
* An Azure SQL Database or Azure SQL Data Warehouse with tables and views that you want to share.
36
+
* An Azure SQL Database or Azure Synapse Analytics (formerly Azure SQL Data Warehouse) with tables and views that you want to share.
37
+
* Permission to write to the databases on SQL server, which is present in *Microsoft.Sql/servers/databases/write*. This permission exists in the Contributor role.
35
38
* Permission for the data share to access the data warehouse. This can be done through the following steps:
36
39
1. Set yourself as the Azure Active Directory Admin for the server.
37
40
1. Connect to the Azure SQL Database/Data Warehouse using Azure Active Directory.
38
-
1. Use Query Editor (preview) to execute the following script to add the Data Share MSI as a db_owner. You must connect using Active Directory and not SQL Server authentication.
41
+
1. Use Query Editor (preview) to execute the following script to add the Data Share resource Managed Identity as a db_datareader. You must connect using Active Directory and not SQL Server authentication.
39
42
40
43
```sql
41
-
create user <share_acct_name>from external provider;
Note that the *<share_acc_name>* is the name of your Data Share Account. If you have not created a Data Share account as yet, you can come back to this pre-requisite later.
47
+
Note that the *<share_acc_name>* is the name of your Data Share resource. If you have not created a Data Share resource as yet, you can come back to this pre-requisite later.
48
+
49
+
* An [Azure SQL Database User with 'db_datareader' access](https://docs.microsoft.com/azure/sql-database/sql-database-manage-logins#non-administrator-users) to navigate and select the tables and/or views you wish to share.
45
50
46
-
* An [Azure SQL Database User with `db_owner` access](https://docs.microsoft.com/azure/sql-database/sql-database-manage-logins#non-administrator-users) to navigate and select the tables and/or views you wish to share.
51
+
* Client IP SQL Server Firewall access. This can be done through the following steps:
52
+
1. In SQL server in Azure portal, navigate to *Firewalls and virtual networks*
53
+
1. Click the **on** toggle to allow access to Azure Services.
54
+
1. Click **+Add client IP** and click **Save**. Client IP address is subject to change. You can also add an IP range.
47
55
48
-
* Client IP SQL Server Firewall access: This can be done through the following steps:
49
-
1. Navigate to *Firewalls and Virtual Networks*
50
-
1. Click the **on** toggle to allow access to Azure Services.
56
+
### Share from Azure Data Explorer
57
+
* An Azure Data Explorer cluster with databases you want to share.
58
+
* Permission to write to Azure Data Explorer cluster, which is present in *Microsoft.Kusto/clusters/write*. This permission exists in the Contributor role.
59
+
* Permission to add role assignment to the Azure Data Explorer cluster, which is present in *Microsoft.Authorization/role assignments/write*. This permission exists in the Owner role.
51
60
52
61
## Sign in to the Azure portal
53
62
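Review bot: The role-assignment prerequisites for the storage account and for the Azure Data Explorer cluster name the operation as *Microsoft.Authorization/role assignments/write*, with a space, unlike the other operations in this hunk (*Microsoft.Storage/storageAccounts/write*, *Microsoft.Kusto/clusters/write*). Write it as `Microsoft.Authorization/roleAssignments/write` so a reader can match it against a role definition. In the SQL steps, the note after the script refers to *<share_acc_name>*, while the `create user` line being replaced used `<share_acct_name>` (and had no space before `from`); use one spelling in both the script and the note. The step text now grants `db_datareader` instead of `db_owner`, so confirm that the script lines, which are not shown here, grant the same role.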
@@ -87,7 +96,7 @@ Create an Azure Data Share resource in an Azure resource group.
87
96
88
97
1. Select **Create**.
89
98
90
-
1. Fill out the details for your Data Share. Specify a name, description of share contents, and terms of use (optional).
99
+
1. Fill out the details for your Data Share. Specify a name, share type, description of share contents, and terms of use (optional).
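Review bot: The added "share type" field in the details step is not explained where it is introduced; the possible values (snapshot or in-place) only appear later, in the dataset step. Name the two options here, for example "share type (snapshot or in-place)", so the reader knows what to pick before that choice determines the dataset list.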
@@ -97,7 +106,7 @@ Create an Azure Data Share resource in an Azure resource group.
97
106
98
107

99
108
100
-
1. Select the dataset type that you would like to add. If sharing from an Azure SQL Database or Azure SQL Datawarehouse, you will be prompted for some SQL credentials. Authenticate using the user you created as part of the prerequisites.
109
+
1. Select the dataset type that you would like to add. You will see a different list of dataset types depending on the share type (snapshot or in-place) you have selected in the previous step. If sharing from an Azure SQL Database or Azure SQL Data Warehouse, you will be prompted for some SQL credentials. Authenticate using the user you created as part of the prerequisites.
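Review bot: The rewritten dataset step still says "Azure SQL Data Warehouse", while the prerequisites changed in this same commit call it "Azure Synapse Analytics (formerly Azure SQL Data Warehouse)"; use the new name here too. "Authenticate using the user you created as part of the prerequisites" would also be clearer if it named the `db_datareader` database user, since the prerequisites now list both that user and the Data Share resource's managed identity.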
articles/data-share/subscribe-to-data-share.md
49 additions & 36 deletions
@@ -28,94 +28,107 @@ Ensure that all pre-requisites are complete before accepting a data share invita
28
28
### Receive data into a storage account:
29
29
30
30
* An Azure Storage account: If you don't already have one, you can create an [Azure Storage account](https://docs.microsoft.com/azure/storage/common/storage-quickstart-create-account).
31
-
* Permission to add role assignment to the storage account, which is present in the *Microsoft.Authorization/role assignments/write* permission. This permission exists in the owner role.
31
+
* Permission to write to the storage account, which is present in *Microsoft.Storage/storageAccounts/write*. This permission exists in the Contributor role.
32
+
* Permission to add role assignment to the storage account, which is present in *Microsoft.Authorization/role assignments/write*. This permission exists in the Owner role.
32
33
* Resource Provider registration for Microsoft.DataShare. See the [Azure Resource Providers](https://docs.microsoft.com/azure/azure-resource-manager/resource-manager-supported-services) documentation for information on how to do this.
33
34
34
35
> [!IMPORTANT]
35
36
> To accept and receive an Azure Data Share, you must first register the Microsoft.DataShare resource provider and you must be an owner of the storage account that you accept data into. Follow the instructions documented in [Troubleshoot Azure Data Share](data-share-troubleshoot.md) to register the data share resource provider as well as add yourself as an owner of the storage account.
36
37
37
38
### Receive data into a SQL-based source:
38
39
39
-
* Permission for the data share MSI to access the Azure SQL Database or Azure SQL Data Warehouse. This can be done through the following steps:
40
+
* Permission to write to databases on the SQL server, which is present in *Microsoft.Sql/servers/databases/write*. This permission exists in the Contributor role.
41
+
* Permission for the data share resource's managed identity to access the Azure SQL Database or Azure SQL Data Warehouse. This can be done through the following steps:
40
42
1. Set yourself as the Azure Active Directory Admin for the server.
41
43
1. Connect to the Azure SQL Database/Data Warehouse using Azure Active Directory.
42
-
1. Use Query Editor (preview) to execute the following script to add the Data Share MSI as a db_owner. You must connect using Active Directory and not SQL Server authentication.
44
+
1. Use Query Editor (preview) to execute the following script to add the Data Share Managed Identity as a db_owner. You must connect using Active Directory and not SQL Server authentication.
43
45
44
46
```sql
45
-
create user <share_acct_name>from external provider;
Note that the *<share_acc_name>* is the name of your Data Share Account. If you have not created a Data Share account as yet, you can come back to this pre-requisite later.
52
+
Note that the *<share_acc_name>* is the name of your Data Share resource. If you have not created a Data Share resource as yet, you can come back to this pre-requisite later.
49
53
50
-
* Client IP SQL Server Firewall access: This can be done through the following steps:
51
-
1. Navigate to *Firewalls and Virtual Networks*
52
-
1. Click the **on** toggle to allow access to Azure Services.
54
+
* Client IP SQL Server Firewall access. This can be done through the following steps:
55
+
1. In SQL server in Azure portal, navigate to *Firewalls and virtual networks*
56
+
1. Click the **on** toggle to allow access to Azure Services.
57
+
1. Click **+Add client IP** and click **Save**. Client IP address is subject to change. This process might need to be repeated the next time you are sharing SQL data from Azure portal. You can also add an IP range.
53
58
54
-
Once these pre-requisites are complete, you are ready to receive data into your SQL Server.
59
+
60
+
### Receive data into an Azure Data Explorer cluster:
61
+
62
+
* An Azure Data Explorer cluster in the same Azure data center as the data provider's Data Explorer cluster: If you don't already have one, you can create an [Azure Data Explorer cluster](https://docs.microsoft.com/azure/data-explorer/create-cluster-database-portal). If you don't know the Azure data center of the data provider's cluster, you can create the cluster later in the process.
63
+
* Permission to write to the Azure Data Explorer cluster, which is present in *Microsoft.Kusto/clusters/write*. This permission exists in the Contributor role.
64
+
* Permission to add role assignment to the Azure Data Explorer cluster, which is present in *Microsoft.Authorization/role assignments/write*. This permission exists in the Owner role.
55
65
56
66
## Sign in to the Azure portal
57
67
58
68
Sign in to the [Azure portal](https://portal.azure.com/).
59
69
60
70
## Open invitation
61
71
62
-
Check your inbox for an invitation from your data provider. The invitation is from Microsoft Azure, titled **Azure Data Share invitation from <yourdataprovider@domain.com>**. Take note of the share name to ensure you're accepting the correct share if there are multiple invitations.
72
+
1.Check your inbox for an invitation from your data provider. The invitation is from Microsoft Azure, titled **Azure Data Share invitation from <yourdataprovider@domain.com>**. Take note of the share name to ensure you're accepting the correct share if there are multiple invitations.
63
73
64
-
Select on **View invitation** to see your invitation in Azure. This takes you to your Received Shares view.
74
+
1.Select on **View invitation** to see your invitation in Azure. This takes you to your Received Shares view.
65
75
66
-

76
+

67
77
68
78
Select the share you would like to view.
69
79
70
80
## Accept invitation
71
-
Make sure all fields are reviewed, including the **Terms of Use**. If you agree to the terms of use, you'll be required to check the box to indicate you agree.
81
+
1. Make sure all fields are reviewed, including the **Terms of Use**. If you agree to the terms of use, you'll be required to check the box to indicate you agree.
82
+
83
+

72
84
73
-

85
+
1. Under *Target Data Share Account*, select the Subscription and Resource Group that you'll be deploying your Data Share into.
74
86
75
-
Under *Target Data Share Account*, select the Subscription and Resource Group that you'll be deploying your Data Share into.
87
+
For the **Data Share Account** field, select **Create new** if you don't have an existing Data Share account. Otherwise, select an existing Data Share account that you'd like to accept your data share into.
76
88
77
-
For the **Data Share Account** field, select **Create new** if you don't have an existing Data Share account. Otherwise, select an existing Data Share account that you'd like to accept your data share into.
89
+
For the **Received Share Name** field, you may leave the default specified by the data provide, or specify a new name for the received share.
78
90
79
-
For the *Received Share Name* field, you may leave the default specified by the Data Provide, or specify a new name for the received share.
91
+

80
92
81
-

93
+
1. Once you've agreed to the terms of use and specified a location for your share, Select on *Accept and Configure*. A share subscription will be created.
82
94
83
-
Once you've agreed to the terms of use and specified a location for your share, Select on *Accept and Configure*. If you chose this option, a share subscription will be created and the next screen will ask you to select a target storage account for your data to be copied into.
95
+
For snapshot-based sharing, the next screen will ask you to select a target storage account for your data to be copied into.
If you prefer to accept the invitation now but configure your storage at a later time, Select *Accept and Configure later*. This option allows you to configure your target storage account later. To continue configuring your storage later, see [how to configure your storage account](how-to-configure-mapping.md) page for detailed steps on how to resume your data share configuration.
99
+
If you prefer to accept the invitation now but configure your target data store at a later time, Select *Accept and Configure later*. To continue configuring your storage later, see [configure dataset mappings](how-to-configure-mapping.md) page for detailed steps on how to resume your data share configuration.
88
100
89
-
If you don't want to accept the invitation, Select *Reject*.
101
+
For in-place sharing, see [configure dataset mappings](how-to-configure-mapping.md) page for detailed steps on how to resume your data share configuration.
102
+
103
+
If you don't want to accept the invitation, Select *Reject*.
90
104
91
105
## Configure storage
92
-
Under *Target Storage Settings*, select the Subscription, Resource group, and storage account that you'd like to receive your data into.
106
+
1.Under *Target Storage Settings*, select the Subscription, Resource group, and storage account that you'd like to receive your data into.
To receive regular refreshes of your data, make sure you enable the snapshot settings. Note that you will only see a snapshot setting schedule if your data provider has included it in the data share.
110
+
1.To receive regular update of your data, make sure you enable the snapshot settings. Note that you will only see a snapshot setting schedule if your data provider has included it in the data share.
> If you are receiving SQL-based data and would like to receive that data into a SQL-based source, visit our [configure a dataset mapping](how-to-configure-mapping.md) how-to guide to learn how to configure a SQL Server as the destination for your dataset.
117
+
> If you are receiving SQL-based data and would like to receive that data into a SQL-based source, visit [configure a dataset mapping](how-to-configure-mapping.md) how-to guide to learn how to configure a SQL Server as the destination for your dataset.
104
118
105
119
## Trigger a snapshot
120
+
These steps only apply to snapshot-based sharing.
106
121
107
-
You can trigger a snapshot in the Received Shares -> Details tab by selecting **Trigger snapshot**. Here, you can trigger a full or incremental snapshot of your data. If it is your first time receiving data from your data provider, select full copy.
1. You can trigger a snapshot in the Received Shares -> Details tab by selecting **Trigger snapshot**. Here, you can trigger a full or incremental snapshot of your data. If it is your first time receiving data from your data provider, select full copy.
110
123
111
-
When the last run status is *successful*, open the storage account to view the received data.
To check which storage account you used, Select on **Datasets**.
126
+
1. When the last run status is *successful*, go to target data store to view the received data. Select **Datasets**, and click on the link in the Target Path.
To view a history of your snapshots, navigate to Received Shares -> History. Here you'll find a history of all snapshots that were generated for the past 60 days.
119
132
120
133
## Next steps
121
-
In this tutorial, you learnt how to accept and receive an Azure Data Share. To learn more about Azure Data Share concepts, continue to [Concepts: Azure Data Share Terminology](terminology.md).
134
+
In this tutorial, you learned how to accept and receive an Azure Data Share. To learn more about Azure Data Share concepts, continue to [Concepts: Azure Data Share Terminology](terminology.md).
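Review bot: In the SQL-based receive prerequisites, the script step still adds the Data Share managed identity as `db_owner`, while the provider-side step in this commit was narrowed to `db_datareader`. If receiving only needs to create and write the target tables, name the narrower roles here; if `db_owner` is really required, say why. Also, several added list items have no space after the marker (`1.Check your inbox`, `1.Select on`, `1.Under *Target Storage Settings*`), so they will not render as a numbered list, and "specified by the data provide" should read "data provider".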
| Azure Data Explorer ||[Limited preview](https://aka.ms/azuredatasharepreviewsignup)|
27
+
| Azure Data Explorer ||Public Preview|
28
28
29
29
## Data store support matrix
30
30
31
31
Azure Data Share offers data consumers flexibility when deciding on a data store to accept data in to. For example, data being shared from Azure SQL Database can be received into Azure Data Lake Store Gen2, Azure SQL Database or Azure Synapse Analytics. Customers can choose which format to receive data in when configuring a received data share.
32
32
33
33
The below table details different combinations and choices that data consumers have when accepting and configuring their data share. For more information on how to configure dataset mappings, see [how to configure dataset mappings](how-to-configure-mapping.md).
34
34
35
-
| | Azure Blob Storage | Azure SQL Data Lake Gen1 | Azure SQL Data Lake Gen2 | Azure SQL Database | Azure Synapse Analytics
35
+
| | Azure Blob Storage | Azure Data Lake Storage Gen1 | Azure Data Lake Storage Gen2 | Azure SQL Database | Azure Synapse Analytics
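Review bot: The corrected table header uses "Azure Data Lake Storage Gen1" and "Azure Data Lake Storage Gen2", but the paragraph above the table still says "Azure Data Lake Store Gen2". Align the prose with the header so the same store is not named two ways.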
Azure Data Share supports sharing of files, folders and file systems from Azure Data Lake Gen1 and Azure Data Lake Gen2. It also supports sharing of blobs, folders and containers from Azure Blob Storage. When folders are shared in snapshot-based sharing, data consumer can can choose to make a full copy of the share data, or leverage incremental snapshot capability to copy only new or updated files. Existing files with the same name will be overwritten.
45
+
46
+
## Share from a SQL-based source
47
+
Azure Data Share supports sharing of tables or views from Azure SQL Database and Azure Synapse Analytics (formerly Azure SQL DW). Data consumer can choose to accept the data into Azure Data Lake Storage Gen2 or Azure Blob Storage as csv or parquet file. Full snapshot overwrites the content of the target file. Alternatively, data consumer can accept the data into a SQL table. If the target SQL table is not available on the data consumer side, Azure Data Share creates the SQL table with the source schema. Full snapshot appends content of the source table to the target SQL table. Incremental snapshot is currently not supported.
48
+
49
+
## Share from Azure Data Explorer
50
+
Azure Data Share supports the ability to share databases in-place from Azure Data Explorer clusters. Data provider can share at the database or cluster level. When shared at database level, data consumer will only be able to access the specific database(s) shared by the data provider. When shared at cluster level, data consumer can access all the databases from the provider's cluster, including any future databases created by the data provider.
51
+
52
+
To access shared databases, data consumer needs to have its own Azure Data Explorer cluster. Data consumer's Azure Data Explorer cluster needs to locate in the same Azure data center as the data provider's Azure Data Explorer cluster. When sharing relationship is established, Azure Data Share creates a symbolic link between the provider and consumer's Azure Data Explorer clusters.
53
+
54
+
Azure Data Explorer supports two modes of data ingestion: batch and streaming. Data received from batch in the shared database will appear between a few seconds to a few minutes on the data consumer side. Data received from streaming could take up to 24 hours to appear on the data consumer side.
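Review bot: The Azure Data Explorer section states that cluster-level sharing gives the consumer "all the databases from the provider's cluster, including any future databases", without flagging what that means for the provider: a database created later is exposed with no further action. Add a sentence advising providers to share at database level unless they intend every current and future database to be visible. In the SQL section, "Full snapshot appends content of the source table to the target SQL table" means a repeated full snapshot would add the same rows again; say so next to the file-target behaviour, which overwrites. Minor: "needs to locate in the same Azure data center" should read "needs to be located in".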