az storage account show --name <storage-account> --resource-group <resource-group> --query "{name:name,hns:isHnsEnabled,location:location,dfs:primaryEndpoints.dfs,blob:primaryEndpoints.blob}"Data Lake path ACL
A Data Lake path ACL is the access control list applied to a file or directory path in Azure Data Lake Storage Gen2 for fine-grained permissions.
Source: Microsoft Learn - Access control lists in Azure Data Lake Storage Reviewed 2026-05-13
- Exam trap
- Treating Data Lake path ACL as a generic label instead of checking the exact storage account, file system, path, owner, identity, network route, and recent evidence.
- Production check
- Confirm the active tenant, subscription, resource group, storage account, file system, path, and environment before interpreting command output.
Article details and learning context
- Aliases
- ADLS path ACL, Data Lake path access control, path access control list, data-lake-path-ac
- Difficulty
- intermediate
- CLI mappings
- 5
- Last verified
- 2026-05-13
Understand the concept
In plain English
Data Lake path ACL is the fine-grained access control list applied to an ADLS Gen2 path. In practice, it helps teams grant or restrict read, write, and execute permissions on specific files or directories without relying only on broad account-level roles. It is more than a storage label because it affects access, reliability, cost, monitoring, and the way incidents are explained. When teams see data lake path acl, they should confirm where it is configured, who owns it, which identities or network paths are involved, and what evidence proves the current design is safe for production.
Why it matters
Data Lake path ACL matters because lake platform work fails in production when teams cannot connect design language to live Azure behavior. The concrete risk is that a harmless-looking change can expose data, slow a pipeline, increase storage or compute spend, break a downstream dashboard, or make an incident impossible to replay. For learners, the term explains how Azure Data Lake Storage pieces fit together. For operators, it gives a checklist for ownership, permissions, networking, telemetry, rollback, and cost evidence. The practical response is to identify the storage account, file system, path, endpoint, identity, and recent activity before changing anything safely during production support.
Official wording and source
A Data Lake path ACL is the access control list applied to a file or directory path in Azure Data Lake Storage Gen2 for fine-grained permissions. Microsoft Learn places it in Access control lists in Azure Data Lake Storage; operators confirm scope, configuration, dependencies, and production impact.
Technical context
Technically, Data Lake path ACL is configured or observed in file and directory properties, ACL editor, az storage fs access commands, SDK path permissions, Storage Explorer, audit evidence, and security runbooks. It works with Data Lake Storage Gen2, and Azure RBAC. Engineers use access ACL, default ACL, and user entry. Key live state includes effective permissions, ACL entries, and default inheritance. Behavior depends on RBAC baseline access, hierarchical namespace, and identity object IDs. Portal settings show intent, while CLI output, run history, and monitoring show production behavior.
Exam context
Compare with
Where it is used
Where you see it
- In directory properties, it appears as user, group, mask, other, and default ACL entries that determine path-level access during routine operations review when support teams verify evidence.
- In permission-denied incidents, it appears when RBAC looks correct but the user or managed identity lacks execute permission on a parent directory during routine operations review.
- In onboarding workflows, it appears when a new analytics group receives access to one dataset path without receiving broad storage account privileges during routine operations review.
- In audit evidence, it appears as captured ACL output proving who could read, write, or traverse a regulated data path during routine operations review when support teams verify evidence.
Common situations
- grant or restrict read, write, and execute permissions on specific files or directories without relying only on broad account-level roles
- Validate configuration and production behavior before release.
- Create supportable evidence for audits, incidents, and cost reviews.
Illustrative Azure scenarios
These examples show how the concept can affect design and operations. They are illustrative scenarios, not customer claims.
Scenario 01 Data Lake path ACL in action for financial services Scenario, objectives, solution, measured impact, and takeaway.
Riverbend Credit Union, a financial services organization, needed to let fraud analysts read investigation data without exposing broader customer storage. The data platform team used Data Lake path ACL to apply path ACLs to a restricted fraud analytics directory while keeping governance and operations evidence clear.
- Grant analysts read-only access to one path
- Prevent traversal into unrelated customer folders
- Document access for compliance review
- Reduce emergency permission requests
The team designed the solution around Data Lake path ACL instead of treating it as a background detail. Engineers connected it with Data Lake Storage Gen2, Azure RBAC, Azure CLI, Storage Explorer, and Data Factory, documented the Azure scope, owner, identity path, network route, monitoring signals, cost assumptions, and rollback steps, then tested the behavior with production-shaped data. They used read-only CLI evidence and portal configuration to confirm the live state before approval. Security reviewers checked access boundaries, data classification, and exception handling. Operators added dashboard signals for freshness, path activity, file counts, failures, and owner handoff, so incidents could be traced from business symptom to Azure evidence. The release plan included a safe rerun path, validation checks, and a cleanup task for nonproduction resources or stale data left by testing.
