ADLS Gen 2 ACL permissions PowerShell multiple entries

  • Question

  • Hello

    I am trying to give ACL permissions to ADLS Gen 2 via PowerShell.

    I am successful if I grant one AD group access at the directory level. If I try to give access to another AD group via the same script, this new AD group is now visible, and not the first one.

    Please advise on how I can add ACLs for the two AD groups to the same directory via PowerShell.

    # Look up the group's object ID
    $id = (Get-AzADGroup -DisplayName $adgroup).Id
    # Read the directory's current ACL and append one Group entry to it
    $acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystem -Path $path).ACL
    $acl = New-AzDataLakeGen2ItemAclObject -AccessControlType Group -EntityId $id -Permission $permission -InputObject $acl
    # Writes only the last entry of the accumulated ACL (the behaviour asked about above)
    Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystem -Path $path -Acl $acl[$acl.Count-1]

    Thanks

    Monday, May 11, 2020 4:56 AM

Answers

  • Hello KamaleshKannan1, and thank you for your question. Thank you for the steps to reproduce the issue. Very helpful.

    Here are my findings:

    When I used
    Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystem -Path $path -Acl $acl[$acl.Count-1]
    all of the existing ACLs were replaced instead of added to. Only the new item appeared when I looked using
    (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystem -Path $path).ACL

    When I used
    Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystem -Path $path -Acl $acl
    the pre-existing entries and the new group both appeared. I saw both the old ACLs and the new group when I looked using
    (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystem -Path $path).ACL

    This means Update-AzDataLakeGen2Item is an overwrite of the ACLs, not an append to them.

    To add multiple groups, the process would look like this:

    # Get the existing ACLs on the item
    $acl = (Get-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystem -Path $path).ACL

    # Get the first group's ID and add the first group to the ACL object
    $id = (Get-AzADGroup -DisplayName $adgroup1).Id
    $acl = New-AzDataLakeGen2ItemAclObject -AccessControlType Group -EntityId $id -Permission $permission -InputObject $acl

    # Get the second group's ID and add the second group to the ACL object
    $id = (Get-AzADGroup -DisplayName $adgroup2).Id
    $acl = New-AzDataLakeGen2ItemAclObject -AccessControlType Group -EntityId $id -Permission $permission -InputObject $acl

    # Update the item using the new ACL object, which contains both group entries
    Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystem -Path $path -Acl $acl


    Does this make sense?

    Monday, May 11, 2020 10:11 PM
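    A reusable form of that procedure, added here as an example and not code from the thread or from the Az module's documentation. It appends any number of groups to one directory's ACL in a single write, optionally adds default-scope entries so newly created children inherit the grant (which goes beyond what the thread shows), refuses to write if the accumulated object holds fewer entries than the one read from the directory (the overwrite failure mode above), and reads the ACL back to confirm each group landed. $ctx, $filesystem, $path and the group display names are assumed placeholders.

```powershell
# Added example: append several AD groups to one ADLS Gen2 directory ACL in one write.
# Assumes $ctx, $filesystem and $path are set as in the question (placeholders).
function Add-GroupsToGen2DirectoryAcl {
    param(
        [Parameter(Mandatory)] $Context,
        [Parameter(Mandatory)] [string] $FileSystem,
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string[]] $GroupDisplayName,
        [string] $Permission = 'r-x',
        [switch] $IncludeDefaultScope   # also add default ACL entries so new children inherit
    )

    # Read the current ACL once. Every entry in it must be sent back, because
    # Update-AzDataLakeGen2Item replaces the whole ACL rather than appending to it.
    $acl = (Get-AzDataLakeGen2Item -Context $Context -FileSystem $FileSystem -Path $Path).ACL
    $before = $acl.Count
    $ids = @()

    foreach ($name in $GroupDisplayName) {
        $group = Get-AzADGroup -DisplayName $name
        if (-not $group) { throw "AD group '$name' not found; aborting before any ACL change." }
        $ids += $group.Id
        # Access-scope entry on the directory itself
        $acl = New-AzDataLakeGen2ItemAclObject -AccessControlType Group -EntityId $group.Id -Permission $Permission -InputObject $acl
        if ($IncludeDefaultScope) {
            # Default-scope entry: inherited by files and folders created under this directory
            $acl = New-AzDataLakeGen2ItemAclObject -AccessControlType Group -EntityId $group.Id -Permission $Permission -DefaultScope -InputObject $acl
        }
    }

    # Guard against the overwrite trap: the owner, owning group and other entries must still be present.
    if ($acl.Count -lt $before) { throw "Accumulated ACL lost entries ($before -> $($acl.Count)); refusing to write." }

    # One write carrying the complete entry list
    Update-AzDataLakeGen2Item -Context $Context -FileSystem $FileSystem -Path $Path -Acl $acl

    # Read back and confirm every requested group is now in the ACL
    $after = (Get-AzDataLakeGen2Item -Context $Context -FileSystem $FileSystem -Path $Path).ACL
    foreach ($id in $ids) {
        if (-not ($after | Where-Object { $_.AccessControlType -eq 'Group' -and $_.EntityId -eq $id })) {
            throw "Group $id missing from the ACL after update."
        }
    }
    return $after
}

# Usage with hypothetical group names; prints the resulting entries for review
Add-GroupsToGen2DirectoryAcl -Context $ctx -FileSystem $filesystem -Path $path -GroupDisplayName 'data-readers','data-analysts' -Permission 'r-x' -IncludeDefaultScope |
    Format-Table AccessControlType, EntityId, Permissions, DefaultScope
```

    Adding a group that already has an entry updates that entry's permission rather than creating a second one, so the function can be re-run safely.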

All replies

  • That's really nice. I tried various methods but didn't think of this as an overwrite instead of an append.

    Update-AzDataLakeGen2Item -Context $ctx -FileSystem $filesystem -Path $path -Acl $acl

    Tuesday, May 12, 2020 6:26 AM