Merge pull request #197557 from wtnlee/refreshpermissions

PRMerger14 · web-flow · commit 0534b71b9808 · 2022-05-09T11:57:40.000-07:00
refresh permissions
diff --git a/articles/virtual-wan/about-nva-hub.md b/articles/virtual-wan/about-nva-hub.md
@@ -3,11 +3,11 @@ title: 'About Network Virtual Appliances - Virtual WAN hub'
 titleSuffix: Azure Virtual WAN
 description: Learn about Network Virtual Appliances in a Virtual WAN hub.
 services: virtual-wan
-author: cherylmc
+author: wtnlee
 ms.service: virtual-wan
 ms.topic: conceptual
 ms.date: 06/02/2021
-ms.author: cherylmc
+ms.author: wellee
 ms.custom: references_regions
 # Customer intent: As someone with a networking background, I want to learn about Network Virtual Appliances in a Virtual WAN hub.
 ---
@@ -84,6 +84,24 @@ NVA Partners may create different resources depending on their appliance deploym
 
 :::image type="content" source="./media/about-nva-hub/managed-app.png" alt-text="Managed Application resource groups":::
 
+
+### Managed resource group permissions
+
+By default, all managed resource groups have an deny-all Azure Active Directory assignment. Deny-all assignments prevent customers from calling write operations on any resources in the managed resource group, including Network Virtual Appliance resources.
+
+However, partners may create exceptions for specific actions that customers are allowed to perform on resources deployed in managed resource groups.
+
+Permissions on resources in existing managed resource groups are not dynamically updated as new permitted actions are added by partners and require a manual refresh.
+
+To refresh permissions on the managed resource groups, customers can leverage the [Refresh Permissions REST API ](/rest/api/managedapplications/applications/refresh-permissions).
+
+> [!NOTE]
+> To properly apply new permissions, refresh permissions API must be called with an additional query parameter **targetVersion**. The value for targetVersion is provider-specific. Please reference your provider's documentation for the latest version number.
+
+```http-interactive
+POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Solutions/applications/{applicationName}/refreshPermissions?api-version=2019-07-01&targetVersion={targetVersion}
+```
+
 ### <a name="units"></a>NVA Infrastructure Units
 
 When you create an NVA in a Virtual WAN hub, you must choose the number of NVA Infrastructure Units you want to deploy it with. An **NVA Infrastructure Unit** is a unit of aggregate bandwidth capacity for an NVA in a Virtual WAN hub. An **NVA Infrastructure Unit** is similar to a VPN [Scale Unit](pricing-concepts.md#scale-unit) in terms of the way you think about capacity and sizing.
