> +[Provide connection information to developers](#provide-connection-information-to-developers)
27
27
28
28
## Configure role-based access
29
29
@@ -36,14 +36,11 @@ Each search service comes with [API keys](search-security-api-keys.md) and uses
36
36
37
37
When you switch from key-based authentication to keyless authentication, service administrators must assign themselves data plane roles for full access to objects and data. These roles include Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader.
38
38
39
-
To configure RBAC:
39
+
To configure role-based access:
40
40
41
-
1.[Enable roles](search-security-enable-roles.md) on your search service. We recommend the roles-only option.
41
+
1.[Enable roles](search-security-enable-roles.md) on your search service. We recommend using both API keys and roles.
42
42
43
-
1.[Assign data plane roles](search-security-rbac.md) to replace the functionality lost when you disable API keys. You need the following roles:
44
-
+ Search Service Contributor
45
-
+ Search Index Data Contributor
46
-
+ Search Index Data Reader
43
+
1.[Assign data plane roles](search-security-rbac.md) to replace the functionality lost when you disable API keys. An owner only needs Search Index Data Reader, but developers need [more roles](search-security-rbac#assign-roles).
47
44
48
45
Role assignments can take several minutes to take effect. Until then, portal pages used for data plane operations display the following message:
49
46
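Review bot: In the rewritten step 2, the link target `search-security-rbac#assign-roles` drops the `.md` extension that the other links in this file carry, including `search-security-rbac.md` earlier in the same line; use `search-security-rbac.md#assign-roles` so the link is consistent. Step 1 now recommends using both API keys and roles, yet step 2 still says the roles "replace the functionality lost when you disable API keys", which no longer follows from step 1. Either keep the roles-only recommendation or reword step 2, and give the reason for keeping keys, since the unchanged paragraph above frames this section as a move to keyless authentication. The new sentence "An owner only needs Search Index Data Reader" also reads as a conflict with that paragraph, which lists three data plane roles that administrators must assign themselves; say which statement applies to whom.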
@@ -68,8 +65,8 @@ Before you move on to network security, consider testing all points of connectio
68
65
69
66
By default, a search service accepts authenticated and authorized requests over public internet connections. You have two options for enhancing network security:
70
67
71
-
1.[Configure firewall rules](service-configure-firewall.md) to restrict network access by IP address.
72
-
2.[Configure a private endpoint](service-create-private-endpoint.md) to only allow traffic from Azure virtual networks.
68
+
+[Configure firewall rules](service-configure-firewall.md) to restrict network access by IP address.
69
+
+[Configure a private endpoint](service-create-private-endpoint.md) to only allow traffic from Azure virtual networks. Note that when you turn off the public endpoint, the import wizards won't run.
73
70
74
71
To learn about inbound and outbound calls in Azure AI Search, see [Security in Azure AI Search](search-security-overview.md).
75
72
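Review bot: The sentence appended to the private endpoint bullet refers to turning off the public endpoint, but the bullet itself is about configuring a private endpoint and never says that one implies the other. State explicitly which setting stops the import wizards from running, and whether firewall rules from the first bullet have the same effect. Because a later section of this file recommends portal access for the import wizards, readers who restrict network access need to know what to do instead, so a short pointer here would help. Moving from a numbered list to bullets is reasonable, since the lead-in presents these as two options rather than ordered steps.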
@@ -97,10 +94,10 @@ To enable semantic ranker in the portal, select **Settings** > **Semantic ranker
97
94
98
95
## Provide connection information to developers
99
96
100
-
Developers need the following information to connect to Azure AI Search:
97
+
To connect to Azure AI Search, developers need:
101
98
102
99
+ An endpoint or URL from the **Overview** page.
103
-
+ An API key from the **Keys** page or a role assignment (we recommend contributor).
100
+
+ An API key from the **Keys** page or a role assignment. We recommend Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader.
104
101
105
102
We recommend portal access for the [**Import data** wizard](search-get-started-portal.md), the [**Import and vectorize data** wizard](search-get-started-portal-import-vectors.md), and [Search explorer](search-explorer.md). You must be a contributor or higher to run the wizards.
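Review bot: The new role bullet recommends Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader to every developer without saying which task needs which role, and the unchanged line below still says "You must be a contributor or higher to run the wizards", where "contributor" is now ambiguous between those role names. Suggest stating the minimum role per task (for example querying versus managing indexes versus running the wizards) so readers can assign least privilege, and rewording the wizard sentence to name the exact role it requires. The phrase "An API key ... or a role assignment" should also match the recommendation made in the role-based access section, which now advises enabling both.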