Merge pull request #286507 from rolyon/rolyon-rbac-roles-deid-healthdataaiservices

prmerger-automator[bot] · web-flow · commit 04db7b787460 · 2024-09-10T23:54:41.000Z
[Azure RBAC] DeID roles and HealthDataAIServices provider
diff --git a/articles/role-based-access-control/built-in-roles.md b/articles/role-based-access-control/built-in-roles.md
@@ -303,6 +303,10 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='azure-service-bus-data-receiver'></a>[Azure Service Bus Data Receiver](./built-in-roles/integration.md#azure-service-bus-data-receiver) | Allows for receive access to Azure Service Bus resources. | 4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0 |
 > | <a name='azure-service-bus-data-sender'></a>[Azure Service Bus Data Sender](./built-in-roles/integration.md#azure-service-bus-data-sender) | Allows for send access to Azure Service Bus resources. | 69a216fc-b8fb-44d8-bc22-1f3c2cd27a39 |
 > | <a name='biztalk-contributor'></a>[BizTalk Contributor](./built-in-roles/integration.md#biztalk-contributor) | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 |
+> | <a name='deid-batch-data-owner'></a>[DeID Batch Data Owner](./built-in-roles/integration.md#deid-batch-data-owner) | Create and manage DeID batch jobs. This role is in preview and subject to change. | 8a90fa6b-6997-4a07-8a95-30633a7c97b9 |
+> | <a name='deid-batch-data-reader'></a>[DeID Batch Data Reader](./built-in-roles/integration.md#deid-batch-data-reader) | Read DeID batch jobs. This role is in preview and subject to change. | b73a14ee-91f5-41b7-bd81-920e12466be9 |
+> | <a name='deid-data-owner'></a>[DeID Data Owner](./built-in-roles/integration.md#deid-data-owner) | Full access to DeID data. This role is in preview and subject to change | 78e4b983-1a0b-472e-8b7d-8d770f7c5890 |
+> | <a name='deid-realtime-data-user'></a>[DeID Realtime Data User](./built-in-roles/integration.md#deid-realtime-data-user) | Execute requests against DeID realtime endpoint. This role is in preview and subject to change. | bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e |
 > | <a name='eventgrid-contributor'></a>[EventGrid Contributor](./built-in-roles/integration.md#eventgrid-contributor) | Lets you manage EventGrid operations. | 1e241071-0855-49ea-94dc-649edcd759de |
 > | <a name='eventgrid-data-sender'></a>[EventGrid Data Sender](./built-in-roles/integration.md#eventgrid-data-sender) | Allows send access to event grid events. | d5a91429-5739-47e2-a06b-3470a27159e7 |
 > | <a name='eventgrid-eventsubscription-contributor'></a>[EventGrid EventSubscription Contributor](./built-in-roles/integration.md#eventgrid-eventsubscription-contributor) | Lets you manage EventGrid event subscription operations. | 428e0ff0-5e57-4d9c-a221-2c70d0e0a443 |
diff --git a/articles/role-based-access-control/built-in-roles/integration.md b/articles/role-based-access-control/built-in-roles/integration.md
@@ -1102,6 +1102,178 @@ Lets you manage BizTalk services, but not access to them.
 }
 ```
 
+## DeID Batch Data Owner
+
+Create and manage DeID batch jobs. This role is in preview and subject to change.
+
+[Learn more](/azure/healthcare-apis/deidentification/manage-access-rbac)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | *none* |  |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | [Microsoft.HealthDataAIServices](../permissions/integration.md#microsofthealthdataaiservices)/DeidServices/Batch/write | Creates batches |
+> | [Microsoft.HealthDataAIServices](../permissions/integration.md#microsofthealthdataaiservices)/DeidServices/Batch/delete | Deletes a batch |
+> | [Microsoft.HealthDataAIServices](../permissions/integration.md#microsofthealthdataaiservices)/DeidServices/Batch/read | Reads a batch |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Create and manage DeID batch jobs. This role is in preview and subject to change.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/8a90fa6b-6997-4a07-8a95-30633a7c97b9",
+  "name": "8a90fa6b-6997-4a07-8a95-30633a7c97b9",
+  "permissions": [
+    {
+      "actions": [],
+      "notActions": [],
+      "dataActions": [
+        "Microsoft.HealthDataAIServices/DeidServices/Batch/write",
+        "Microsoft.HealthDataAIServices/DeidServices/Batch/delete",
+        "Microsoft.HealthDataAIServices/DeidServices/Batch/read"
+      ],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "DeID Batch Data Owner",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
+## DeID Batch Data Reader
+
+Read DeID batch jobs. This role is in preview and subject to change.
