Merge pull request #247709 from rolyon/rolyon-rbac-user-access-admin-description

prmerger-automator[bot] · web-flow · commit 11fc5c621343 · 2023-08-10T04:54:30.000Z
[Azure RBAC] User Access Administrator description
diff --git a/articles/role-based-access-control/rbac-and-directory-admin-roles.md b/articles/role-based-access-control/rbac-and-directory-admin-roles.md
@@ -11,7 +11,7 @@ ms.service: role-based-access-control
 ms.workload: identity
 ms.tgt_pltfrm: na
 ms.topic: overview
-ms.date: 08/08/2023
+ms.date: 08/09/2023
 ms.author: rolyon
 ms.custom: it-pro;
 ---
@@ -37,10 +37,10 @@ The following diagram is a high-level view of how the Azure roles, Azure AD role
 
 | Azure role | Permissions | Notes |
 | --- | --- | --- |
-| [Owner](built-in-roles.md#owner) | <ul><li>Full access to all resources</li><li>Delegate access to others</li></ul> | The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope<br>Applies to all resource types. |
-| [Contributor](built-in-roles.md#contributor) | <ul><li>Create and manage all of types of Azure resources</li><li>Can't grant access to others</li></ul> | Applies to all resource types. |
+| [Owner](built-in-roles.md#owner) | <ul><li>Grants full access to manage all resources</li><li>Assign roles in Azure RBAC</li></ul> | The Service Administrator and Co-Administrators are assigned the Owner role at the subscription scope<br>Applies to all resource types. |
+| [Contributor](built-in-roles.md#contributor) | <ul><li>Grants full access to manage all resources</li><li>Can't assign roles in Azure RBAC</li><li>Can't manage assignments in Azure Blueprints or share image galleries</li></ul> | Applies to all resource types. |
 | [Reader](built-in-roles.md#reader) | <ul><li>View Azure resources</li></ul> | Applies to all resource types. |
-| [User Access Administrator](built-in-roles.md#user-access-administrator) | <ul><li>Manage user access to Azure resources</li></ul> |  |
+| [User Access Administrator](built-in-roles.md#user-access-administrator) | <ul><li>Manage user access to Azure resources</li><li>Assign roles in Azure RBAC</li><li>Assign themselves or others the Owner role</li></ul> |  |
 
 The rest of the built-in roles allow management of specific Azure resources. For example, the [Virtual Machine Contributor](built-in-roles.md#virtual-machine-contributor) role allows the user to create and manage virtual machines. For a list of all the built-in roles, see [Azure built-in roles](built-in-roles.md).
 
diff --git a/articles/role-based-access-control/role-assignments-steps.md b/articles/role-based-access-control/role-assignments-steps.md
@@ -7,7 +7,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.topic: how-to
 ms.workload: identity
-ms.date: 05/10/2023
+ms.date: 08/09/2023
 ms.author: rolyon
 ---
 
@@ -52,11 +52,11 @@ Job function roles allow management of specific Azure resources. For example, th
 
 Privileged administrator roles are roles that grant privileged administrator access, such as the ability to manage Azure resources or assign roles to other users. The following roles are considered privileged and apply to all resource types.
 
-| Role | Description |
+| Azure role | Permissions |
 | --- | --- |
-| [Owner](built-in-roles.md#owner) | Grants full access to manage all resources, including the ability to assign roles in Azure RBAC. |
-| [Contributor](built-in-roles.md#contributor) | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries. |
-| [User Access Administrator](built-in-roles.md#user-access-administrator) | Lets you manage user access to Azure resources. |
+| [Owner](built-in-roles.md#owner) | <ul><li>Grants full access to manage all resources</li><li>Assign roles in Azure RBAC</li></ul> |
+| [Contributor](built-in-roles.md#contributor) | <ul><li>Grants full access to manage all resources</li><li>Can't assign roles in Azure RBAC</li><li>Can't manage assignments in Azure Blueprints or share image galleries</li></ul> |
+| [User Access Administrator](built-in-roles.md#user-access-administrator) | <ul><li>Manage user access to Azure resources</li><li>Assign roles in Azure RBAC</li><li>Assign themselves or others the Owner role</li></ul> |
 
 It's a best practice to grant users the least privilege to get their work done. You should avoid assigning a privileged administrator role when a job function role can be assigned instead. If you must assign a privileged administrator role, use a narrow scope, such as resource group or resource, instead of a broader scope, such as management group or subscription.
 
