
Commit 7a42f16

author
David Desberg
authored
Fix missing data actions in 7.2-stable, 7.3-preview (#15254)
1 parent 29ca2b6 commit 7a42f16


2 files changed

+295
-17
lines changed

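--- a/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/rbac.json
+++ b/specification/keyvault/data-plane/Microsoft.KeyVault/preview/7.3-preview/rbac.json
@@ -443,8 +443,7 @@
 "RoleAssignmentPropertiesWithScope": {
 "properties": {
 "scope": {
-"type": "string",
-"description": "The role assignment scope."
+"$ref": "#/definitions/RoleScope"
 },
 "roleDefinitionId": {
 "type": "string",
@@ -524,7 +523,7 @@
 "required": [
 "properties"
 ],
-"description": "Role definition creation parameters."
+"description": "Role definition create parameters."
 },
 "RoleAssignmentCreateParameters": {
 "properties": {
@@ -536,7 +535,7 @@
 "required": [
 "properties"
 ],
-"description": "Role assignment creation parameters."
+"description": "Role assignment create parameters."
 },
 "RoleDefinitionFilter": {
 "properties": {
@@ -551,31 +550,32 @@
 "properties": {
 "actions": {
 "type": "array",
+"description": "Action permissions that are granted.",
 "items": {
 "type": "string"
-},
-"description": "Allowed actions."
+}
 },
 "notActions": {
 "type": "array",
+"description": "Action permissions that are excluded but not denied. They may be granted by other role definitions assigned to a principal.",
 "items": {
-"type": "string"
-},
-"description": "Denied actions."
+"type": "string",
+"description": "Not actions."
+}
 },
 "dataActions": {
 "type": "array",
+"description": "Data action permissions that are granted.",
 "items": {
-"type": "string"
-},
-"description": "Allowed Data actions."
+"$ref": "#/definitions/DataAction"
+}
 },
 "notDataActions": {
 "type": "array",
+"description": "Data action permissions that are excluded but not denied. They may be granted by other role definitions assigned to a principal.",
 "items": {
-"type": "string"
-},
-"description": "Denied Data actions."
+"$ref": "#/definitions/DataAction"
+}
 }
 },
 "description": "Role definition permissions."
@@ -593,6 +593,25 @@
 "type": {
 "type": "string",
 "description": "The role type.",
+"enum": [
+"AKVBuiltInRole",
+"CustomRole"
+],
+"x-ms-enum": {
+"name": "RoleType",
+"modelAsString": true,
+"values": [
+{
+"name": "BuiltInRole",
+"value": "AKVBuiltInRole",
+"description": "Built in role."
+},
+{
+"value": "CustomRole",
+"description": "Custom role."
+}
+]
+},
 "x-ms-client-name": "roleType"
 },
 "permissions": {
@@ -605,7 +624,7 @@
 "assignableScopes": {
 "type": "array",
 "items": {
-"type": "string"
+"$ref": "#/definitions/RoleScope"
 },
 "description": "Role definition assignable scopes."
 }
@@ -626,8 +645,15 @@
 },
 "type": {
 "type": "string",
+"description": "The role definition type.",
 "readOnly": true,
-"description": "The role definition type."
+"enum": [
+"Microsoft.Authorization/roleDefinitions"
+],
+"x-ms-enum": {
+"name": "RoleDefinitionType",
+"modelAsString": true
+}
 },
 "properties": {
 "x-ms-client-flatten": true,
@@ -652,6 +678,246 @@
 }
 },
 "description": "Role definition list operation result."
+},
+"RoleScope": {
+"type": "string",
+"description": "The role scope.",
+"enum": [
+"/",
+"/keys"
+],
+"x-ms-enum": {
+"name": "RoleScope",
+"modelAsString": true,
+"values": [
+{
+"name": "Global",
+"value": "/",
+"description": "Global scope"
+},
+{
+"name": "Keys",
+"value": "/keys",
+"description": "Keys scope"
+}
+]
+}
+},
+"DataAction": {
+"type": "string",
+"description": "Supported permissions for data actions.",
+"enum": [
+"Microsoft.KeyVault/managedHsm/keys/read/action",
+"Microsoft.KeyVault/managedHsm/keys/write/action",
+"Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action",
+"Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+"Microsoft.KeyVault/managedHsm/keys/backup/action",
+"Microsoft.KeyVault/managedHsm/keys/restore/action",
+"Microsoft.KeyVault/managedHsm/roleAssignments/delete/action",
+"Microsoft.KeyVault/managedHsm/roleAssignments/read/action",
+"Microsoft.KeyVault/managedHsm/roleAssignments/write/action",
+"Microsoft.KeyVault/managedHsm/roleDefinitions/read/action",
+"Microsoft.KeyVault/managedHsm/roleDefinitions/write/action",
+"Microsoft.KeyVault/managedHsm/roleDefinitions/delete/action",
+"Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+"Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+"Microsoft.KeyVault/managedHsm/keys/wrap/action",
+"Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+"Microsoft.KeyVault/managedHsm/keys/sign/action",
+"Microsoft.KeyVault/managedHsm/keys/verify/action",
+"Microsoft.KeyVault/managedHsm/keys/create",
+"Microsoft.KeyVault/managedHsm/keys/delete",
+"Microsoft.KeyVault/managedHsm/keys/export/action",
+"Microsoft.KeyVault/managedHsm/keys/release/action",
+"Microsoft.KeyVault/managedHsm/keys/import/action",
+"Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete",
+"Microsoft.KeyVault/managedHsm/securitydomain/download/action",
+"Microsoft.KeyVault/managedHsm/securitydomain/download/read",
+"Microsoft.KeyVault/managedHsm/securitydomain/upload/action",
+"Microsoft.KeyVault/managedHsm/securitydomain/upload/read",
+"Microsoft.KeyVault/managedHsm/securitydomain/transferkey/read",
+"Microsoft.KeyVault/managedHsm/backup/start/action",
+"Microsoft.KeyVault/managedHsm/restore/start/action",
+"Microsoft.KeyVault/managedHsm/backup/status/action",
+"Microsoft.KeyVault/managedHsm/restore/status/action",
+"Microsoft.KeyVault/managedHsm/rng/action"
+],
+"x-ms-enum": {
+"name": "DataAction",
+"modelAsString": true,
+"values": [
+{
+"name": "ReadHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/read/action",
+"description": "Read HSM key metadata."
+},
+{
+"name": "WriteHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/write/action",
+"description": "Update an HSM key."
+},
+{
+"name": "ReadDeletedHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/deletedKeys/read/action",
+"description": "Read deleted HSM key."
+},
+{
+"name": "RecoverDeletedHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/deletedKeys/recover/action",
+"description": "Recover deleted HSM key."
+},
+{
+"name": "BackupHsmKeys",
+"value": "Microsoft.KeyVault/managedHsm/keys/backup/action",
+"description": "Backup HSM keys."
+},
+{
+"name": "RestoreHsmKeys",
+"value": "Microsoft.KeyVault/managedHsm/keys/restore/action",
+"description": "Restore HSM keys."
+},
+{
+"name": "DeleteRoleAssignment",
+"value": "Microsoft.KeyVault/managedHsm/roleAssignments/delete/action",
+"description": "Delete role assignment."
+},
+{
+"name": "GetRoleAssignment",
+"value": "Microsoft.KeyVault/managedHsm/roleAssignments/read/action",
+"description": "Get role assignment."
+},
+{
+"name": "WriteRoleAssignment",
+"value": "Microsoft.KeyVault/managedHsm/roleAssignments/write/action",
+"description": "Create or update role assignment."
+},
+{
+"name": "ReadRoleDefinition",
+"value": "Microsoft.KeyVault/managedHsm/roleDefinitions/read/action",
+"description": "Get role definition."
+},
+{
+"name": "WriteRoleDefinition",
+"value": "Microsoft.KeyVault/managedHsm/roleDefinitions/write/action",
+"description": "Create or update role definition."
+},
+{
+"name": "DeleteRoleDefinition",
+"value": "Microsoft.KeyVault/managedHsm/roleDefinitions/delete/action",
+"description": "Delete role definition."
+},
+{
+"name": "EncryptHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
+"description": "Encrypt using an HSM key."
+},
+{
+"name": "DecryptHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
+"description": "Decrypt using an HSM key."
+},
+{
+"name": "WrapHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/wrap/action",
+"description": "Wrap using an HSM key."
+},
+{
+"name": "UnwrapHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/unwrap/action",
+"description": "Unwrap using an HSM key."
+},
+{
+"name": "SignHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/sign/action",
+"description": "Sign using an HSM key."
+},
+{
+"name": "VerifyHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/verify/action",
+"description": "Verify using an HSM key."
+},
+{
+"name": "CreateHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/create",
+"description": "Create an HSM key."
+},
+{
+"name": "DeleteHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/delete",
+"description": "Delete an HSM key."
+},
+{
+"name": "ExportHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/export/action",
+"description": "Export an HSM key."
+},
+{
+"name": "ReleaseKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/release/action",
+"description": "Release an HSM key using Secure Key Release."
+},
+{
+"name": "ImportHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/import/action",
+"description": "Import an HSM key."
+},
+{
+"name": "PurgeDeletedHsmKey",
+"value": "Microsoft.KeyVault/managedHsm/keys/deletedKeys/delete",
+"description": "Purge a deleted HSM key."
+},
+{
+"name": "DownloadHsmSecurityDomain",
+"value": "Microsoft.KeyVault/managedHsm/securitydomain/download/action",
+"description": "Download an HSM security domain."
+},
+{
+"name": "DownloadHsmSecurityDomainStatus",
+"value": "Microsoft.KeyVault/managedHsm/securitydomain/download/read",
+"description": "Check status of HSM security domain download."
+},
+{
+"name": "UploadHsmSecurityDomain",
+"value": "Microsoft.KeyVault/managedHsm/securitydomain/upload/action",
+"description": "Upload an HSM security domain."
+},
+{
+"name": "ReadHsmSecurityDomainStatus",
+"value": "Microsoft.KeyVault/managedHsm/securitydomain/upload/read",
+"description": "Check the status of the HSM security domain exchange file."
+},
+{
+"name": "ReadHsmSecurityDomainTransferKey",
+"value": "Microsoft.KeyVault/managedHsm/securitydomain/transferkey/read",
+"description": "Download an HSM security domain transfer key."
+},
+{
+"name": "StartHsmBackup",
+"value": "Microsoft.KeyVault/managedHsm/backup/start/action",
+"description": "Start an HSM backup."
+},
+{
+"name": "StartHsmRestore",
+"value": "Microsoft.KeyVault/managedHsm/restore/start/action",
+"description": "Start an HSM restore."
+},
+{
+"name": "ReadHsmBackupStatus",
+"value": "Microsoft.KeyVault/managedHsm/backup/status/action",
+"description": "Read an HSM backup status."
+},
+{
+"name": "ReadHsmRestoreStatus",
+"value": "Microsoft.KeyVault/managedHsm/restore/status/action",
+"description": "Read an HSM restore status."
+},
+{
+"name": "RandomNumbersGenerate",
+"value": "Microsoft.KeyVault/managedHsm/rng/action",
+"description": "Generate random numbers."
+}
+]
+}
 }
 },
 "parameters": {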
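Review bot: `RoleScope` lists only `/` and `/keys`, and both `scope` on `RoleAssignmentPropertiesWithScope` and the items of `assignableScopes` now reference it, so generated clients and reference docs will present those two as the available scopes. `modelAsString: true` still lets other strings through, but the description `The role scope.` does not say that; if the service accepts a narrower scope such as a single key (not visible in this diff), callers are steered toward assigning at a broader scope than they need. I would spell it out, for example `"description": "The role scope. The listed values are the known broad scopes; a narrower scope string may be passed where the service supports one."`. The `$ref` also drops the property-level text `The role assignment scope.` from `scope`.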

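--- a/specification/keyvault/data-plane/Microsoft.KeyVault/stable/7.2/rbac.json
+++ b/specification/keyvault/data-plane/Microsoft.KeyVault/stable/7.2/rbac.json
@@ -717,6 +717,8 @@
 "Microsoft.KeyVault/managedHsm/roleAssignments/read/action",
 "Microsoft.KeyVault/managedHsm/roleAssignments/write/action",
 "Microsoft.KeyVault/managedHsm/roleDefinitions/read/action",
+"Microsoft.KeyVault/managedHsm/roleDefinitions/write/action",
+"Microsoft.KeyVault/managedHsm/roleDefinitions/delete/action",
 "Microsoft.KeyVault/managedHsm/keys/encrypt/action",
 "Microsoft.KeyVault/managedHsm/keys/decrypt/action",
 "Microsoft.KeyVault/managedHsm/keys/wrap/action",
@@ -791,6 +793,16 @@
 "value": "Microsoft.KeyVault/managedHsm/roleDefinitions/read/action",
 "description": "Get role definition."
 },
+{
+"name": "WriteRoleDefinition",
+"value": "Microsoft.KeyVault/managedHsm/roleDefinitions/write/action",
+"description": "Create or update role definition."
+},
+{
+"name": "DeleteRoleDefinition",
+"value": "Microsoft.KeyVault/managedHsm/roleDefinitions/delete/action",
+"description": "Delete role definition."
+},
 {
 "name": "EncryptHsmKey",
 "value": "Microsoft.KeyVault/managedHsm/keys/encrypt/action",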
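Review bot: The two added `x-ms-enum` entries describe `roleDefinitions/write/action` and `roleDefinitions/delete/action` only as `Create or update role definition.` and `Delete role definition.`, which does not tell someone composing or auditing a custom role that these are authorization-management permissions. A principal holding the write action can change what a role definition grants, so it belongs alongside `roleAssignments/write/action` in any review of privileged permissions. I would extend the text, for example `"description": "Create or update role definition. Changes the permissions the definition grants."`, and use the same wording for the matching entries in the 7.3-preview file. Both hunks start and end inside the enum and `x-ms-enum` value lists (presumably `DataAction`, as in the 7.3-preview file), so the rest of the definition is not visible here.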