+
+[Learn more](/azure/healthcare-apis/deidentification/manage-access-rbac)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | *none* |  |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | [Microsoft.HealthDataAIServices](../permissions/integration.md#microsofthealthdataaiservices)/DeidServices/Batch/read | Reads a batch |
+> | **NotDataActions** |  |
+> | [Microsoft.HealthDataAIServices](../permissions/integration.md#microsofthealthdataaiservices)/DeidServices/Batch/write | Creates batches |
+> | [Microsoft.HealthDataAIServices](../permissions/integration.md#microsofthealthdataaiservices)/DeidServices/Batch/delete | Deletes a batch |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Read DeID batch jobs. This role is in preview and subject to change.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/b73a14ee-91f5-41b7-bd81-920e12466be9",
+  "name": "b73a14ee-91f5-41b7-bd81-920e12466be9",
+  "permissions": [
+    {
+      "actions": [],
+      "notActions": [],
+      "dataActions": [
+        "Microsoft.HealthDataAIServices/DeidServices/Batch/read"
+      ],
+      "notDataActions": [
+        "Microsoft.HealthDataAIServices/DeidServices/Batch/write",
+        "Microsoft.HealthDataAIServices/DeidServices/Batch/delete"
+      ]
+    }
+  ],
+  "roleName": "DeID Batch Data Reader",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
+## DeID Data Owner
+
+Full access to DeID data. This role is in preview and subject to change
+
+[Learn more](/azure/healthcare-apis/deidentification/manage-access-rbac)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | *none* |  |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | [Microsoft.HealthDataAIServices](../permissions/integration.md#microsofthealthdataaiservices)/DeidServices/* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Full access to DeID data. This role is in preview and subject to change",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/78e4b983-1a0b-472e-8b7d-8d770f7c5890",
+  "name": "78e4b983-1a0b-472e-8b7d-8d770f7c5890",
+  "permissions": [
+    {
+      "actions": [],
+      "notActions": [],
+      "dataActions": [
+        "Microsoft.HealthDataAIServices/DeidServices/*"
+      ],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "DeID Data Owner",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
+## DeID Realtime Data User
+
+Execute requests against DeID realtime endpoint. This role is in preview and subject to change.
+
+[Learn more](/azure/healthcare-apis/deidentification/manage-access-rbac)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | *none* |  |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | [Microsoft.HealthDataAIServices](../permissions/integration.md#microsofthealthdataaiservices)/DeidServices/Realtime/action | Allows access to the realtime endpoint |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Execute requests against DeID realtime endpoint. This role is in preview and subject to change.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e",
+  "name": "bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e",
+  "permissions": [
+    {
+      "actions": [],
+      "notActions": [],
+      "dataActions": [
+        "Microsoft.HealthDataAIServices/DeidServices/Realtime/action"
+      ],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "DeID Realtime Data User",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
 ## EventGrid Contributor
 
 Lets you manage EventGrid operations.
