|
| 1 | +--- |
| 2 | +title: Role-based access control for Azure OpenAI |
| 3 | +titleSuffix: Azure AI services |
| 4 | +description: Learn how to use Azure RBAC for managing individual access to Azure OpenAI resources. |
| 5 | +services: cognitive-services |
| 6 | +author: mrbullwinkle |
| 7 | +manager: nitinme |
| 8 | +ms.service: cognitive-services |
| 9 | +ms.subservice: language-service |
| 10 | +ms.topic: how-to |
| 11 | +ms.date: 08/02/2022 |
| 12 | +ms.author: mbullwin |
| 13 | +recommendations: false |
| 14 | +--- |
| 15 | + |
| 16 | +# Role-based access control for Azure OpenAI Service |
| 17 | + |
| 18 | +Azure OpenAI Service supports Azure role-based access control (Azure RBAC), an authorization system for managing individual access to Azure resources. Using Azure RBAC, you assign different team members different levels of permissions based on their needs for a given project. For more information, see the [Azure RBAC documentation](../../../role-based-access-control/index.yml) for more information. |
| 19 | + |
| 20 | +## Add role assignment to an Azure OpenAI resource |
| 21 | + |
| 22 | +Azure RBAC can be assigned to an Azure OpenAI resource. To grant access to an Azure resource, you add a role assignment. |
| 23 | +1. In the [Azure portal](https://portal.azure.com/), search for **Azure OpenAI**. |
| 24 | +1. Select **Azure OpenAI**, and navigate to your specific resource. |
| 25 | + > [!NOTE] |
| 26 | + > You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. Do this by selecting the desired scope level and then navigating to the desired item. For example, selecting **Resource groups** and then navigating to a specific resource group. |
| 27 | +
|
| 28 | +1. Select **Access control (IAM)** on the left navigation pane. |
| 29 | +1. Select **Add**, then select **Add role assignment**. |
| 30 | +1. On the **Role** tab on the next screen, select a role you want to add. |
| 31 | +1. On the **Members** tab, select a user, group, service principal, or managed identity. |
| 32 | +1. On the **Review + assign** tab, select **Review + assign** to assign the role. |
| 33 | + |
| 34 | +Within a few minutes, the target will be assigned the selected role at the selected scope. For help with these steps, see [Assign Azure roles using the Azure portal](../../../role-based-access-control/role-assignments-portal.md). |
| 35 | + |
| 36 | +## Azure OpenAI roles |
| 37 | + |
| 38 | +- **Cognitive Services OpenAI User** |
| 39 | +- **Cognitive Services OpenAI Contributor** |
| 40 | +- **Cognitive Services Contributor** |
| 41 | +- **Cognitive Services Usages Reader** |
| 42 | + |
| 43 | +> [!NOTE] |
| 44 | +> Subscription level *Owner* and *Contributor* roles are inherited and take priority over the custom Azure OpenAI roles applied at the Resource Group level. |
| 45 | +
|
| 46 | +This section covers common tasks that different accounts and combinations of accounts are able to perform for Azure OpenAI resources. To view the full list of available **Actions** and **DataActions**, an individual role is granted from your Azure OpenAI resource go **Access control (IAM)** > **Roles** > Under the **Details** column for the role you're interested in select **View**. By default the **Actions** radial button is selected. You need to examine both **Actions** and **DataActions** to understand the full scope of capabilities assigned to a role. |
| 47 | + |
| 48 | +### Cognitive Services OpenAI User |
| 49 | + |
| 50 | +If a user were granted role-based access to only this role for an Azure OpenAI resource, they would be able to perform the following common tasks: |
| 51 | + |
| 52 | +✅ View the resource in [Azure portal](https://portal.azure.com) <br> |
| 53 | +✅ View the resource endpoint under **Keys and Endpoint** <br> |
| 54 | +✅ Ability to view the resource and associated model deployments in Azure OpenAI Studio. <br> |
| 55 | +✅ Ability to view what models are available for deployment in Azure OpenAI Studio. <br> |
| 56 | +✅ Use the Chat, Completions, and DALL-E (preview) playground experiences to generate text and images with any models that have already been deployed to this Azure OpenAI resource. |
| 57 | + |
| 58 | +A user with only this role assigned would be unable to: |
| 59 | + |
| 60 | +❌ Create new Azure OpenAI resources <br> |
| 61 | +❌ View/Copy/Regenerate keys under **Keys and Endpoint** <br> |
| 62 | +❌ Create new model deployments or edit existing model deployments <br> |
| 63 | +❌ Create/deploy custom fine-tuned models <br> |
| 64 | +❌ Upload datasets for fine-tuning <br> |
| 65 | +❌ Access quota <br> |
