azureazure-data-factory

ADF difference in rights /sandbox/action /sandbox/create/action /sandbox/run/action


Microsoft lists the following similar looking rights (https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/analytics):

Action Description
Microsoft.DataFactory/factories/pipelines/sandbox/action Creates a debug run environment for the Pipeline.
Microsoft.DataFactory/factories/pipelines/sandbox/create/action Creates a debug run environment for the Pipeline.
Microsoft.DataFactory/factories/pipelines/sandbox/run/action Creates a debug run for the Pipeline.

Does anybody know the difference or where I can find this sort of information?


Solution

    1. Microsoft.DataFactory/factories/pipelines/sandbox/action: This permission allows you to create a debug run environment for the pipeline. It's a general permission for setting up a sandbox environment where you can test and debug your pipeline.

    2. Microsoft.DataFactory/factories/pipelines/sandbox/create/action: This permission specifically allows you to create a debug run environment for the pipeline.

    3. Microsoft.DataFactory/factories/pipelines/sandbox/run/action: This permission allows you to create a debug run for the pipeline. It focuses on actually running the pipeline in the sandbox environment, rather than just setting it up.

    As your requirement is to allow to start a debug run only. In that case, you should use the permission Microsoft.DataFactory/factories/pipelines/sandbox/run/action. This permission allows you to create a debug run for the pipeline, focusing specifically on running the pipeline in the sandbox environment, without granting unnecessary rights to set up or create the debug environment.