Merge pull request #107314 from diberry/diberry/0311-qna-rbac

v-albemi · web-flow · commit 23055fd76cdd · 2020-05-19T07:07:19.000-07:00
[Cogsvcs] Post keynote - QnA Maker - RBAC
diff --git a/articles/cognitive-services/QnAMaker/Concepts/role-based-access-control.md b/articles/cognitive-services/QnAMaker/Concepts/role-based-access-control.md
@@ -0,0 +1,50 @@
+---
+title: Collaborate with others - QnA Maker
+description:
+ms.topic: conceptual
+ms.date: 05/15/2020
+---
+
+# Collaborate with other authors and editors
+
+Collaborate with other authors and editors using role-based access control (RBAC) placed on your QnA Maker resource.
+
+## Access is provided on the QnA Maker resource
+
+All permissions are controlled by the permissions placed on the QnA Maker resource. These permissions align to read, write, publish, and full access.
+
+This RBAC feature includes:
+* Azure Active Directory (AAD) is 100% backward compatible with key-based authentication for owners and contributors. Customers can use either key-based authentication or RBAC-based authentication in their requests.
+* Quickly add authors and editors to all knowledge bases in the resource because control is at the resource level, not at the knowledge base level.
+
+## Access is provided by a defined role
+
+[!INCLUDE [RBAC permissions table](../includes/role-based-access-control.md)]
+
+## Authentication flow
+
+The following diagram shows the flow, from the author's perspective, for signing into the QnA Maker portal and using the authoring APIs.
+
+> [!div class="mx-imgBorder"]
+> ![The following diagram shows the flow, from the author's perspective, for signing into the QnA Maker portal and using the authoring APIs.](../media/qnamaker-how-to-collaborate-knowledge-base/rbac-flow-from-portal-to-service.png)
+
+|Steps|Description|
+|--|--|
+|1|Portal Acquires token for QnA Maker resource.|
+|2|Portal Calls the appropriate QnA Maker authoring API (APIM) passing the token instead of keys.|
+|3|QnA Maker API validates the token.|
+|4 |QnA Maker API calls QnAMaker Service.|
+
+If you intend to call the authoring APIs](../How-To/collaborate-knowledge-base.md), learn more about how to set up authentication.
+
+## Authenticate by QnA Maker portal
+
+If you author and collaborate using the QnA Maker portal, after you [add the appropriate role to the resource for a collaborator](../How-To/collaborate-knowledge-base.md), the QnA Maker portal manages all the access permissions.
+
+## Authenticate by QnA Maker APIs and SDKs
+
+If you author and collaborate using the APIs, either through REST or the SDKs, you need to [create a service principal](../../authentication.md#assign-a-role-to-a-service-principal) to manage the authentication.
+
+## Next step
+
+* Design a knowledge base for [languages](design-language-culture.md) and for [client applications](integration-with-other-applications.md)
diff --git a/articles/cognitive-services/QnAMaker/How-To/collaborate-knowledge-base.md b/articles/cognitive-services/QnAMaker/How-To/collaborate-knowledge-base.md
@@ -1,24 +1,29 @@
 ---
 title: Collaborating on knowledge base - QnA Maker
-titleSuffix: Azure Cognitive Services
 description: QnA Maker allows multiple people to collaborate on a knowledge base. This feature is provided with the Azure Role-Based Access Control.
-services: cognitive-services
-author: diberry
-manager: nitinme
-ms.service: cognitive-services
-ms.subservice: qna-maker
 ms.topic: conceptual
-ms.date: 01/03/2020
-ms.author: diberry
+ms.date: 03/17/2020
 ---
 
-# Collaborate on your knowledge base
+# Collaboration with authors and editors
 
-QnA Maker allows multiple people to collaborate on all knowledge bases in the same QnA Maker resource. This feature is provided with the Azure [Role-Based Access Control](https://docs.microsoft.com/azure/active-directory/role-based-access-control-configure).
+Collaboration is provided at the QnA Maker resource level to allow you to restrict collaborator access based on the collaborator's role. Learn more about QnA Maker collaborator authentication [concepts](../Concepts/role-based-access-control.md).
 
-Perform the following steps to share your QnA Maker service with someone:
+## Add role-based access (RBAC) to your QnA Maker resource
 
-1. Sign in to the Azure portal, and go to your QnA Maker resource.
+QnA Maker allows multiple people to collaborate on all knowledge bases in the same QnA Maker resource. This feature is provided with the Azure [Role-Based Access Control](../../../active-directory/role-based-access-control-configure.md).
+
+## Access at the QnA Maker resource level
+
+You cannot share a particular knowledge base in a QnA Maker service. If you want more granular access control, consider distributing your knowledge bases across different QnA Maker resources, then add roles to each resource.
+
+## Add role to resource
+
+### Add a user account to the QnA Maker resource
+
+The following steps use the collaborator role but any of the [roles](../reference-role-based-access-control.md) can be added using these steps
+
+1. Sign in to the [Azure](https://portal.azure.com/) portal, and go to your QnA Maker resource.
 
