MicrosoftDocs
diff --git a/‎articles/ai-studio/concepts/rbac-ai-studio.md
Lines changed: 42 additions & 16 deletions b/‎articles/ai-studio/concepts/rbac-ai-studio.md
Lines changed: 42 additions & 16 deletions
diff --git a/‎articles/ai-studio/media/concepts/add-resource-users.png
23.1 KB b/‎articles/ai-studio/media/concepts/add-resource-users.png
23.1 KB
diff --git a/‎articles/ai-studio/media/concepts/hub-overview-add-user.png
176 KB b/‎articles/ai-studio/media/concepts/hub-overview-add-user.png
176 KB
@@ -43,33 +43,36 @@ Here's a table of the built-in roles and their permissions for the hub:
 | Azure AI Inference Deployment Operator | Perform all actions required to create a resource deployment within a resource group. |
 | Reader |     Read only access to the hub. This role is automatically assigned to all project members within the hub. |
 
-
 The key difference between Contributor and Azure AI Developer is the ability to make new hubs. If you don't want users to make new hubs (due to quota, cost, or just managing how many hubs you have), assign the Azure AI Developer role.
 
 Only the Owner and Contributor roles allow you to make a hub. At this time, custom roles can't grant you permission to make hubs.
 
+### Azure AI Developer role
+
 The full set of permissions for the new "Azure AI Developer" role are as follows:
 
 ```json
 {
     "Permissions": [ 
         { 
-        "Actions": [ 
-    
-            "Microsoft.MachineLearningServices/workspaces/*/read", 
-            "Microsoft.MachineLearningServices/workspaces/*/action", 
-            "Microsoft.MachineLearningServices/workspaces/*/delete", 
-            "Microsoft.MachineLearningServices/workspaces/*/write" 
-        ], 
+        "Actions": [
+            "Microsoft.MachineLearningServices/workspaces/*/read",
+            "Microsoft.MachineLearningServices/workspaces/*/action",
+            "Microsoft.MachineLearningServices/workspaces/*/delete",
+            "Microsoft.MachineLearningServices/workspaces/*/write",
+            "Microsoft.MachineLearningServices/locations/*/read",
+            "Microsoft.Authorization/*/read",
+            "Microsoft.Resources/deployments/*"
+        ],
 
-        "NotActions": [ 
-            "Microsoft.MachineLearningServices/workspaces/delete", 
-            "Microsoft.MachineLearningServices/workspaces/write", 
-            "Microsoft.MachineLearningServices/workspaces/listKeys/action", 
-            "Microsoft.MachineLearningServices/workspaces/hubs/write", 
-            "Microsoft.MachineLearningServices/workspaces/hubs/delete", 
-            "Microsoft.MachineLearningServices/workspaces/featurestores/write", 
-            "Microsoft.MachineLearningServices/workspaces/featurestores/delete" 
+        "NotActions": [
+            "Microsoft.MachineLearningServices/workspaces/delete",
+            "Microsoft.MachineLearningServices/workspaces/write",
+            "Microsoft.MachineLearningServices/workspaces/listKeys/action",
+            "Microsoft.MachineLearningServices/workspaces/hubs/write",
+            "Microsoft.MachineLearningServices/workspaces/hubs/delete",
+            "Microsoft.MachineLearningServices/workspaces/featurestores/write",
+            "Microsoft.MachineLearningServices/workspaces/featurestores/delete"
         ], 
         "DataActions": [ 
             "Microsoft.CognitiveServices/accounts/OpenAI/*", 
@@ -83,6 +86,9 @@ The full set of permissions for the new "Azure AI Developer" role are as follows
     ] 
 }
 ```
+
+If the built-in Azure AI Developer role doesn't meet your needs, you can create a [custom role](#create-custom-roles).
+
 ## Default roles for projects 
 
 Projects in AI Studio have built-in roles that are available by default. 
@@ -197,6 +203,26 @@ The following JSON example defines a custom AI Studio developer role at the subs
 }
 ```
 
+For steps on creating a custom role, use one of the following articles:
+- [Azure portal](/azure/role-based-access-control/custom-roles-portal)
+- [Azure CLI](/azure/role-based-access-control/custom-roles-cli)
+- [Azure PowerShell](/azure/role-based-access-control/custom-roles-powershell)
+
+For more information on creating custom roles in general, visit the [Azure custom roles](/azure/role-based-access-control/custom-roles) article.
+
+## Assigning roles in AI Studio
+
+You can add users and assign roles directly from Azure AI Studio at either the hub or project level. From a hub or project overview page, select **New user** to add a user. 
+
+> [!NOTE]
+> You are limited to selecting built-in roles. If you need to assign custom roles, you must use the [Azure portal](/azure/role-based-access-control/role-assignments-portal), [Azure CLI](/azure/role-based-access-control/role-assignments-cli), or [Azure PowerShell](/azure/role-based-access-control/role-assignments-powershell).
+
+:::image type="content" source="../media/concepts/hub-overview-add-user.png" lightbox="../media/concepts/hub-overview-add-user.png" alt-text="Screenshot of the Azure AI Studio hub overview with the new user button highlighted.":::
+
+You are then prompted to enter the user information and select a built-in role.
+
+:::image type="content" source="../media/concepts/add-resource-users.png" lightbox="../media/concepts/add-resource-users.png" alt-text="Screenshot of the add users prompt with the role set to Azure AI Developer.":::
+
 ## Scenario: Use a customer-managed key
 
 When configuring a hub to use a customer-managed key (CMK), an Azure Key Vault is used to store the key. The user or service principal used to create the workspace must have owner or contributor access to the key vault.