diff --git a/articles/role-based-access-control/permissions/integration.md b/articles/role-based-access-control/permissions/integration.md
@@ -1100,6 +1100,39 @@ Azure service: [Azure API for FHIR](/azure/healthcare-apis/azure-api-for-fhir/)
 > | Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action | Allows user to perform Create Update Delete operations on profile resources. |
 > | Microsoft.HealthcareApis/workspaces/fhirservices/resources/searchParameter/action | Allows running of $status operation for Search Parameters |
 
+## Microsoft.HealthDataAIServices
+
+Azure service: [Azure Health Data Services](/azure/healthcare-apis/healthcare-apis-overview)
+
+> [!div class="mx-tableFixed"]
+> | Action | Description |
+> | --- | --- |
+> | Microsoft.HealthDataAIServices/register/action | Register the subscription for Microsoft.HealthDataAIServices |
+> | Microsoft.HealthDataAIServices/unregister/action | Unregister the subscription for Microsoft.HealthDataAIServices |
+> | Microsoft.HealthDataAIServices/DeidServices/read | List DeidService resources by subscription ID |
+> | Microsoft.HealthDataAIServices/DeidServices/read | List DeidService resources by resource group |
+> | Microsoft.HealthDataAIServices/DeidServices/read | Get a DeidService |
+> | Microsoft.HealthDataAIServices/DeidServices/write | Create a DeidService |
+> | Microsoft.HealthDataAIServices/DeidServices/delete | Delete a DeidService |
+> | Microsoft.HealthDataAIServices/DeidServices/write | Update a DeidService |
+> | Microsoft.HealthDataAIServices/locations/operationStatuses/read | read operationStatuses |
+> | Microsoft.HealthDataAIServices/locations/operationStatuses/write | write operationStatuses |
+> | Microsoft.HealthDataAIServices/Operations/read | read Operations |
+> | **DataAction** | **Description** |
+> | Microsoft.HealthDataAIServices/DeidServices/Realtime/action | Allows access to the realtime endpoint |
+> | Microsoft.HealthDataAIServices/DeidServices/Batch/write | Creates batches |
+> | Microsoft.HealthDataAIServices/DeidServices/Batch/delete | Deletes a batch |
+> | Microsoft.HealthDataAIServices/DeidServices/Batch/read | Reads a batch |
+> | Microsoft.HealthDataAIServices/DeidServices/PrivateEndpointConnectionProxies/delete | Deletes private endpoint connection proxies |
+> | Microsoft.HealthDataAIServices/DeidServices/PrivateEndpointConnectionProxies/read | Reads private endpoint connection proxies |
+> | Microsoft.HealthDataAIServices/DeidServices/PrivateEndpointConnectionProxies/write | Writes private endpoint connection proxies |
+> | Microsoft.HealthDataAIServices/DeidServices/PrivateEndpointConnectionProxies/validate/action | Validates private endpoint connection proxies |
+> | Microsoft.HealthDataAIServices/DeidServices/PrivateEndpointConnectionProxies/validate/action | Validates private endpoint connection proxies |
+> | Microsoft.HealthDataAIServices/DeidServices/PrivateEndpointConnections/read | Reads private endpoint connections |
+> | Microsoft.HealthDataAIServices/DeidServices/PrivateEndpointConnections/write | Writes private endpoint connections |
+> | Microsoft.HealthDataAIServices/DeidServices/PrivateEndpointConnections/delete | Deletes private endpoint connections |
+> | Microsoft.HealthDataAIServices/DeidServices/PrivateLinkResources/read | Reads private link resources |
+
 ## Microsoft.Logic
 
 Automate the access and use of data across clouds without writing code.
diff --git a/articles/role-based-access-control/resource-provider-operations.md b/articles/role-based-access-control/resource-provider-operations.md
@@ -186,6 +186,7 @@ Click the resource provider name in the following list to see the list of permis
 > | [Microsoft.EventGrid](./permissions/integration.md#microsofteventgrid) | Get reliable event delivery at massive scale. | [Event Grid](/azure/event-grid/) |
 > | [Microsoft.EventHub](./permissions/integration.md#microsofteventhub) | Receive telemetry from millions of devices. | [Event Hubs](/azure/event-hubs/) |
 > | [Microsoft.HealthcareApis](./permissions/integration.md#microsofthealthcareapis) |  | [Azure API for FHIR](/azure/healthcare-apis/azure-api-for-fhir/) |
+> | [Microsoft.HealthDataAIServices](./permissions/integration.md#microsofthealthdataaiservices) |  | [Azure Health Data Services](/azure/healthcare-apis/healthcare-apis-overview) |
 > | [Microsoft.Logic](./permissions/integration.md#microsoftlogic) | Automate the access and use of data across clouds without writing code. | [Logic Apps](/azure/logic-apps/) |
 > | [Microsoft.NotificationHubs](./permissions/integration.md#microsoftnotificationhubs) | Send push notifications to any platform from any back end. | [Notification Hubs](/azure/notification-hubs/) |
 > | [Microsoft.Relay](./permissions/integration.md#microsoftrelay) | Expose services that run in your corporate network to the public cloud. | [Azure Relay](/azure/azure-relay/relay-what-is-it) |