     ![QnA Maker resource list](../media/qnamaker-how-to-collaborate-knowledge-base/qnamaker-resource-list.PNG)
 
@@ -30,19 +35,29 @@ Perform the following steps to share your QnA Maker service with someone:
 
     ![QnA Maker IAM add](../media/qnamaker-how-to-collaborate-knowledge-base/qnamaker-iam-add.PNG)
 
-1. Select the **Owner** or the **Contributor** role. You cannot grant read-only access through Role-Based Access Control. Owner and Contributor roles have read-write access permissions to the QnA Maker service.
+1. Select a role from the following list:
+
+    |Role|
+    |--|
+    |Owner|
+    |Contributor|
+    |QnA Maker Reader|
+    |QnA Maker Editor|
+    |Cognitive Services User|
 
     ![QnA Maker IAM add role](../media/qnamaker-how-to-collaborate-knowledge-base/qnamaker-iam-add-role.PNG)
 
 1. Enter the user's email address and press **Save**.
 
     ![QnA Maker IAM add email](../media/qnamaker-how-to-collaborate-knowledge-base/qnamaker-iam-add-email.PNG)
 
-When the person, you shared your QnA Maker service with, logs into the [QnA Maker portal](https://qnamaker.ai) they can see all the knowledge bases in that service.
-
-Remember, you cannot share a particular knowledge base in a QnA Maker service. If you want more granular access control, consider distributing your knowledge bases across different QnA Maker services.
+When the person you shared your QnA Maker service with logs into the [QnA Maker portal](https://qnamaker.ai), they can see all the knowledge bases in that service based on their role.
 
 ## Next steps
 
 > [!div class="nextstepaction"]
 > [Test a knowledge base](./test-knowledge-base.md)
+
+Learn more about collaboration:
+* [Azure](../../../active-directory/role-based-access-control-configure.md) role-based access control
+* QnA Maker role-based access control [concepts](../Concepts/role-based-access-control.md)
diff --git a/articles/cognitive-services/QnAMaker/includes/role-based-access-control.md b/articles/cognitive-services/QnAMaker/includes/role-based-access-control.md
@@ -0,0 +1,17 @@
+---
+title: include file
+description: include file
+ms.topic: include
+ms.custom: include file
+ms.date: 03/11/2020
+---
+
+The following roles are provided for collaboration:
+
+|Role|Functionalities|API Access|API permissions|
+|--|--|--|--|
+|Owner|All|Authentication Key|All|
+|Contributor|All except ability to add new members to roles|Authentication Key|All except ability to add new members to roles|
+|QnA Maker Read<br>(read)|Export/Download<br>Test|Bearer token|1. Download KB API<br>2. List KBs for user API<br>3. Get Knowledge base details<br>4. Download Alterations<br>Generate Answer |
+|QnA Maker Editor<br>(read/write)|Export/Download<br>Test<br>Update KB<br>Export KB<br>Import KB<br>Replace KB<br>Create KB|Bearer token|1. Create KB API<br>2. Update KB API<br>3. Replace KB API<br>4. Replace Alterations<br>5. "Train API" [in new service model v5]|
+|Cognitive Service User<br>(read/write/publish)|All|Bearer token|All|
diff --git a/articles/cognitive-services/QnAMaker/media/qnamaker-how-to-collaborate-knowledge-base/rbac-flow-from-portal-to-service.png b/articles/cognitive-services/QnAMaker/media/qnamaker-how-to-collaborate-knowledge-base/rbac-flow-from-portal-to-service.png
diff --git a/articles/cognitive-services/QnAMaker/reference-role-based-access-control.md b/articles/cognitive-services/QnAMaker/reference-role-based-access-control.md
@@ -0,0 +1,12 @@
+---
+title: Role-based access control (RBAC) - QnA Maker
+description: Control access to QnA Maker with the Azure roles for your QnA Maker resource
+ms.topic: reference
+ms.date: 05/15/2020
+---
+
+# Role-based access control (RBAC)
+
+Use the following table to determine your access needs for your QnA Maker resource.
+
+[!INCLUDE [RBAC list](./includes/role-based-access-control.md)]
diff --git a/articles/cognitive-services/QnAMaker/toc.yml b/articles/cognitive-services/QnAMaker/toc.yml
@@ -30,6 +30,8 @@
   items:
   - name: Azure resources
     href: Concepts/azure-resources.md
+  - name: Collaborate with others
+    href: Concepts/role-based-access-control.md
   - name: Design a knowledge base
     items:
     - name: For languages
@@ -155,6 +157,8 @@
     href: Overview/language-support.md
   - name: Limits
     href: limits.md
+  - name: Role-based access control (RBAC)
+    href: reference-role-based-access-control.md
   - name: Troubleshooting
     href: troubleshooting.md
   - name: Service configuration
