|
| 1 | +--- |
| 2 | +title: Language service role-based access control (RBAC) |
| 3 | +titleSuffix: Azure Cognitive Services |
| 4 | +description: Use this article to learn about access controls for Azure Cognitive Service for Language |
| 5 | +services: cognitive-services |
| 6 | +author: aahill |
| 7 | +manager: nitinme |
| 8 | +ms.service: cognitive-services |
| 9 | +ms.subservice: language-service |
| 10 | +ms.topic: conceptual |
| 11 | +ms.date: 08/02/2022 |
| 12 | +ms.author: aahi |
| 13 | +--- |
| 14 | + |
| 15 | + |
| 16 | +# Language role-based access control |
| 17 | + |
| 18 | +Azure Cognitive Service for Language supports Azure role-based access control (Azure RBAC), an authorization system for managing individual access to Azure resources. Using Azure RBAC, you assign different team members different levels of permissions for your projects authoring resources. See the [Azure RBAC documentation](/azure/role-based-access-control/) for more information. |
| 19 | + |
| 20 | +## Enable Azure Active Directory authentication |
| 21 | + |
| 22 | +To use Azure RBAC, you must enable Azure Active Directory authentication. You can [create a new resource with a custom subdomain](../../authentication.md) or [create a custom subdomain for your existing resource](../../cognitive-services-custom-subdomains.md#how-does-this-impact-existing-resources). |
| 23 | + |
| 24 | +## Add role assignment to Language Authoring resource |
| 25 | + |
| 26 | +Azure RBAC can be assigned to a Language Authoring resource. To grant access to an Azure resource, you add a role assignment. |
| 27 | +1. In the [Azure portal](https://ms.portal.azure.com/), select **All services**. |
| 28 | +2. Select **Cognitive Services**, and navigate to your specific Language Authoring resource. |
| 29 | + |
| 30 | + > [!NOTE] |
| 31 | + > You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. Do this by selecting the desired scope level and then navigating to the desired item. For example, selecting **Resource groups** and then navigating to a specific resource group. |
| 32 | +
|
| 33 | +1. Select **Access control (IAM)** on the left navigation pane. |
| 34 | +1. Select **Add**, then select **Add role assignment**. |
| 35 | +1. On the **Role** tab on the next screen, select a role you want to add. |
| 36 | +1. On the **Members** tab, select a user, group, service principal, or managed identity. |
| 37 | +1. On the **Review + assign** tab, select **Review + assign** to assign the role. |
| 38 | + |
| 39 | +Within a few minutes, the target will be assigned the selected role at the selected scope. For help with these steps, see [Assign Azure roles using the Azure portal](/azure/role-based-access-control/role-assignments-portal). |
| 40 | + |
| 41 | +## Language role types |
| 42 | + |
| 43 | +Use the following table to determine access needs for your Language projects. |
| 44 | + |
| 45 | +These custom roles only apply to Language authoring resources. |
| 46 | + |
| 47 | +> [!NOTE] |
| 48 | +> * All prebuilt capabilities are accessible to all roles. |
| 49 | +> * The "Owner" and "Contributor" roles take priority over custom language roles. |
| 50 | +> * Azure Active Directory (Azure AD) is only used for custom Language roles. |
| 51 | +
|
| 52 | +### Cognitive Services Language reader |
| 53 | + |
| 54 | +A user that should only be validating and reviewing the Language apps, typically a tester to ensure the application is performing well before deploying the project. They may want to review the application’s assets to notify the app developers of any changes that need to be made, but do not have direct access to make them. Readers will have access to view the evaluation results. |
| 55 | + |
| 56 | + |
| 57 | +:::row::: |
| 58 | + :::column span=""::: |
| 59 | + **Capabilities** |
| 60 | + :::column-end::: |
| 61 | + :::column span=""::: |
| 62 | + **API Access** |
| 63 | + :::column-end::: |
| 64 | +:::row-end::: |
| 65 | +:::row::: |
| 66 | + :::column span=""::: |
| 67 | + * Read |
| 68 | + * Test |
| 69 | + :::column-end::: |
| 70 | + :::column span=""::: |
| 71 | + * All GET APIs under: |
