Merge pull request #1932 from HeidiSteen/heidist-dec

prmerger-automator[bot] · web-flow · commit d097cde8b068 · 2024-12-11T15:56:46.000Z
[azure search] role permission correction, search index data contributor has read permissions on index
diff --git a/articles/search/keyless-connections.md b/articles/search/keyless-connections.md
@@ -223,8 +223,7 @@ Local development using roles includes these steps:
 As a local developer, your Azure identity needs full control over data plane operations. These are the suggested roles:
 
 - Search Service Contributor, create and manage objects
-- Search Index Data Contributor, load an index
-- Search Index Data Reader, query an index
+- Search Index Data Contributor, load and query an index
 
 Find your personal identity with one of the following tools. Use that identity as the `<identity-id>` value.
 
diff --git a/articles/search/search-get-started-rag.md b/articles/search/search-get-started-rag.md
@@ -63,7 +63,6 @@ Azure OpenAI is receiving the (query) "Can you recommend a few hotels" from your
 
     1. On Azure AI Search, make sure you have permissions to create, load, and query a search index:
 
-       - **Search Index Data Reader**
        - **Search Index Data Contributor**
        - **Search Service Contributor**
 
diff --git a/articles/search/search-get-started-rbac.md b/articles/search/search-get-started-rbac.md
@@ -72,11 +72,11 @@ You need this step if you have more than one subscription or tenant.
 
    1. Select **+ Add** > **Add role assignment**.
 
-   1. Choose a role (Search Service Contributor, Search Index Data Contributor, Search Index Data Reader) and assign it to your Microsoft Entra user or group identity.
+   1. Choose a role (**Search Service Contributor**, **Search Index Data Contributor**, **Search Index Data Reader**) and assign it to your Microsoft Entra user or group identity.
 
       Repeat for each role.
 
-      You need all three roles for creating, loading, and querying objects on Azure AI Search. For more information, see [Connect using roles](search-security-rbac.md).
+      You need **Search Service Contributor** plus **Search Index Data Contributor** to create, load, and query objects on Azure AI Search. For more information, see [Connect using roles](search-security-rbac.md).
 
 > [!TIP]
 > Later, if you get authentication failure errors, recheck the settings in this section. There could be policies at the subscription or resource group level that override any API settings you specify.
diff --git a/articles/search/search-security-enable-roles.md b/articles/search/search-security-enable-roles.md
@@ -51,7 +51,7 @@ The default failure mode for unauthorized requests is `http401WithBearerChalleng
    | Role-based access control | Requires membership in a role assignment to complete the task. It also requires an authorization header on the request. |
    | Both | Requests are valid using either an API key or role-based access control, but if you provide both in the same request, the API key is used. |
 
-1. As an administrator, if you choose a roles-only approach, [assign data plane roles](search-security-rbac.md) to your user account to restore full administrative access over data plane operations in the Azure portal. Roles include Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader. You need all three roles if you want equivalent access.
+1. As an administrator, if you choose a roles-only approach, [assign data plane roles](search-security-rbac.md) to your user account to restore full administrative access over data plane operations in the Azure portal. Roles include Search Service Contributor, Search Index Data Contributor, and Search Index Data Reader. You need the first two roles if you want equivalent access.
 
    Sometimes it can take five to ten minutes for role assignments to take effect. Until that happens, the following message appears in the Azure portal pages used for data plane operations.
 
diff --git a/articles/search/search-security-rbac.md b/articles/search/search-security-rbac.md
@@ -87,7 +87,7 @@ Combine these roles to get sufficient permissions for your use case.
 |View resource properties/metrics/endpoint |❌|❌|✅|✅|✅|
 |List all objects on the resource |❌|❌|✅|✅|✅|
 |Access quotas and service statistics |❌|❌|✅|✅|❌|
-|Read/query an index |✅|❌|❌|❌|❌|
+|Read/query an index |✅|✅|❌|❌|❌|
 |Upload data for indexing |❌|✅|❌|❌|❌|
 |Create or edit indexes/aliases |❌|❌|✅|✅|❌|
 |Create, edit and run indexers/data sources/skillsets |❌|❌|✅|✅|❌|
diff --git a/articles/search/service-configure-firewall.md b/articles/search/service-configure-firewall.md
@@ -160,7 +160,7 @@ The trusted services are used for vectorization workloads: generating vectors fr
 1. On the **Roles** page:
 
    + Select **Search Index Data Contributor** to load a search index with vectors generated by an embedding model. Choose this role if you intend to use integrated vectorization during indexing.
-   + Or, select **Search Index Data Reader** to provide queries with a vector generated by an embedding model. The embedding used in a query isn't written to an index, so no write permissions are required.
+   + Or, select **Search Index Data Reader** to provide queries containing a vector generated by an embedding model at query time. The embedding used in a query isn't written to an index, so no write permissions are required.
 
 1. Select **Next**.
 1. On the **Members** page, select **Managed identity** and **Select members**.
