Shared workspaces and isolation
In a shared Azure Machine Learning workspace, isolating user access to datastores means combining several access control mechanisms so that each user can reach only the datastores they are authorized to use. The key steps are:
1. Role-based Access Control (RBAC): Azure Machine Learning supports RBAC, which allows us to assign roles to users or groups at various levels of the workspace hierarchy. By properly configuring RBAC, we can control access to datastores and other resources within the workspace. For example:

Built-in role: AzureML Data Scientist
Custom role: AzureML Data Scientist Datastore access role
    actions:
      - Microsoft.MachineLearningServices/workspaces/datastores/read
      - Microsoft.MachineLearningServices/workspaces/datastores/write
      - Microsoft.MachineLearningServices/workspaces/datastores/delete
      - Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action
    not_actions: []
    data_actions: []
    not_data_actions: []

All four datastore operations are control-plane actions of the Machine Learning resource provider, so they belong under actions and data_actions stays empty. Note that listsecrets/action returns the credentials stored in the datastore, so any principal holding this role can read those secrets; assign it at the narrowest scope that works (a single workspace rather than the subscription).
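The custom role above written out as the JSON that the Azure CLI accepts, with a few least-privilege checks run before the role is created. This is an added example, not code from the original post; the subscription ID, resource group and workspace names are placeholders, and the checks are this example's own policy rather than anything Azure enforces.

```python
"""Build and sanity-check an Azure custom role for Azure ML datastore access.

Added example (not from the original post). It produces the JSON shape that
`az role definition create --role-definition @datastore-role.json` accepts and
applies least-privilege checks before the role is created. The subscription,
resource group and workspace names used in __main__ are placeholders.
"""
import json

DATASTORE_PREFIX = "Microsoft.MachineLearningServices/workspaces/datastores/"

# Control-plane operations on datastores. listsecrets/action returns the
# datastore's stored credentials, so it is the most sensitive of the four.
DATASTORE_ACTIONS = [
    DATASTORE_PREFIX + "read",
    DATASTORE_PREFIX + "write",
    DATASTORE_PREFIX + "delete",
    DATASTORE_PREFIX + "listsecrets/action",
]


def workspace_scope(subscription_id, resource_group, workspace):
    """Resource ID of one workspace; used as the role's only assignable scope."""
    return (
        f"/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}"
        f"/providers/Microsoft.MachineLearningServices/workspaces/{workspace}"
    )


def build_datastore_role(scope, name="AzureML Data Scientist Datastore access role"):
    """Return the custom role definition as a JSON-serialisable dict."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Manage datastores in a single Azure ML workspace.",
        "Actions": list(DATASTORE_ACTIONS),
        "NotActions": [],
        "DataActions": [],  # datastore operations are control-plane only
        "NotDataActions": [],
        "AssignableScopes": [scope],
    }


def check_role(role):
    """Return a list of least-privilege findings; an empty list means it passes."""
    findings = []
    for action in role["Actions"]:
        if "*" in action:
            findings.append(f"wildcard action: {action}")
        elif not action.startswith(DATASTORE_PREFIX):
            findings.append(f"action outside datastores: {action}")
    if role["DataActions"]:
        findings.append("DataActions should be empty for datastore operations")
    for scope in role["AssignableScopes"]:
        if "/providers/Microsoft.MachineLearningServices/workspaces/" not in scope:
            findings.append(f"scope wider than one workspace: {scope}")
    return findings


if __name__ == "__main__":
    # Placeholder identifiers; replace with the real workspace before use.
    scope = workspace_scope("00000000-0000-0000-0000-000000000000", "rg-ml", "ws-shared")
    role = build_datastore_role(scope)
    assert not check_role(role), check_role(role)
    with open("datastore-role.json", "w") as fh:
        json.dump(role, fh, indent=2)
    print("wrote datastore-role.json; create it with:")
    print("  az role definition create --role-definition @datastore-role.json")
```

After the file is created, the role is assigned per workspace with `az role assignment create --assignee <principal> --role "AzureML Data Scientist Datastore access role" --scope <workspace resource ID>`; the scope check in `check_role` exists precisely so that the role cannot be handed out subscription-wide by accident.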
2. Azure Data Lake Storage (ADLS) Data Access Control: If we're using Azure Data Lake Storage Gen2 as a datastore, we can use its built-in access control mechanisms: access control lists (ACLs) on directories and files, with access permissions defined for specific users and groups.
3. Shared Access Signatures (SAS): Azure Blob Storage, another commonly used datastore, supports SAS. A SAS is a time-limited token that grants temporary access to specific containers or blobs, so access to data in the datastore can be controlled per user or per session.
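A policy check for a SAS token before it is handed to a user, covering the properties that make per-user or per-session access safe: a short expiry, read-only permissions and HTTPS only. This is an added example, not code from the original post; the two tokens are constructed, their `sig` values are placeholders, and the policy thresholds are this example's own choices.

```python
"""Policy check for a Blob Storage SAS token before it is issued to a user.

Added example, not code from the original post. It parses the SAS query
parameters (sp = permissions, se = expiry, spr = allowed protocols, sig =
signature) and reports departures from a short-lived, read-only, HTTPS-only
policy. It does not verify the signature: that requires the account key and is
done by the storage service. The two sample tokens below are constructed.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

MAX_LIFETIME = timedelta(hours=8)
READ_ONLY = frozenset("rl")  # read and list; no add/create/write/delete

# Constructed sample tokens; the sig values are placeholders, not real signatures.
GOOD_SAS = "sv=2022-11-02&sr=c&sp=rl&se=2024-06-01T18:00:00Z&spr=https&sig=PLACEHOLDER"
BAD_SAS = "sv=2022-11-02&sr=c&sp=racwdl&se=2025-06-01T00:00:00Z&spr=https,http&sig=PLACEHOLDER"
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)  # fixed "now" for a repeatable run


def parse_sas(token):
    """Turn 'sv=...&sp=rl&se=...' (leading '?' optional) into a flat dict."""
    return {k: v[0] for k, v in parse_qs(token.lstrip("?")).items()}


def parse_expiry(value):
    """SAS times are ISO 8601 UTC, either a full timestamp or a date only."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    return None


def check_sas(token, now, allowed=READ_ONLY, max_lifetime=MAX_LIFETIME):
    """Return a list of findings; an empty list means the token meets the policy."""
    p = parse_sas(token)
    findings = []
    if "sig" not in p:
        findings.append("missing signature (sig)")
    if p.get("spr") != "https":
        findings.append("not restricted to HTTPS (spr=%s)" % p.get("spr"))
    extra = set(p.get("sp", "")) - set(allowed)
    if extra:
        findings.append("permissions beyond policy: " + "".join(sorted(extra)))
    expiry = parse_expiry(p.get("se", ""))
    if expiry is None:
        findings.append("missing or unparseable expiry (se)")
    elif expiry <= now:
        findings.append("already expired")
    elif expiry - now > max_lifetime:
        findings.append("lifetime %s exceeds %s" % (expiry - now, max_lifetime))
    return findings


if __name__ == "__main__":
    for label, token in (("good", GOOD_SAS), ("bad", BAD_SAS)):
        print(label, check_sas(token, NOW) or "ok")
```

The check runs wherever tokens are minted for users (a small issuing service, a notebook helper), so that a token granting write or delete, or one valid for a year, is caught before it leaves the workspace rather than after.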
4. Virtual Network Service Endpoints: To isolate datastores further, we can use Azure Virtual Network (VNet) Service Endpoints. With service endpoints configured, datastores are reachable only from specific VNets, which restricts access from outside the network.
5. Workspace-level Datastore Configuration: Within the Azure Machine Learning workspace, we can define multiple datastores and associate them with specific storage accounts or services. By carefully configuring each datastore's access control settings, we can enforce granular access controls and limit user access to specific datastores.
6. Monitoring and Auditing: It's important to monitor and audit user access to datastores within the shared Azure Machine Learning workspace. Azure provides monitoring and auditing tools such as Azure Monitor and Azure Sentinel, which help us track and analyze access patterns and detect potential security threats or unauthorized access attempts.
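Detection logic for the most sensitive datastore operation, the listsecrets action that returns a datastore's stored credentials, run over a handful of audit records. This is an added example, not from the original post: the records are constructed, the field names are modelled on the AzureActivity table in Log Analytics (Caller, OperationNameValue, _ResourceId, ActivityStatusValue), and that mapping, the principals and the allow-list are all assumptions of the example. The same filter expressed as a query over AzureActivity in Azure Monitor or Sentinel would feed an alert rule.

```python
"""Flag datastore credential reads (listsecrets) by principals outside an
allow-list, run over constructed audit records.

Added example, not from the original post. Field names follow the AzureActivity
table in Log Analytics (Caller, OperationNameValue, _ResourceId,
ActivityStatusValue); that mapping, the principals, the allow-list and the
resource IDs are assumptions of this example, and every record is constructed.
"""
from collections import Counter

LISTSECRETS = "Microsoft.MachineLearningServices/workspaces/datastores/listsecrets/action"
READ = "Microsoft.MachineLearningServices/workspaces/datastores/read"

# Who is expected to retrieve each datastore's credentials (assumed allow-list).
ALLOWED = {
    "finance_adls": {"finance-team@contoso.example"},
    "shared_blob": {"finance-team@contoso.example", "ds-team@contoso.example"},
}


def resource_id(datastore):
    """Constructed resource ID of a datastore in a workspace named ws-shared."""
    return ("/subscriptions/SUBSCRIPTION_ID/resourceGroups/rg-ml/providers/"
            "Microsoft.MachineLearningServices/workspaces/ws-shared/datastores/" + datastore)


def record(caller, op, datastore, status="Success"):
    """One constructed audit record in the assumed AzureActivity shape."""
    return {"Caller": caller, "OperationNameValue": op,
            "_ResourceId": resource_id(datastore), "ActivityStatusValue": status}


RECORDS = [
    record("finance-team@contoso.example", LISTSECRETS, "finance_adls"),
    record("ds-team@contoso.example", LISTSECRETS, "finance_adls"),          # outside allow-list
    record("ds-team@contoso.example", LISTSECRETS, "shared_blob"),
    record("intern@contoso.example", LISTSECRETS, "shared_blob", "Failed"),  # denied, not a hit
    record("intern@contoso.example", LISTSECRETS, "finance_adls"),           # outside allow-list
    record("ds-team@contoso.example", READ, "finance_adls"),                 # metadata only
]


def datastore_name(rid):
    """Datastore segment of a resource ID, or None if it is not a datastore."""
    _, sep, tail = rid.rpartition("/datastores/")
    return tail.split("/")[0] if sep else None


def unexpected_secret_reads(records, allowed=ALLOWED):
    """(caller, datastore) pairs for successful listsecrets calls outside the allow-list."""
    hits = []
    for r in records:
        if r.get("OperationNameValue") != LISTSECRETS or r.get("ActivityStatusValue") != "Success":
            continue
        ds = datastore_name(r.get("_ResourceId", ""))
        if ds is not None and r.get("Caller") not in allowed.get(ds, set()):
            hits.append((r["Caller"], ds))
    return hits


def secret_reads_per_caller(records):
    """Successful listsecrets calls per caller; a sudden jump deserves a look."""
    return Counter(r["Caller"] for r in records
                   if r.get("OperationNameValue") == LISTSECRETS
                   and r.get("ActivityStatusValue") == "Success")


if __name__ == "__main__":
    for caller, ds in unexpected_secret_reads(RECORDS):
        print(f"ALERT: {caller} retrieved credentials for datastore {ds}")
    print(dict(secret_reads_per_caller(RECORDS)))
```

Failed calls are deliberately excluded from the allow-list check, since RBAC already stopped them, but they are still worth counting separately: a principal repeatedly failing listsecrets against datastores it has no business with is its own signal.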
By following these steps and combining RBAC, access control mechanisms within the datastores themselves, and network-level isolation, we can achieve effective isolation of user access to datastores in a shared Azure Machine Learning workspace.
Previous articles: IaCResolutionsPart81.docx