Empower Access Details

User Access Requirements

Infrastructure Engineer

Owner access on each Empower subscription is preferred. Owner access is not strictly required, but if the infrastructure engineer has only Contributor access, the customer's admin team will need to handle the following tasks:

  • Enabling subscription resource providers. This only needs to be done once at the start of the project. In the rare case that a new Azure resource type is added to the product, the corresponding Azure resource provider will also need to be enabled.
  • Managing quota amounts for Azure VMs. Quotas are managed at the subscription level and are necessary for Databricks functionality. This may need to be done infrequently.
  • Managing access for Hitachi employees with guest or member accounts in Empower-related subscriptions. This may need to be done infrequently.

Implementation Team

This team should be restricted to Contributor access on the Empower resource groups. They may also need Storage Blob Data Contributor access on each storage account.

Empower-Service Requirements

Access Details

Why does the Empower-Service require these permissions? Is it secure?

Permission | What it does | Why it's needed
--- | --- | ---
Application.ReadWrite.OwnedBy | This allows the Empower Service to deploy and manage its own service principals, but not to access or modify any other principals in the organization. | Empower manages service principals to operate the data estate. This includes principals that allow services like Databricks to connect to other Azure components. This access is required because we regularly deploy components that require separate SPs for best security. Administrators can remove all SPs created by the Empower Service with a simple query (or we can do the same).
User.Read.All, Directory.Read.All, Group.Read.All | This allows the Empower Service to know which users, groups, and services are in your tenant. | These permissions allow the system to understand who is in the tenant, so that users can grant access to others and the system can validate who has access to our APIs.

Child Service Principals

The Empower-Service service principal will need to create and manage the following child service principals.

Name | Quantity | Purpose
--- | --- | ---
Empower-MonitorAgent | 1 | Used by the Managed Services team to monitor the Empower project
Empower-{company name}-{environment name}-PowerBI | 1 per environment | Allows Power BI to pull data from the Empower Databricks workspace
Empower-{company name}-{environment name}-Api | 1 per environment | Allows the Empower API to interact with Empower resources such as key vaults and data factories
Empower-{company name}-{environment name}-Databricks | 1 per environment | Allows the Databricks workspace to read from and write to the storage account

Service Principal Access Assignments

The following roles will be applied to service principals and managed identities upon Empower deployment.

RBAC

Service Principal | Roles | Scope | Purpose
--- | --- | --- | ---
Empower Datafactory Managed Identity | Datafactory Contributor | Empower Datafactory | Allows the Empower datafactory to call its own pipelines.
Empower Datafactory Managed Identity | Storage Blob Data Contributor | Empower Datalake | Allows the Empower datafactory to access the datalake.
Client Datafactory Managed Identity | Storage Blob Data Contributor | Empower Datalake | Allows the client datafactory to access the datalake.
Empower-{company name}-{environment name}-Api | Datafactory Contributor | Empower Datafactory | Allows the API to call datafactory pipelines.
Empower-{company name}-{environment name}-Api | Reader | Empower Resource Group | Allows the API to see the resources in the environment.
Empower-{company name}-{environment name}-Databricks | Storage Blob Data Contributor | Empower Datalake | Allows Databricks to access the datalake.
Empower-{company name}-{environment name}-Databricks | Reader | Empower Keyvault | Allows Databricks to see the keyvault.
Empower-MonitorAgent | Reader | Empower Resource Group | Allows the logging agent to read Empower resources.
Access Connector Managed Identity | Storage Blob Data Contributor | Empower Datalake | Allows the Databricks workspace to read from the catalog using the associated storage credential.
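The RBAC table above is a least-privilege contract, and drift from it in either direction (a missing assignment breaks the product; an extra one widens the blast radius of a compromised principal) is worth checking after every deployment. The following is an added example, not Empower's own tooling: it transcribes the table into an expected matrix and audits a role-assignment export shaped like `az role assignment list -o json` against it. The company/environment values ("contoso"/"dev"), resource names, and the use of the table's labels as managed-identity principal names are assumptions; the sample export is constructed.

```python
import json

# ARM resource-type segment -> scope label used in the RBAC table above.
SCOPE_TYPES = {"Microsoft.DataFactory/factories": "Empower Datafactory",
               "Microsoft.Storage/storageAccounts": "Empower Datalake",
               "Microsoft.KeyVault/vaults": "Empower Keyvault"}

def scope_label(scope):
    """Map an ARM scope ID to one of the table's scope labels."""
    for segment, label in SCOPE_TYPES.items():
        if f"/providers/{segment}/" in scope:
            return label
    if "/resourceGroups/" in scope and "/providers/" not in scope:
        return "Empower Resource Group"
    return "OTHER"  # subscription-wide or foreign scope: always flagged as unexpected

def expected_matrix(company, env):
    """(principal, role, scope) triples transcribed from the RBAC table."""
    api = f"Empower-{company}-{env}-Api"
    dbx = f"Empower-{company}-{env}-Databricks"
    adf_mi, client_mi = "Empower Datafactory Managed Identity", "Client Datafactory Managed Identity"
    return {
        (adf_mi, "Data Factory Contributor", "Empower Datafactory"),   # Azure name of "Datafactory Contributor"
        (adf_mi, "Storage Blob Data Contributor", "Empower Datalake"),
        (client_mi, "Storage Blob Data Contributor", "Empower Datalake"),
        (api, "Data Factory Contributor", "Empower Datafactory"),
        (api, "Reader", "Empower Resource Group"),
        (dbx, "Storage Blob Data Contributor", "Empower Datalake"),
        (dbx, "Reader", "Empower Keyvault"),
        ("Empower-MonitorAgent", "Reader", "Empower Resource Group"),
        ("Access Connector Managed Identity", "Storage Blob Data Contributor", "Empower Datalake"),
    }

def audit(assignments_json, company, env):
    """Return (missing, unexpected): drift in both directions from the expected matrix."""
    actual = {(a["principalName"], a["roleDefinitionName"], scope_label(a["scope"]))
              for a in json.loads(assignments_json)}
    expected = expected_matrix(company, env)
    return expected - actual, actual - expected

# Constructed sample shaped like `az role assignment list -o json` output (assumed names/IDs).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-empower-dev"
SAMPLE = json.dumps([
    {"principalName": "Empower-contoso-dev-Api", "roleDefinitionName": "Reader", "scope": RG},
    {"principalName": "Empower-contoso-dev-Api", "roleDefinitionName": "Data Factory Contributor",
     "scope": RG + "/providers/Microsoft.DataFactory/factories/adf-empower-dev"},
    {"principalName": "Empower-contoso-dev-Databricks", "roleDefinitionName": "Storage Blob Data Contributor",
     "scope": RG + "/providers/Microsoft.Storage/storageAccounts/stempowerdev"},
    # Drift: the Databricks SP holds Contributor on the whole resource group (over-privileged).
    {"principalName": "Empower-contoso-dev-Databricks", "roleDefinitionName": "Contributor", "scope": RG},
])
```

Calling `audit(SAMPLE, "contoso", "dev")` on the constructed sample reports the six assignments the sample never granted as missing and the resource-group Contributor grant on the Databricks principal as unexpected.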

KVAP (Key Vault Access Policies)

Service Principal | Permissions | Scope | Purpose
--- | --- | --- | ---
Empower Datafactory Managed Identity | Get, Set, List | Secrets in the Empower keyvault | Allows the Empower datafactory to read and create secrets in the keyvault
Empower-{company name}-{environment name}-Api | Get, Set, List, Delete, Recover | Secrets in the Empower keyvault | Allows the Empower API to manage secrets in the keyvault
Empower-Service | Get, Set, List, Delete, Recover | Secrets in the Empower keyvault | Allows the deployment service principal to manage secrets in the keyvault