Permissions required for Azure Data Lake Storage
NetBackup protection workflows for Azure Data Lake Storage (ADLS), such as asset discovery, backup, and restore, can authenticate using an Azure user-assigned or system-assigned managed identity. To use a managed identity for ADLS, you must:
Assign the 'Storage Blob Data Owner' role to the managed identity; this role is required to restore ACLs.
Assign a role to the managed identity that includes the following permissions (the definition below names the role 'cosp_minimal'; <subscription id> and <role id> are placeholders for your own values):
{
  "id": "/subscriptions/<subscription id>/providers/Microsoft.Authorization/roleDefinitions/<role id>",
  "properties": {
    "roleName": "cosp_minimal",
    "description": "minimal permission required for cos protection.",
    "assignableScopes": [
      "/subscriptions/<subscription id>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/blobServices/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/write",
          "Microsoft.ApiManagement/service/*",
          "Microsoft.Authorization/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Storage/storageAccounts/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action"
        ],
        "notActions": [],
        "dataActions": [
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
          "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action"
        ],
        "notDataActions": []
      }
    ]
  }
}
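A practical question when adapting this definition is whether a role you already maintain (often written with wildcards rather than an explicit list) actually covers every operation above, and whether its notActions or notDataActions quietly remove one. The following script is an added example, not NetBackup's or Microsoft's code. It applies the Azure RBAC matching rules as documented (case-insensitive comparison, '*' matching any run of characters including path segments, and the not* lists subtracting from the allow lists) to report which required operations a candidate role fails to grant, and lists its wildcard entries for review. The DRAFT_ROLE is a constructed example; the required lists are taken from the definition above.

```python
"""Least-privilege check of an Azure custom role against a required operation list.

Added example, not NetBackup's or Microsoft's code. Matching follows the Azure
RBAC rules: names compare case-insensitively, '*' in a granted entry matches any
characters (slashes included), and notActions / notDataActions subtract from
actions / dataActions.
"""
import re

# Control-plane and data-plane operations from the page's minimal role.
REQUIRED_ACTIONS = [
    "Microsoft.Storage/storageAccounts/blobServices/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/write",
    "Microsoft.ApiManagement/service/*",
    "Microsoft.Authorization/*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/setAcl/action",
]
REQUIRED_DATA_ACTIONS = [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/filter/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action",
]

# The page's role rebuilt from the lists above (ids omitted; they are deployment-specific).
PAGE_ROLE = {"properties": {"permissions": [{
    "actions": REQUIRED_ACTIONS, "notActions": [],
    "dataActions": REQUIRED_DATA_ACTIONS, "notDataActions": [],
}]}}

# Constructed: a draft role written with wildcards instead of the explicit list.
# It looks generous but does not cover every required operation.
DRAFT_ROLE = {"properties": {"permissions": [{
    "actions": [
        "Microsoft.Storage/storageAccounts/*/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.ApiManagement/service/*",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
    ],
    "notActions": [],
    "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
    "notDataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/immutableStorage/runAsSuperUser/action",
    ],
}]}}


def matches(pattern, operation):
    """True if an RBAC entry covers an operation name ('*' = any characters)."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.lower().split("*")) + "$"
    return re.match(regex, operation.lower()) is not None


def is_granted(operation, allowed, denied):
    """Effective grant: matched by an allow entry and by no not* entry."""
    return any(matches(p, operation) for p in allowed) and not any(
        matches(p, operation) for p in denied)


def check_role(role, required_actions=REQUIRED_ACTIONS,
               required_data_actions=REQUIRED_DATA_ACTIONS):
    """Report required operations the role does not grant, plus its wildcard entries.

    A missing entry means the identity could not perform that operation once the
    role is assigned; wildcard grants are listed so a reviewer can judge whether
    they exceed what the workload needs.
    """
    blocks = role["properties"]["permissions"]

    def collect(key):
        return [entry for block in blocks for entry in block.get(key, [])]

    actions, not_actions = collect("actions"), collect("notActions")
    data_actions, not_data_actions = collect("dataActions"), collect("notDataActions")
    return {
        "missing_actions": [op for op in required_actions
                            if not is_granted(op, actions, not_actions)],
        "missing_data_actions": [op for op in required_data_actions
                                 if not is_granted(op, data_actions, not_data_actions)],
        "wildcard_grants": [p for p in actions + data_actions if "*" in p],
    }


if __name__ == "__main__":
    for name, role in (("page role", PAGE_ROLE), ("draft role", DRAFT_ROLE)):
        report = check_role(role)
        print(f"{name}: missing actions={report['missing_actions']}, "
              f"missing dataActions={report['missing_data_actions']}, "
              f"wildcards={report['wildcard_grants']}")
```

Run against the page's own definition the report is empty; against the draft it flags Microsoft.Storage/storageAccounts/read (the wildcard "storageAccounts/*/read" needs at least one segment between storageAccounts and read), the setAcl action, and the runAsSuperUser data action removed by notDataActions. Export a real definition with the Azure CLI (az role definition list) and pass it to check_role to compare a deployed role the same way.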