- Analysts accessed only the approved fraud directory
- Parent execute permissions were set without exposing sibling data
- Compliance evidence included ACL command output
- Emergency requests dropped 64 percent
Data Lake path ACL is valuable when teams connect the Azure concept to ownership, measurable outcomes, safe access, and repeatable operational proof.
Scenario 02 Data Lake path ACL in action for healthcare operations Scenario, objectives, solution, measured impact, and takeaway.
Mercury Health Network, a healthcare operations organization, needed to separate patient quality data from general operations datasets inside the same lake. The data platform team used Data Lake path ACL to use default ACLs on regulated directories for new files while keeping governance and operations evidence clear.
- Protect patient quality records
- Allow pipeline managed identity writes
- Prevent accidental analyst access
- Make inherited permissions predictable
The team designed the solution around Data Lake path ACL instead of treating it as a background detail. Engineers connected it with Data Lake Storage Gen2, Azure RBAC, Azure CLI, Storage Explorer, and Data Factory, documented the Azure scope, owner, identity path, network route, monitoring signals, cost assumptions, and rollback steps, then tested the behavior with production-shaped data. They used read-only CLI evidence and portal configuration to confirm the live state before approval. Security reviewers checked access boundaries, data classification, and exception handling. Operators added dashboard signals for freshness, path activity, file counts, failures, and owner handoff, so incidents could be traced from business symptom to Azure evidence. The release plan included a safe rerun path, validation checks, and a cleanup task for nonproduction resources or stale data left by testing.
- Quality records remained restricted to approved groups
- Pipeline writes succeeded with managed identity permissions
- Analyst access violations fell to zero
- New child files inherited the expected ACL pattern
Data Lake path ACL is valuable when teams connect the Azure concept to ownership, measurable outcomes, safe access, and repeatable operational proof.
Scenario 03 Data Lake path ACL in action for industrial quality Scenario, objectives, solution, measured impact, and takeaway.
Copperline Manufacturing, a industrial quality organization, needed to grant plant engineers access to only their site-specific defect data. The data platform team used Data Lake path ACL to combine RBAC with path ACLs for site directories while keeping governance and operations evidence clear.
- Limit engineers to assigned plant paths
- Support cross-plant auditors separately
- Reduce failed notebook reads
- Simplify quarterly access reviews
The team designed the solution around Data Lake path ACL instead of treating it as a background detail. Engineers connected it with Data Lake Storage Gen2, Azure RBAC, Azure CLI, Storage Explorer, and Data Factory, documented the Azure scope, owner, identity path, network route, monitoring signals, cost assumptions, and rollback steps, then tested the behavior with production-shaped data. They used read-only CLI evidence and portal configuration to confirm the live state before approval. Security reviewers checked access boundaries, data classification, and exception handling. Operators added dashboard signals for freshness, path activity, file counts, failures, and owner handoff, so incidents could be traced from business symptom to Azure evidence. The release plan included a safe rerun path, validation checks, and a cleanup task for nonproduction resources or stale data left by testing.
- Engineers saw only their assigned plant directories
- Auditors received separate read access across paths
- Failed notebook reads dropped 43 percent
- Access reviews used one ACL export per site
Data Lake path ACL is valuable when teams connect the Azure concept to ownership, measurable outcomes, safe access, and repeatable operational proof.
Azure CLI
Use Azure CLI for Data Lake path ACL when you need repeatable evidence from live Azure Storage resources instead of a one-off portal screenshot. Start with read-only checks, compare output with source-controlled intent, and attach the result to the change or incident record.
Useful for
- Confirm that Data Lake path ACL exists in the expected storage account, file system, endpoint, or path scope.
- Export read-only evidence for audits, incidents, release reviews, migration planning, or cost investigations.
- Compare dev, test, and production storage configuration without depending only on screenshots or memory.
Before you run a command
- Run az account show and confirm the tenant, subscription, and signed-in identity before trusting any result.
- Verify the resource group, storage account, file system, path, and time window match the environment you intend to inspect.
- Start with read-only commands; require change approval before creating, deleting, moving, tiering, or changing access to anything.