| 72 | + * [Language Authoring CLU APIs](/rest/api/language/conversational-analysis-authoring) |
| 73 | + * [Language Authoring Text Analysis APIs](/rest/api/language/text-analysis-authoring) |
| 74 | + * [Question Answering Projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects) |
| 75 | + * Only the `TriggerExportProjectJob` POST operation under: |
| 76 | + * [Language Authoring CLU export API](/rest/api/language/conversational-analysis-authoring/export?tabs=HTTP) |
| 77 | + * [Language Authoring Text Analysis export API](/rest/api/language/text-analysis-authoring/export?tabs=HTTP) |
| 78 | + * Only Export POST operation under: |
| 79 | + * [Question Answering Projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects/export) |
| 80 | + * All the Batch testing web APIs |
| 81 | + *[Language Runtime CLU APIs](/rest/api/language/conversation-analysis-runtime) |
| 82 | + *[Language Runtime Text Analysis APIs](/rest/api/language/text-analysis-runtime) |
| 83 | + :::column-end::: |
| 84 | +:::row-end::: |
| 85 | + |
| 86 | +### Cognitive Services Language writer |
| 87 | + |
| 88 | +A user that is responsible for building and modifying an application, as a collaborator in a larger team. The collaborator can modify the Language apps in any way, train those changes, and validate/test those changes in the portal. However, this user shouldn’t have access to deploying this application to the runtime, as they may accidentally reflect their changes in production. They also shouldn’t be able to delete the application or alter its prediction resources and endpoint settings (assigning or unassigning prediction resources, making the endpoint public). This restricts this role from altering an application currently being used in production. They may also create new applications under this resource, but with the restrictions mentioned. |
| 89 | + |
| 90 | +:::row::: |
| 91 | + :::column span=""::: |
| 92 | + **Capabilities** |
| 93 | + :::column-end::: |
| 94 | + :::column span=""::: |
| 95 | + **API Access** |
| 96 | + :::column-end::: |
| 97 | +:::row-end::: |
| 98 | +:::row::: |
| 99 | + :::column span=""::: |
| 100 | + * All functionalities under Cognitive Services Language Reader. |
| 101 | + * Ability to: |
| 102 | + * Train |
| 103 | + * Write |
| 104 | + :::column-end::: |
| 105 | + :::column span=""::: |
| 106 | + * All APIs under Language reader |
| 107 | + * All POST, PUT and PATCH APIs under: |
| 108 | + * [Language Authoring CLU APIs](/rest/api/language/conversational-analysis-authoring) |
| 109 | + * [Language Authoring Text Analysis APIs](/rest/api/language/text-analysis-authoring) |
| 110 | + * [Question Answering Projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects) |
| 111 | + Except for |
| 112 | + * Delete deployment |
| 113 | + * Delete trained model |
| 114 | + * Delete project |
| 115 | + * Deploy model |
| 116 | + :::column-end::: |
| 117 | +:::row-end::: |
| 118 | + |
| 119 | +### Cognitive Services Language owner |
| 120 | + |
| 121 | +These users are the gatekeepers for the Language applications in production environments. They should have full access to any of the underlying functions and thus can view everything in the application and have direct access to edit any changes for both authoring and runtime environments |
| 122 | + |
| 123 | +:::row::: |
| 124 | + :::column span=""::: |
| 125 | + **Functionality** |
| 126 | + :::column-end::: |
| 127 | + :::column span=""::: |
| 128 | + **API Access** |
| 129 | + :::column-end::: |
| 130 | +:::row-end::: |
| 131 | +:::row::: |
| 132 | + :::column span=""::: |
| 133 | + * All functionalities under Cognitive Services Language Writer |
| 134 | + * Deploy |
| 135 | + * Delete |
| 136 | + :::column-end::: |
| 137 | + :::column span=""::: |
| 138 | + * All APIs available under: |
| 139 | + * [Language Authoring CLU APIs](/rest/api/language/conversational-analysis-authoring) |
| 140 | + * [Language Authoring Text Analysis APIs](/rest/api/language/text-analysis-authoring) |
| 141 | + * [Question Answering Projects](/rest/api/cognitiveservices/questionanswering/question-answering-projects) |
| 142 | + |
| 143 | + :::column-end::: |
| 144 | +:::row-end::: |
0 commit comments