| 66 | +❌ Create customized content filters <br> |
| 67 | +❌ Add a data source for the use your data feature |
| 68 | + |
| 69 | +### Cognitive Services OpenAI Contributor |
| 70 | + |
| 71 | +This role has all the permissions of Cognitive Services OpenAI User and is also able to perform additional tasks like: |
| 72 | + |
| 73 | +✅ Create custom fine-tuned models <br> |
| 74 | +✅ Upload datasets for fine-tuning <br> |
| 75 | + |
| 76 | +A user with only this role assigned would be unable to: |
| 77 | + |
| 78 | +❌ Create new Azure OpenAI resources <br> |
| 79 | +❌ View/Copy/Regenerate keys under **Keys and Endpoint** <br> |
| 80 | +❌ Create new model deployments or edit existing model deployments <br> |
| 81 | +❌ Access quota <br> |
| 82 | +❌ Create customized content filters <br> |
| 83 | +❌ Add a data source for the use your data feature |
| 84 | + |
| 85 | +### Cognitive Services Contributor |
| 86 | + |
| 87 | +This role is typically granted access at the resource group level for a user in conjunction with additional roles. By itself this role would allow a user to perform the following tasks. |
| 88 | + |
| 89 | +✅ Create new Azure OpenAI resources within the assigned resource group. <br> |
| 90 | +✅ View resources in the assigned resource group in the [Azure portal](https://portal.azure.com). <br> |
| 91 | +✅ View the resource endpoint under **Keys and Endpoint** <br> |
| 92 | +✅ View/Copy/Regenerate keys under **Keys and Endpoint** <br> |
| 93 | +✅ Ability to view what models are available for deployment in Azure OpenAI Studio <br> |
| 94 | +✅ Use the Chat, Completions, and DALL-E (preview) playground experiences to generate text and images with any models that have already been deployed to this Azure OpenAI resource <br> |
| 95 | +✅ Create customized content filters <br> |
| 96 | +✅ Add a data source for the use your data feature <br> |
| 97 | + |
| 98 | +A user with only this role assigned would be unable to: |
| 99 | + |
| 100 | +❌ Create new model deployments or edit existing model deployments <br> |
| 101 | +❌ Access quota <br> |
| 102 | +❌ Create custom fine-tuned models <br> |
| 103 | +❌ Upload datasets for fine-tuning |
| 104 | + |
| 105 | +### Cognitive Services Usages Reader |
| 106 | + |
| 107 | +Viewing quota requires the **Cognitive Services Usages Reader** role. This role provides the minimal access necessary to view quota usage across an Azure subscription. |
| 108 | + |
| 109 | +This role can be found in the Azure portal under **Subscriptions** > ***Access control (IAM)** > **Add role assignment** > search for **Cognitive Services Usages Reader**. The role must be applied at the subscription level, it does not exist at the resource level. |
| 110 | + |
| 111 | +If you don't wish to use this role, the subscription **Reader** role provides equivalent access, but it also grants read access beyond the scope of what is needed for viewing quota. Model deployment via the Azure OpenAI Studio is also partially dependent on the presence of this role. |
| 112 | + |
| 113 | +This role provides little value by itself and is instead typically assigned in combination with one or more of the previously described roles. |
| 114 | + |
| 115 | +#### Cognitive Services Usages Reader + Cognitive Services OpenAI User |
| 116 | + |
| 117 | +All the capabilities of Cognitive Services OpenAI plus the ability to: |
| 118 | + |
| 119 | +✅ View quota allocations in Azure OpenAI Studio |
| 120 | + |
| 121 | +#### Cognitive Services Usages Reader + Cognitive Services OpenAI Contributor |
| 122 | + |
| 123 | +All the capabilities of Cognitive Services OpenAI Contributor plus the ability to: |
| 124 | + |
| 125 | +✅ View quota allocations in Azure OpenAI Studio |
| 126 | + |
| 127 | +#### Cognitive Services Usages Reader + Cognitive Services Contributor |
| 128 | + |
| 129 | +All the capabilities of Cognitive Services Contributor plus the ability to: |
| 130 | + |
| 131 | +✅ View & edit quota allocations in Azure OpenAI Studio <br> |
| 132 | +✅ Create new model deployments or edit existing model deployments <br> |
| 133 | + |
| 134 | +## Common Issues |
| 135 | + |
| 136 | +### Unable to view Azure Cognitive Search option in Azure OpenAI Studio |
| 137 | + |
| 138 | +**Issue:** |
| 139 | + |
| 140 | +When selecting an existing Cognitive Search resource the search indices don't load, and the loading wheel spins continuously. In Azure OpenAI Studio, go to **Playground Chat** > **Add your data (preview)** under Assistant setup. Selecting **Add a data source** opens a modal that allows you to add a data source through either Azure Cognitive Search or Blob Storage. Selecting the Azure Cognitive Search option and an existing Cognitive Search resource should load the available Azure Cognitive Search indices to select from. |