What the output tells you
- It shows whether Data Lake path ACL is present in the expected Azure scope and whether the live state matches the documented design.
- It exposes account, endpoint, file system, directory, path, ACL, owner, region, and existence evidence that helps separate configuration issues from data issues.
- It gives support teams a reproducible record they can attach to a ticket, audit sample, incident review, or deployment decision.
Mapped commands
Data Lake path ACL operational checks
directaz storage fs list --account-name <storage-account> --auth-mode loginaz storage fs directory list --file-system <filesystem> --account-name <storage-account> --auth-mode loginaz storage fs access show --file-system <filesystem> --path <path> --account-name <storage-account> --auth-mode loginaz storage fs file list --file-system <filesystem> --path <path> --account-name <storage-account> --auth-mode loginArchitecture context
Data Lake path ACL belongs in architecture diagrams with its owning service, identity boundary, network route, monitoring signal, cost driver, and dependent data path.
- Security
- Security for Data Lake path ACL starts with knowing who can configure it, who can see its data, and which identities, secrets, network paths, or storage locations it depends on. Focus on least privilege, default ACL inheritance, RBAC plus ACL evaluation, group-based entries, avoid broad masks, and sensitive directory boundaries. Use managed identities where possible, private or approved network paths, least privilege, and diagnostic evidence that reviewers can inspect. Do not let broad ACLs, shared keys, copied test data, or unclear folder ownership become an unofficial bypass around production controls. Before release, document the owner, approved users, data classification, exception process, and emergency contact. During incidents, prove whether access, policy, identity, data, or network settings changed recently.
- Cost
- Cost for Data Lake path ACL is usually created by stored bytes, repeated scans, transactions, monitoring retention, private networking, and the behavior of surrounding analytics services rather than by the label itself. Watch recursive ACL operations, support tickets, failed pipeline retries, manual access reviews, diagnostic logs, and overly broad remediations. Small choices can multiply across environments, developers, schedules, and regions. Use tags, budgets, storage metrics, lifecycle policies, and owner reports to separate valuable usage from avoidable waste. Before expanding scope, estimate data volume, retention, run frequency, and support effort. After deployment, compare expected cost with actual usage and create cleanup tasks for duplicate data, noisy diagnostics, unused test paths, or stale curated output.
- Reliability
- Reliability for Data Lake path ACL means the lake still behaves predictably when sources are late, paths change, permissions drift, dependencies fail, or operators need to rerun work. Plan around consistent inherited permissions, recursive update safety, permission propagation expectations, break-glass access, access test coverage, and runbook clarity. The runbook should explain what signal matters first, which dependency owner to contact, and how to retry without corrupting downstream data. Monitor both Azure resource health and the user-visible result, because the first warning may be missing files, unexpected row counts, denied access, or a dashboard refresh failure. Test permission loss, stale configuration, partial files, and regional service events before the design becomes business critical.
- Performance
- Performance for Data Lake path ACL depends on how quickly trustworthy data moves from source to usable output without overloading storage, networks, compute, or downstream consumers. Pay attention to large recursive updates, path traversal checks, client retry storms, access-test speed, directory depth, and group membership evaluation. Measure the operator-visible result, not only whether a resource exists. Baseline list time, file counts, path depth, run duration, row counts, source latency, and sink throughput before a production change. Tune in small steps because aggressive parallelism, broad scans, tiny files, deep folders, endpoint mistakes, or poorly chosen partitions can create throttling and hide the real bottleneck. Retest after schema, network, engine, source, or sink changes are released.
- Operations
- Operations for Data Lake path ACL should be repeatable enough that another engineer can verify the same answer from the portal, CLI, deployment records, and monitoring. Keep naming, tags, runbooks, data ownership, dashboards, and incident tickets aligned. The runbook should include the Azure scope, expected resource names, normal signals, first troubleshooting commands, escalation path, and rollback or cleanup step. Use read-only commands first, then require approval for mutating actions such as creating paths, changing ACLs, publishing pipelines, deleting data, or moving files. After rollout, compare live state with the approved design and attach evidence to the change record every time consistently.
Common mistakes
- Treating Data Lake path ACL as a generic label instead of checking the exact storage account, file system, path, owner, identity, network route, and recent evidence.
- Changing production storage, paths, or permissions from the portal without source control, approval, rollback notes, or captured before-and-after evidence.
- Trusting a successful development test even though parameters, sample data, private endpoints, ACLs, or downstream consumers differ from production.