Skip to main content

Why does the app registration for the ODX need owner permissions on the resource? I would think that read/write permissions would be sufficient.

 

Why does TimeXtender need the “extra” rights?

Hi @Benny 

It is due to Security rights.

In theory you could get away with having the Storage Blob Contributor right.

However using this option will give the following error when executing the Transfer task.

So therefore it will need the Storage Blob Owner or Owner right to apply those.


Thank you @Thomas Lind.

 

Could you please elaborate a bit on what it is trying to do that is denied without owner rights?

Specifically what is/are the action(s) that it wants to perform that it can't as contributor?

 

From a security perspective we want to answer the question(s): “Why do you need these rights? Which specific security settings is the ODX trying to apply on the data lake?”


Hi @Benny the parent directory must have Write + Execute permissions, and the owner role is required to create new files in blob storage as this role has execute permissions on the root folder, whereas the contributor role does not have execute permissions on the root folder.
 
For more information on security, please see: https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control


Reply