| 141 | + |
| 142 | +**Root cause** |
| 143 | + |
| 144 | +To make a generic API call for listing Azure Cognitive Search services, the following call is made: |
| 145 | + |
| 146 | +https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Search/searchServices?api-version=2021-04-01-Preview |
| 147 | + |
| 148 | +Replace {subscriptionId} with your actual subscription ID. |
| 149 | + |
| 150 | +For this API call, you need a **subscription-level scope** role. You can use the **Reader** role for read-only access or the **Contributor** role for read-write access. If you only need access to Azure Cognitive Search services, you can use the **Azure Cognitive Search Service Contributor** or **Azure Cognitive Search Service Reader** roles. |
| 151 | + |
| 152 | +**Solution options** |
| 153 | + |
| 154 | +- Contact your subscription administrator or owner: Reach out to the person managing your Azure subscription and request the appropriate access. Explain your requirements and the specific role you need (for example, Reader, Contributor, Azure Cognitive Search Service Contributor, or Azure Cognitive Search Service Reader). |
| 155 | + |
| 156 | +- Request subscription-level or resource group-level access: If you need access to specific resources, ask the subscription owner to grant you access at the appropriate level (subscription or resource group). This enables you to perform the required tasks without having access to unrelated resources. |
| 157 | + |
| 158 | +- Use API keys for Azure Cognitive Search: If you only need to interact with the Azure Cognitive Search service, you can request the admin keys or query keys from the subscription owner. These keys allow you to make API calls directly to the search service without needing an Azure RBAC role. Keep in mind that using API keys will **bypass** the Azure RBAC access control, so use them cautiously and follow security best practices. |
| 159 | + |
| 160 | +### Unable to upload files in Azure OpenAI Studio for on your data |
| 161 | + |
| 162 | +**Symptom:** Unable to access storage for the **on your data** feature using Azure OpenAI Studio. |
| 163 | + |
| 164 | +**Root cause:** |
| 165 | + |
| 166 | +Insufficient subscription-level access for the user attempting to access the blob storage in Azure OpenAI Studio. The user may **not** have the necessary permissions to call the Azure Management API endpoint: https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{accountName}/listAccountSas?api-version=2022-09-01 |
| 167 | + |
| 168 | +Public access to the blob storage is disabled by the owner of the Azure subscription for security reasons. |
| 169 | + |
| 170 | +Permissions needed for the API call: |
| 171 | +`**Microsoft.Storage/storageAccounts/listAccountSas/action:**` This permission allows the user to list the Shared Access Signature (SAS) tokens for the specified storage account. |
| 172 | + |
| 173 | +Possible reasons why the user may **not** have permissions: |
| 174 | + |
| 175 | +- The user is assigned a limited role in the Azure subscription, which does not include the necessary permissions for the API call. |
| 176 | +- The user's role has been restricted by the subscription owner or administrator due to security concerns or organizational policies. |
| 177 | +- The user's role has been recently changed, and the new role does not grant the required permissions. |
| 178 | + |
| 179 | +**Solution options** |
| 180 | + |
| 181 | +- Verify and update access rights: Ensure the user has the appropriate subscription-level access, including the necessary permissions for the API call (Microsoft.Storage/storageAccounts/listAccountSas/action). If required, request the subscription owner or administrator to grant the necessary access rights. |
| 182 | +- Request assistance from the owner or admin: If the solution above is not feasible, consider asking the subscription owner or administrator to upload the data files on your behalf. This approach can help import the data into Azure OpenAI Studio without **user** requiring subscription-level access or public access to the blob storage. |
| 183 | + |
| 184 | +## Next steps |
| 185 | + |
| 186 | +- Learn more about [Azure-role based access control (Azure RBAC)](../../../role-based-access-control/index.yml). |
| 187 | +- Also check out[assign Azure roles using the Azure portal](../../../role-based-access-control/role-assignments-portal.md). |
0 commit comments