accessing gen2 folders with storage explorer/azure portal - ACL user RRS feed

  • Question

  • Hi

    I have setup a Gen2 account with 2 containers (Test1, Test2).  I have created folders in both the containers.  Now i have created AAD group (Group1) and granting access as below - 

    Test1 - Read access via ACL for folder1, Test2 - Read and Write access for folder2

    I gave Group1 Read, execute on folder1

    I gave Group1 Read, Write and execute on folder2

    Users of Group1 does not have any RBAC role assigned on Gen2 account.  

    Users cannot see gen2 account in portal and not in Storage explorer, can you tell me what is the reason.  


    Tuesday, January 7, 2020 11:18 PM

All replies

  • For better understanding: You have Created 2 Containers Test1 and Test2 under same storage account . Can you elaborate more on your query?

    May I know what kind of role you have given to both the user, If the users has assigned contributor he can access. The Storage blob reader doesn't work. Create a New subscription and try to give the access.

     Assign Reader Role at account level. à ACLs on the folder level

    To use Storage Explorer to access their data and allow permissions at the folder level they will need to:

    - Allow built-in Reader RBAC role at the Storage account scope

    - Assign ACL permissions at the folder level (RBAC is only scoped down to the container level)

    NOTE: They must give execute permissions at  the parent folder and all subfolders along the path to the folder where they provide the read/write permissions

    -If you  does not want the user to read other accounts and see other setting on the account, We are  working on a feature that will allow you to connect directly to a filesystem and that will remove the reader requirement but currently we do not have any ETA.

    - Reader Role at the account level, Blob data reader role but then user could not upload file to the directory that has proper ACL access.  Essentially ACL is getting ignored because RBAC says blob reader.

    You could produce a SAS for a blob container or for individual blobs

    You may also refer to the suggestion mentioned in this MSDN thread, It provide some ideas for your query 

    Hope this helps!

    Kindly let us know if the above helps or you need further assistance on this issue. 

    Please take a moment to "Mark as Answer" and/or "Vote as Helpful" wherever applicable.


    Wednesday, January 8, 2020 7:52 AM
  • Thanks for quick response.

    I  have not given users any role on the storage account as i dont want users to see any other files in the storage account.  They should read/write only to the folder which they have permission given by ACL.

    I want permission govern by ACL and not by RBAC.  If i understand your comment correctly to access files from storage explorer/azure portal they will need at least storage reader on the account level currently.  Please confirm. 

    Also will I need to give reader permission on the Resource Group as well so that they can see the resource?

    Also SAS will not work at folder level right?  I can generate SAS token only at Blob level, what if i have multiple Blob and want to restrict access for individual blobs

    I went through the ref article, but it uses AZcopy not storage explorer or portal.



    • Edited by Raxit_soni Wednesday, January 8, 2020 7:55 PM
    Wednesday, January 8, 2020 1:54 PM