Empower Access Details
User Access Requirements
Infrastructure Engineer
Owner access on each Empower subscription is preferred. Owner is not strictly required, but if the infrastructure engineer only has Contributor access, the customer's admin team will need to handle the following subscription-level tasks:
- Registering subscription resource providers. This only needs to be done once at the start of the project. In the rare case that a new Azure resource type is added to the product, the corresponding resource provider will also need to be registered.
- Managing quota for Azure VMs. Quotas are set at the subscription level (per region and VM family), and Databricks clusters cannot start without sufficient quota for their VM SKUs. This may need to be done infrequently.
- Managing access for Hitachi employees with guest or member accounts in Empower-related subscriptions. This may need to be done infrequently.
Implementation Team
This team should be restricted to Contributor access on the Empower resource groups. They may also need Storage Blob Data Contributor on each storage account, because Contributor covers the control plane only and does not grant access to blob contents.
Empower-Service Requirements
Access Details
Why does the Empower-Service require these permissions? Is it secure?
Permission | What it does | Why it's needed |
---|---|---|
Application.ReadWrite.OwnedBy | Lets the Empower Service create service principals and manage the ones it owns, but not read or modify any other application or principal in the tenant. | Empower creates service principals to operate the data estate, for example the principal Databricks uses to connect to other Azure components. Components are deployed regularly, and each gets its own SP rather than sharing credentials. Because every principal the service creates is owned by the Empower-Service principal, administrators can enumerate them (the owned objects of that principal in Microsoft Graph) and remove them all with a single query, or Hitachi can do the same. |
User.Read.All, Directory.Read.All, Group.Read.All | Lets the Empower Service read the users, groups, and service principals in your tenant. It cannot modify any of them. | The system needs to know who is in the tenant so that users can grant access to others, and so that it can validate which identities are allowed to call its APIs. |
Child Service Principals
The Empower-Service service principal needs to create and manage the following child service principals.
Name | Quantity | Purpose |
---|---|---|
Empower-MonitorAgent | 1 | Used by the Managed Services team to monitor the Empower project |
Empower-{company name}-{environment name}-PowerBI | 1 per environment | Allows Power BI to pull data from the Empower Databricks workspace |
Empower-{company name}-{environment name}-Api | 1 per environment | Allows the Empower API to interact with Empower resources such as Key Vaults and Data Factories |
Empower-{company name}-{environment name}-Databricks | 1 per environment | Allows the Databricks workspace to read from and write to the storage account |
Service Principal Access Assignments
The following roles will be applied to service principals and managed identities upon Empower deployment.
RBAC
Service Principal | Roles | Scope | Purpose |
---|---|---|---|
Empower Datafactory Managed Identity | Data Factory Contributor | Empower Datafactory | Allows the Empower Data Factory to trigger its own pipelines. |
Empower Datafactory Managed Identity | Storage Blob Data Contributor | Empower Datalake | Allows the Empower Data Factory to read and write the data lake. |
Client Datafactory Managed Identity | Storage Blob Data Contributor | Empower Datalake | Allows the client's Data Factory to read and write the data lake. |
Empower-{company name}-{environment name}-Api | Data Factory Contributor | Empower Datafactory | Allows the API to trigger Data Factory pipelines. |
Empower-{company name}-{environment name}-Api | Reader | Empower Resource Group | Allows the API to see the resources in the environment. |
Empower-{company name}-{environment name}-Databricks | Storage Blob Data Contributor | Empower Datalake | Allows Databricks to read and write the data lake. |
Empower-{company name}-{environment name}-Databricks | Reader | Empower Keyvault | Allows Databricks to see the Key Vault (secret access itself is granted separately through the vault's access policies). |
Empower-MonitorAgent | Reader | Empower Resource Group | Allows the monitoring agent to read Empower resources. |
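The table above is the intended end state; checking that a deployed subscription still matches it is what an auditor or the customer's admin team actually wants to do. The following script is an added example, not Empower tooling. It reads the JSON that `az role assignment list --all -o json` emits, compares it with the matrix, and flags both missing assignments and anything extra granted to an Empower identity, rating as high severity any privileged built-in role (Owner, Contributor, User Access Administrator) or any scope wider than the Empower resource group. The subscription ID, resource names, company/environment values and the managed identity display names are assumptions, and a constructed sample is embedded so it runs without an Azure login.

```python
"""Audit the RBAC assignments on Empower principals against the matrix above.

Input is the JSON emitted by `az role assignment list --all -o json`. A constructed
sample is embedded so the script runs offline; the subscription ID, resource names
and the company/environment values are hypothetical.
"""
import json
import re
import subprocess
import sys

# Hypothetical deployment values (constructed for this example).
COMPANY, ENV = "contoso", "prod"
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = f"{SUB}/resourceGroups/rg-empower-{ENV}"
SCOPES = {
    "Empower Resource Group": RG,
    "Empower Datafactory": f"{RG}/providers/Microsoft.DataFactory/factories/adf-empower-{ENV}",
    "Empower Datalake": f"{RG}/providers/Microsoft.Storage/storageAccounts/stempower{ENV}",
    "Empower Keyvault": f"{RG}/providers/Microsoft.KeyVault/vaults/kv-empower-{ENV}",
}
# System-assigned managed identities are listed under the resource name (names assumed).
EMPOWER_ADF_MI, CLIENT_ADF_MI = f"adf-empower-{ENV}", f"adf-client-{ENV}"


def sp(suffix):
    """Child service principal name following the Empower-{company}-{environment}-X pattern."""
    return f"Empower-{COMPANY}-{ENV}-{suffix}"


def key(principal, role, scope):
    """Comparison key; Azure scopes are case-insensitive, so normalise them."""
    return (principal, role, scope.lower())


# Expected (principal, role, scope) triples, transcribed from the RBAC table.
EXPECTED = {
    key(EMPOWER_ADF_MI, "Data Factory Contributor", SCOPES["Empower Datafactory"]),
    key(EMPOWER_ADF_MI, "Storage Blob Data Contributor", SCOPES["Empower Datalake"]),
    key(CLIENT_ADF_MI, "Storage Blob Data Contributor", SCOPES["Empower Datalake"]),
    key(sp("Api"), "Data Factory Contributor", SCOPES["Empower Datafactory"]),
    key(sp("Api"), "Reader", SCOPES["Empower Resource Group"]),
    key(sp("Databricks"), "Storage Blob Data Contributor", SCOPES["Empower Datalake"]),
    key(sp("Databricks"), "Reader", SCOPES["Empower Keyvault"]),
    key("Empower-MonitorAgent", "Reader", SCOPES["Empower Resource Group"]),
}
EMPOWER_PRINCIPAL = re.compile(r"^(Empower-|adf-empower-|adf-client-)", re.IGNORECASE)
HIGH_PRIVILEGE = {"Owner", "Contributor", "User Access Administrator"}


def audit(assignments):
    """Compare live assignments with EXPECTED.

    Returns (missing, unexpected): missing lists expected keys that are absent;
    unexpected lists (key, severity) for assignments on Empower identities that the
    matrix does not authorise. Severity is "high" for a privileged built-in role or a
    scope wider than the Empower resource group, otherwise "low".
    """
    actual = {key(a["principalName"], a["roleDefinitionName"], a["scope"]) for a in assignments}
    missing = sorted(EXPECTED - actual)
    unexpected = []
    for k in sorted(actual - EXPECTED):
        principal, role, scope = k
        if not EMPOWER_PRINCIPAL.match(principal):
            continue  # not an Empower identity; out of scope for this check
        wide = scope != RG.lower() and not scope.startswith(RG.lower() + "/")
        unexpected.append((k, "high" if role in HIGH_PRIVILEGE or wide else "low"))
    return missing, unexpected


def _assignment(principal, role, scope):
    # Minimal shape of one `az role assignment list` record (constructed).
    return {"principalName": principal, "roleDefinitionName": role, "scope": scope,
            "principalType": "ServicePrincipal"}


# Constructed sample: everything from the table except the MonitorAgent Reader role,
# plus one drift item: the Databricks principal has been made subscription Contributor.
SAMPLE = [_assignment(*k) for k in EXPECTED if k[0] != "Empower-MonitorAgent"]
SAMPLE.append(_assignment(sp("Databricks"), "Contributor", SUB))


def load_live():
    """Fetch real assignments with the Azure CLI (requires `az login`)."""
    out = subprocess.run(["az", "role", "assignment", "list", "--all", "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)


if __name__ == "__main__":
    data = load_live() if "--live" in sys.argv else SAMPLE
    missing, unexpected = audit(data)
    for m in missing:
        print("MISSING   ", *m)
    for k, sev in unexpected:
        print(f"UNEXPECTED [{sev}]", *k)
    sys.exit(1 if missing or unexpected else 0)
```

Run it with `--live` after `az login` to audit a real subscription; the exit status is non-zero on any drift, so it can run as a scheduled job or a pipeline gate. Assignments are matched on display name, role name and scope, so a role granted at the right scope to the wrong principal shows up as one missing and one unexpected entry rather than being silently accepted.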
KVAP (Key Vault access policies)
Service Principal | Permissions | Scope | Purpose |
---|---|---|---|
Empower Datafactory Managed Identity | Get, Set, List | Secrets in the Empower Key Vault | Allows the Empower Data Factory to read and create secrets in the Key Vault. |
Empower-{company name}-{environment name}-Api | Get, Set, List, Delete, Recover | Secrets in the Empower Key Vault | Allows the Empower API to manage secrets in the Key Vault. |
Empower-Service | Get, Set, List, Delete, Recover | Secrets in the Empower Key Vault | Allows the deployment service principal to manage secrets in the Key Vault. |
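Access policies are the data-plane counterpart of the RBAC table and drift in the same ways: a principal picks up Purge or key/certificate permissions it never needed, or an object ID that is not in the table at all appears with secret permissions. The script below is an added example (not Empower's own tooling) that checks the `properties.accessPolicies` array from `az keyvault show -n <vault> -o json` against this table. Access policies are keyed by object ID rather than display name, so the script carries an object-ID-to-name map that in practice comes from `az ad sp show`; the object IDs, names and company/environment values are assumptions, and a constructed sample is embedded so it runs offline.

```python
"""Audit the Empower Key Vault's access policies against the KVAP table above.

Input is the `properties.accessPolicies` array of `az keyvault show -n <vault> -o json`.
A constructed sample is embedded so the script runs offline; object IDs, principal
names and the company/environment values are hypothetical.
"""
import json
import subprocess
import sys

COMPANY, ENV = "contoso", "prod"
ADF_MI = f"adf-empower-{ENV}"            # Data Factory system-assigned identity (name assumed)
API_SP = f"Empower-{COMPANY}-{ENV}-Api"

# Expected secret permissions per principal, transcribed from the table (lower-cased).
EXPECTED_SECRETS = {
    ADF_MI: {"get", "set", "list"},
    API_SP: {"get", "set", "list", "delete", "recover"},
    "Empower-Service": {"get", "set", "list", "delete", "recover"},
}

# objectId -> display name. Access policies are keyed by object ID, so in practice this
# map is built from `az ad sp show --id <appId> --query id -o tsv` (IDs constructed here).
PRINCIPALS = {
    "11111111-1111-1111-1111-111111111111": ADF_MI,
    "22222222-2222-2222-2222-222222222222": API_SP,
    "33333333-3333-3333-3333-333333333333": "Empower-Service",
}


def audit(policies):
    """Return findings as (objectId, principalName, kind, detail) tuples.

    Kinds: unknown-principal (an object ID the table does not list), extra-/missing-
    secret-permissions, unexpected-keys/certificates/storage-permissions (the table
    grants secrets only) and no-policy (an expected principal with no entry at all).
    """
    findings, seen = [], set()
    for p in policies:
        oid = p["objectId"]
        perms = {kind: {x.lower() for x in (v or [])} for kind, v in p["permissions"].items()}
        name = PRINCIPALS.get(oid)
        if name is None:
            findings.append((oid, None, "unknown-principal", perms))
            continue
        seen.add(name)
        secrets, expected = perms.get("secrets", set()), EXPECTED_SECRETS[name]
        if secrets - expected:   # "all" or "purge" here means more than the table grants
            findings.append((oid, name, "extra-secret-permissions", sorted(secrets - expected)))
        if expected - secrets:
            findings.append((oid, name, "missing-secret-permissions", sorted(expected - secrets)))
        for kind in ("keys", "certificates", "storage"):
            if perms.get(kind):
                findings.append((oid, name, f"unexpected-{kind}-permissions", sorted(perms[kind])))
    for name in sorted(EXPECTED_SECRETS.keys() - seen):
        findings.append((None, name, "no-policy", None))
    return findings


def _policy(oid, secrets, keys=None):
    # Shape of one accessPolicies entry as the CLI prints it (constructed).
    return {"objectId": oid, "tenantId": "00000000-0000-0000-0000-000000000000",
            "permissions": {"keys": keys, "secrets": secrets, "certificates": None, "storage": None}}


# Constructed sample: the three expected policies, with Empower-Service also granted Purge,
# plus a fourth entry for an object ID not in the table holding every secret permission.
SAMPLE_POLICIES = [
    _policy("11111111-1111-1111-1111-111111111111", ["Get", "Set", "List"]),
    _policy("22222222-2222-2222-2222-222222222222", ["get", "set", "list", "delete", "recover"]),
    _policy("33333333-3333-3333-3333-333333333333", ["get", "set", "list", "delete", "recover", "purge"]),
    _policy("44444444-4444-4444-4444-444444444444", ["all"]),
]
CLEAN_POLICIES = SAMPLE_POLICIES[:2] + [
    _policy("33333333-3333-3333-3333-333333333333", ["get", "set", "list", "delete", "recover"])]


def load_live(vault_name):
    """Fetch the real policies with the Azure CLI (requires `az login`)."""
    out = subprocess.run(["az", "keyvault", "show", "-n", vault_name, "-o", "json"],
                         check=True, capture_output=True, text=True).stdout
    return json.loads(out)["properties"]["accessPolicies"]


if __name__ == "__main__":
    live = len(sys.argv) > 2 and sys.argv[1] == "--live"
    findings = audit(load_live(sys.argv[2]) if live else SAMPLE_POLICIES)
    for f in findings:
        print(*f)
    sys.exit(1 if findings else 0)
```

Run it as `python kvap_audit.py --live <vault-name>` after `az login`. Permission names are compared case-insensitively because the vault stores them as they were submitted, and the special value `all` is deliberately treated as an extra permission rather than expanded, since nothing in the table authorises it for any principal.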