Unable to add additional local sftp user to a child folder within SFTP/Blob container

Dear Ramkumar,

Thank you for your question. May I have an clarifycation your requirement to grant access to all three SFTP users (test1, test2, and test3) for the same child folder (testdirectory1child1). I understand the current limitation where only one local user can be set as owner is impacting your workflow. am I right?

rgds,

Alex

Hello Ramkumar

I understand that you are utilizing Azure Data Lake Storage Gen2 (ADLS Gen2) with SFTP functionality activated, and you need to configure permissions for multiple SFTP users on a directory hierarchy However, you have observed that the documentation appears to permit only the designation of an owner, while you require the ability to assign varying access levels (read and read/write) to different users.

Please be informed that when SFTP is activated on ADLS Gen2, Azure employs POSIX-style permissions to manage access to files and directories. This system includes the configuration of read, write, and execute permissions for the owner, group, and other users. For more fine-grained control, ADLS Gen2 uses Access Control Lists (ACLs). ACLs allow you to set permissions for specific users or groups, which is exactly what you need in your scenario.

• For each of your SFTP users (test1, test2, and test3), you need to identify their corresponding Azure AD user principals. When you create local SFTP users in ADLS Gen2, they are associated with Azure AD users. You'll need the Object ID of these Azure AD users. You can find the Object IDs in the Azure portal (Azure Active Directory > Users) or using the Azure CLI.

Set UP ACL:

1. Set the ACL for test1 (Read Access): You must provide the user test1 with read permissions for the folder testdirectory1child1. This can be accomplished by configuring the Access Control List (ACL) for the user. Utilize the following command, assuming you are operating within Azure CLI or a comparable tool: az storage fs access set-acl --acl "user:test1:r-x" --path "testdirectory1/testdirectory1child1" --file-system "testfolder"
2. Set the ACL for test2 and test3 (Read and Write Access): For test2 and test3, you will provide both read and write permissions. This can be accomplished using the commands below: az storage fs access set-acl --acl "user:test2:rw-" --path "testdirectory1/testdirectory1child1" --file-system "testfolder" az storage fs access set-acl --acl "user:test3:rw-" --path "testdirectory1/testdirectory1child1" --file-system "testfolder"
3. After setting the ACLs, you can verify that the permissions have been set correctly by running: az storage fs access get-acl --path "testdirectory1/testdirectory1child1" --file-system "testfolder"This command will show you the current ACLs for the specified path, and you should see entries for test1, test2, and test3 with the appropriate permissions.

Please be informed that by default, files created within testdirectory1child1 will inherit the ACLs of the directory. If you want more granular control over individual files, you can set ACLs on those files as well. You can also set default ACLs on a directory. Default ACLs determine the ACLs for any new files or subdirectories created under that directory. This can help you ensure that new files and subdirectories automatically inherit the correct permissions.

NOTE: Ownership is generally employed to determine who has authority over a resource, whereas Access Control Lists (ACLs) are utilized to regulate access permissions. In your case using ACLs is the right approach since you have multiple users with different access levels. The permissions are specified in the format user:<username>:<permissions>, where <permissions> can be r (read), w (write), and x (execute).

References: https://techcommunity.microsoft.com/blog/azurepaasblog/how-to-configure-directory-level-permission-for-sftp-local-user/4373620

Hope the above answer helps! Please let us know do you have any further queries.

Please do not forget to “up-vote” wherever the information provided helps you, this can be beneficial to other community members. 

Hello Ramkumar

Just checking in to see if the provided answer helped. If this answers your query, do click "Up-Vote” for the same, which might be beneficial to other community members reading this thread. And, if you have any further queries do let us know.

Hi Alex Burlachenko, The issue was that I am not able to assign access to multiple local users for single child folder (not at the container level).

Hi Nandamuri Pranay Teja, I will review and respond after trying the approach you suggested.