
Azure Data Factory - Azure RBAC role to manually trigger/run pipelines, but not edit anything in the ADF workspace


For Azure Data Factory, is there a way to allow a security principal (such as an AAD group for Level 1 Help Desk staff) to manually trigger pipelines (or resume failed pipelines), but not edit anything in the data factory workspace (e.g. pipelines / datasets / linked services / data flows / IRs / etc.)?

The scenario is when there's an issue (e.g. in an external destination sink) that results in a failed pipeline run, an alert will get triggered by our 'alerting and incident management' system. Our level 1 help desk will be able to review the pipeline/activity logs and ideally (for certain types of failures) they can just resume or re-execute a failed pipeline... We don't want L1 help desk to be able to edit anything in the data factory workspace - they should only be able to manually trigger pipelines (or resume failed pipelines). Note: if the issue is a bug in the pipeline, or something on our side, L1 would assign this to L2 support, but for simple things that can be easily resolved, they should be able to do it.

I can't see any built-in roles that would do what I want. I think Contributor and/or Data Factory Contributor will allow assignees to run pipelines, but these will also allow them to edit stuff in the ADF workspace...


Solution

  • You would have to create a custom role with the below permissions:

    Microsoft.DataFactory/factories/pipelines/createrun/action
    Microsoft.DataFactory/factories/cancelpipelinerun/action
    Microsoft.DataFactory/factories/pipelineruns/cancel/action

    which would allow only pipeline run and/or pipeline run cancellation and no other changes.

    My blog post below provides some details, but it is at a more granular, specific-pipeline level (which is not your use case):

    https://datasharkx.wordpress.com/2021/07/26/security-access-to-trigger-a-specific-pipeline-in-azure-data-factory/
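
The custom role from the answer above, as an added example that is not part of the original answer: it builds the role definition in the JSON shape that `az role definition create --role-definition` accepts and checks that none of the workspace edit operations fall inside what the role grants. The role name, the placeholder subscription id, the function names and the list of write operations used for the check are assumptions made for this example.

```python
import fnmatch
import json

# The three actions listed in the answer above.
RUN_ONLY_ACTIONS = [
    "Microsoft.DataFactory/factories/pipelines/createrun/action",
    "Microsoft.DataFactory/factories/cancelpipelinerun/action",
    "Microsoft.DataFactory/factories/pipelineruns/cancel/action",
]
# Edit operations the help desk must not hold (resource kinds named in the question).
KINDS = ("pipelines", "datasets", "linkedservices", "dataflows", "integrationruntimes")
EDIT_OPERATIONS = [f"Microsoft.DataFactory/factories/{k}/write" for k in KINDS]


def build_role_definition(name, assignable_scopes):
    """Custom role definition as a dict, ready to dump to a JSON file."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Trigger and cancel Data Factory pipeline runs only.",
        "Actions": list(RUN_ONLY_ACTIONS),
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": list(assignable_scopes),
    }


def is_granted(operation, role):
    """Azure RBAC matching: case-insensitive, '*' wildcards, Actions minus NotActions."""
    op = operation.lower()
    hit = lambda patterns: any(fnmatch.fnmatchcase(op, p.lower()) for p in patterns)
    return hit(role["Actions"]) and not hit(role["NotActions"])


def edit_operations_granted(role):
    """Every edit operation the role would allow; an empty list means run-only."""
    return [op for op in EDIT_OPERATIONS if is_granted(op, role)]


if __name__ == "__main__":
    # Placeholder subscription id (constructed); replace with your own scope.
    scope = "/subscriptions/00000000-0000-0000-0000-000000000000"
    role = build_role_definition("ADF Pipeline Operator (example)", [scope])
    # Constructed contrast: a wildcard grant over the whole factory.
    broad = dict(role, Actions=["Microsoft.DataFactory/factories/*"])
    print(json.dumps(role, indent=2))
    print("run-only role can edit:", edit_operations_granted(role))
    print("wildcard role can edit:", edit_operations_granted(broad))
```

The role contains only the three actions from the answer, so it grants no read access by itself.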