articles/ai-foundry/concepts/disable-preview-features-with-rbac.md
Lines changed: 1 addition & 20 deletions
@@ -81,26 +81,7 @@ definition are the following
81
81
- …/`Analyze Protected Material`
82
82
- …/`Unified Analyze`
83
83
84
-
## Preview feature RBAC action matrix
85
-
86
-
Use this matrix to determine which data actions to include (enable) or exclude (disable) in a custom role for each preview feature. To disable a feature for a principal, ensure none of the listed enable actions are granted by any assigned role (or put them in NotActions).
87
-
88
-
| Feature | To ENABLE (include all these dataActions) | To DISABLE (ensure none of these are granted) |
| Agents (Foundry agent service) |`Microsoft.CognitiveServices/accounts/AIServices/agents/read`<br>`Microsoft.CognitiveServices/accounts/AIServices/agents/write`<br>`Microsoft.CognitiveServices/accounts/AIServices/agents/delete`| Exclude all three agent actions (or add the wildcard `Microsoft.CognitiveServices/accounts/AIServices/agents/*` to NotActions). |
91
-
| Content Understanding (Multi-Modal Intelligence) |`Microsoft.CognitiveServices/accounts/MultiModalIntelligence/analyzers/read`<br> `.../analyzers/write`<br> `.../analyzers/delete`<br>`Microsoft.CognitiveServices/accounts/MultiModalIntelligence/classifiers/read`<br> `.../classifiers/write`<br> `.../classifiers/delete`<br>`Microsoft.CognitiveServices/accounts/MultiModalIntelligence/batchAnalysisJobs/*`<br>Optional: any `/labelingProjects` trees your teams use*| Exclude every action beginning `Microsoft.CognitiveServices/accounts/MultiModalIntelligence/`|
| Fine-tuning |`Microsoft.CognitiveServices/accounts/OpenAI/fine-tunes/read`<br> `.../fine-tunes/write`<br> `.../fine-tunes/delete`<br>Optional (RLHF): `Microsoft.CognitiveServices/accounts/OpenAI/1p-jobs/*`<br>`Microsoft.CognitiveServices/accounts/OpenAI/fine-tunes/files/*`<br>`.../fine-tunes/uploads/*`<br> `.../fine-tunes/stored-completions/*`<br> `.../fine-tunes/evals/*`<br> `.../fine-tunes/models/*`| Remove all `Microsoft.CognitiveServices/accounts/OpenAI/fine-tunes/*` (and any `.../1p-jobs/*` if present). |
94
-
| Tracing / Telemetry (Azure Monitor reads) |`Microsoft.Insights/alertRules/read`<br>`Microsoft.Insights/diagnosticSettings/read`<br>`Microsoft.Insights/logDefinitions/read`<br>`Microsoft.Insights/metricdefinitions/read`<br>`Microsoft.Insights/metrics/read`| Omit the Azure Monitor read actions (or list them in NotActions). |
95
-
| Risk + Alerts (Content Safety) |`Microsoft.CognitiveServices/accounts/ContentSafety/*` - at minimum:<br> `.../Analyze Text`<br> `.../Analyze Image`<br> `.../Analyze Protected Material`<br> `.../Unified Analyze`| Exclude every action starting `Microsoft.CognitiveServices/accounts/ContentSafety/` and avoid assigning any role on the Content Safety resource. |
96
-
| Governance (Foundry management center) |`Microsoft.CognitiveServices/accounts/write`<br>`Microsoft.CognitiveServices/accounts/delete`<br>Plus any required VNet / Private Endpoint / Key Vault reference writes you govern. | Grant only `Microsoft.CognitiveServices/accounts/read` and remove any write/delete actions on the account resource. |
97
-
98
-
*Optional labeling projects: include only if teams label documents inside Foundry.
99
-
100
-
> [!NOTE]
101
-
> When disabling a feature, verify no other assigned role grants a broader wildcard (for example `Microsoft.CognitiveServices/accounts/*`) that would implicitly re-enable it.
102
-
103
84
## Related content
104
85
105
-
-[Role-based access control for Azure AI Foundry](rbac-azure-ai-foundry.md)
86
+
[Role-based access control for Azure AI Foundry](rbac-azure-ai-foundry.md)
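Review bot: The `> [!NOTE]` warning that a broader wildcard such as `Microsoft.CognitiveServices/accounts/*` in another assigned role would implicitly re-enable a disabled feature is deleted along with the matrix (old lines 84-102), and nothing in the surrounding context lines replaces it. If the matrix itself has to go, keep that note or confirm the same caveat appears earlier in the article, because a reader who trims a custom role based on the action list above still needs to be told to check every other role assignment on the principal. Separately, the last change in the hunk rewrites `-[Role-based access control for Azure AI Foundry](rbac-azure-ai-foundry.md)` without its leading list marker, so the Related content entry stops being a list item; restore the marker if that was not intended.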