| IT admin | Subscription Owner | The IT admin can ensure the hub is set up to their enterprise standards. They can assign managers the **Azure AI Account Owner** role on the resource if they want to enable managers to make new Foundry accounts. They can assign managers the Azure AI Project Manager role on the resource to allow for project creation within an account. |
207
-
| Managers | Azure AI Account Owner on Foundry resource | Managers can manage the hub, audit compute resources, audit connections, and create shared connections. They can't begin building within the projects, but can assign the Azure AI User role to themselves and others to start building. |
206
+
| IT admin | Subscription Owner | The IT admin can ensure the foundry is set up to their enterprise standards. They can assign managers the **Azure AI Account Owner** role on the resource if they want to enable managers to make new Foundry accounts. They can assign managers the Azure AI Project Manager role on the resource to allow for project creation within an account. |
207
+
| Managers | Azure AI Account Owner on Foundry resource | Managers can manage the foundry, deploy models, audit compute resources, audit connections, and create shared connections. They can't begin building within the projects, but can assign the Azure AI User role to themselves and others to start building. |
208
208
| Team lead/Lead developer | Azure AI Project Manager on Foundry resource | Lead developers can create projects for their team and start building in the projects. After project creation, project owners can invite other members and assign the Azure AI User role. |
209
-
| Team members/developers | Azure AI User on Foundry resource | Developers can build and deploy AI models within a project and build Agents. |
209
+
| Team members/developers | Azure AI User on Foundry resource | Developers can build agents within a project. |
210
+
211
+
> [!IMPORTANT]
212
+
> Users with the Contributor role can deploy models in Azure AI Foundry.
210
213
211
214
## Access to resources created outside of AI Foundry
212
215
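Review bot: the new `[!IMPORTANT]` note after the roles table does not say at which scope the Contributor role allows model deployment, while every row of the table names its scope ("on Foundry resource"). Please state the scope in the note. With "deploy" removed from the Azure AI User row and "deploy models" added to the Managers row, the table should also say outright whether Azure AI User can still deploy models, so that an admin can tell which role assignments carry deployment rights. A smaller point: "the foundry", which replaces "the hub" in the IT admin and Managers rows, is inconsistent with "Foundry resource" and "Foundry accounts" in the same rows; "the Foundry resource" would read consistently.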
@@ -215,12 +218,12 @@ When you create a Foundry resource, the built-in role-based access control permi
215
218
- The resource you're trying to use has permissions set up to allow you to access it.
216
219
- Your Foundry account resource is allowed to access it.
217
220
218
-
For example, if you're trying to consume a new Blob storage, you need to ensure that the Foundry account resource's managed identity is added to the Blob Storage Reader role for the Blob. If you're trying to use a new Azure AI Search source, you might need to add the hub to the Azure AI Search's role assignments.
221
+
For example, if you're trying to consume a new Blob storage, you need to ensure that the Foundry account resource's managed identity is added to the Blob Storage Reader role for the Blob. If you're trying to use a new Azure AI Search source, you might need to add the foundry to the Azure AI Search's role assignments.
219
222
220
223
221
224
## Manage access with roles
222
225
223
-
If you're an owner of a Foundry account resource, you can add and remove roles for Azure AI Foundry. From the **Home** page in [Azure AI Foundry](https://ai.azure.com/?cid=learnDocs), select your Foundry resource. Then select **Users** to add and remove users for the hub. You can also manage permissions from the [Azure portal](https://portal.azure.com) under **Access Control (IAM)** or through the Azure CLI.
226
+
If you're an owner of a Foundry account resource, you can add and remove roles for Azure AI Foundry. From the **Home** page in [Azure AI Foundry](https://ai.azure.com/?cid=learnDocs), select your Foundry resource. Then select **Users** to add and remove users for the foundry. You can also manage permissions from the [Azure portal](https://portal.azure.com) under **Access Control (IAM)** or through the Azure CLI.
224
227
225
228
For example, the following command assigns Azure AI User role to `[email protected]` for resource group `this-rg` in the subscription with an ID of `00000000-0000-0000-0000-000000000000`:
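Review bot: "add the foundry to the Azure AI Search's role assignments" in the rewritten example paragraph names neither a principal nor a role, whereas the sentence before it is specific about both ("the Foundry account resource's managed identity" and a named role). Suggest wording the Search case the same way, for example "add the Foundry account resource's managed identity to the required role on the Azure AI Search resource", and naming that role. The same applies to "add and remove users for the foundry" in the "Manage access with roles" paragraph, where the preceding sentence already says "select your Foundry resource"; reuse that term rather than introducing a lowercase "foundry".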