articles/machine-learning/how-to-assign-roles.md
+38-30Lines changed: 38 additions & 30 deletions
Original file line number
Diff line number
Diff line change
@@ -65,7 +65,6 @@ To use Azure AD security groups:
65
65
3. Assign the group an RBAC role on the workspace, such as AzureML Data Scientist, Reader or Contributor.
66
66
4.[Add group members](../active-directory/fundamentals/active-directory-groups-members-azure-portal.md). The members consequently gain access to the workspace.
67
67
68
-
69
68
## Create custom role
70
69
71
70
If the built-in roles are insufficient, you can create custom roles. Custom roles might have read, write, delete, and compute resource permissions in that workspace. You can make the role available at a specific workspace level, a specific resource group level, or a specific subscription level.
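Review bot: the context line for step 4, `4.[Add group members](...)`, has no space after the list marker, so Markdown will not render it as the fourth item of the ordered list; since this hunk already touches the whitespace directly below that step, change it to `4. [Add group members](...)` in the same commit. The removed blank line itself is harmless, as one blank line still separates the list from `## Create custom role`.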
@@ -157,7 +156,7 @@ If you anticipate that you will need to recreate complex role assignments, an Az
157
156
158
157
## Common scenarios
159
158
160
-
The following table is a summary of Azure Machine Learning activities and the permissions required to perform them at the least scope. For example, if an activity can be performed with a workspace scope (Column 4), then all higher scope with that permission will also work automatically:
159
+
The following table is a summary of Azure Machine Learning activities and the permissions required to perform them at the least scope. For example, if an activity can be performed with a workspace scope (Column 4), then all higher scope with that permission will also work automatically. Note that for certain activities the permissions differ between V1 and V2 APIs.
161
160
162
161
> [!IMPORTANT]
163
162
> All paths in this table that start with `/` are **relative paths** to `Microsoft.MachineLearningServices/` :
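Review bot: in the rewritten sentence, "then all higher scope with that permission will also work automatically" should read "all higher scopes", and the new trailing sentence would be clearer if it pointed the reader at the new section, for example "Note that for certain activities the permissions differ between V1 and V2 APIs; see the differences table below." Dropping the original trailing colon is fine, because the `[!IMPORTANT]` block, not the table, follows immediately.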
@@ -168,8 +167,10 @@ The following table is a summary of Azure Machine Learning activities and the pe
168
167
| Request subscription level Amlcompute quota or set workspace level quota | Owner, or contributor, or custom role </br>allowing `/locations/updateQuotas/action`</br> at subscription scope | Not Authorized | Not Authorized |
169
168
| Create new compute cluster | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/write`|
170
169
| Create new compute instance | Not required | Not required | Owner, contributor, or custom role allowing: `/workspaces/computes/write`|
171
-
| Submitting any type of run | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/*/read", "/workspaces/environments/write", "/workspaces/experiments/runs/write", "/workspaces/metadata/artifacts/write", "/workspaces/metadata/snapshots/write", "/workspaces/environments/build/action", "/workspaces/experiments/runs/submit/action", "/workspaces/environments/readSecrets/action"`|
172
-
| Publishing pipelines and endpoints | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/endpoints/pipelines/*", "/workspaces/pipelinedrafts/*", "/workspaces/modules/*"`|
170
+
| Submitting any type of run (V1) | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/*/read", "/workspaces/environments/write", "/workspaces/experiments/runs/write", "/workspaces/metadata/artifacts/write", "/workspaces/metadata/snapshots/write", "/workspaces/environments/build/action", "/workspaces/experiments/runs/submit/action", "/workspaces/environments/readSecrets/action"`|
171
+
| Submitting any type of run (V2) | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/*/read", "/workspaces/environments/write", "/workspaces/jobs/*", "/workspaces/metadata/artifacts/write", "/workspaces/metadata/codes/*/write", "/workspaces/environments/build/action", "/workspaces/environments/readSecrets/action"`|
172
+
| Publishing pipelines and endpoints (V1) | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/endpoints/pipelines/*", "/workspaces/pipelinedrafts/*", "/workspaces/modules/*"`|
173
+
| Publishing pipelines and endpoints (V2) | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/endpoints/pipelines/*", "/workspaces/pipelinedrafts/*", "/workspaces/components/*"`|
173
174
| Attach an AKS resource <sub>2</sub> | Not required | Owner or contributor on the resource group that contains AKS |
174
175
| Deploying a registered model on an AKS/ACI resource | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/services/aks/write", "/workspaces/services/aci/write"`|
175
176
| Scoring against a deployed AKS endpoint | Not required | Not required | Owner, contributor, or custom role allowing: `"/workspaces/services/aks/score/action", "/workspaces/services/aks/listkeys/action"` (when you are not using Azure Active Directory auth) OR `"/workspaces/read"` (when you are using token auth) |
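Review bot: the V2 "Submitting any type of run" row replaces the granular V1 actions (`/workspaces/experiments/runs/write`, `/workspaces/experiments/runs/submit/action`) with the wildcard `"/workspaces/jobs/*"`, which authorizes every operation on jobs rather than only creating and submitting them; if narrower job actions exist, list them here, otherwise state explicitly that the wildcard is broader than the V1 equivalent so that readers building least-privilege custom roles are not surprised. The same row also names `"/workspaces/metadata/codes/*/write"`, while the new differences table further down gives the V2 code path as `Microsoft.MachineLearningServices/workspaces/codes/versions`; the two should agree. Finally, the unchanged context row "Attach an AKS resource" has three cells where every other row has four, so one scope column is missing.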
@@ -182,6 +183,20 @@ The following table is a summary of Azure Machine Learning activities and the pe
182
183
183
184
2: When attaching an AKS cluster, you also need to the [Azure Kubernetes Service Cluster Admin Role](../role-based-access-control/built-in-roles.md#azure-kubernetes-service-cluster-admin-role) on the cluster.
184
185
186
+
### Differences between actions for V1 and V2 APIs
187
+
188
+
There are certain differences between actions for V1 APIs and V2 APIs.
189
+
190
+
| Asset | Action path for V1 API | Action path for V2 API
| Snapshots and code | Microsoft.MachineLearningServices/workspaces/snapshots | Microsoft.MachineLearningServices/workspaces/codes/versions |
196
+
| Modules and components | Microsoft.MachineLearningServices/workspaces/modules | Microsoft.MachineLearningServices/workspaces/components |
197
+
198
+
You can make custom roles compatible with both V1 and V2 APIs by including both actions, or using wildcards that include both actions, for example Microsoft.MachineLearningServices/workspaces/datasets/*/read.
199
+
185
200
### Create a workspace using a customer-managed key
186
201
187
202
When using a customer-managed key (CMK), an Azure Key Vault is used to store the key. The user or service principal used to create the workspace must have owner or contributor access to the key vault.
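Review bot: the new "Differences between actions for V1 and V2 APIs" table has no header separator row and its header line lacks a closing pipe, so it will render as plain text; add `| --- | --- | --- |` between the header and the "Snapshots and code" row and terminate the header with `|`. The V1 snapshot path here is given as `Microsoft.MachineLearningServices/workspaces/snapshots`, whereas the scenarios table above lists `/workspaces/metadata/snapshots/write`; reconcile the two. The closing sentence recommends wildcards such as `Microsoft.MachineLearningServices/workspaces/datasets/*/read` for cross-API compatibility, and `datasets` is not one of the assets in the table, so either add that row or use one of the listed assets in the example; it would also help to note that a wildcard grants read on every asset under that segment, not only the V1 and V2 paths, which matters for least-privilege roles. The untouched context line "you also need to the [Azure Kubernetes Service Cluster Admin Role]" is missing the word "have".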
@@ -198,14 +213,11 @@ To perform MLflow operations with your Azure Machine Learning workspace, use the
198
213
199
214
| MLflow operation | Scope |
200
215
| --- | --- |
201
-
| List all experiments in the workspace tracking store, get an experiment by id, get an experiment by name |`Microsoft.MachineLearningServices/workspaces/experiments/read`|
202
-
| Create an experiment with a name , set a tag on an experiment, restore an experiment marked for deletion|`Microsoft.MachineLearningServices/workspaces/experiments/write`|
203
-
| Delete an experiment |`Microsoft.MachineLearningServices/workspaces/experiments/delete`|
204
-
| Get a run and related data and metadata, get a list of all values for the specified metric for a given run, list artifacts for a run |`Microsoft.MachineLearningServices/workspaces/experiments/runs/read`|
205
-
| Create a new run within an experiment, delete runs, restore deleted runs, log metrics under the current run, set tags on a run, delete tags on a run, log params (key-value pair) used for a run, log a batch of metrics, params, and tags for a run, update run status |`Microsoft.MachineLearningServices/workspaces/experiments/runs/write`|
206
-
| Get registered model by name, fetch a list of all registered models in the registry, search for registered models, latest version models for each requests stage, get a registered model's version, search model versions, get URI where a model version's artifacts are stored, search for runs by experiment ids |`Microsoft.MachineLearningServices/workspaces/models/read`|
207
-
| Create a new registered model, update a registered model's name/description, rename existing registered model, create new version of the model, update a model version's description, transition a registered model to one of the stages |`Microsoft.MachineLearningServices/workspaces/models/write`|
208
-
| Delete a registered model along with all its version, delete specific versions of a registered model |`Microsoft.MachineLearningServices/workspaces/models/delete`|
216
+
| (V1) List, read, create, update or delete experiments |`Microsoft.MachineLearningServices/workspaces/experiments/*`|
217
+
| (V2) List, read, create, update or delete jobs |`Microsoft.MachineLearningServices/workspaces/jobs/*`|
218
+
| Get registered model by name, fetch a list of all registered models in the registry, search for registered models, latest version models for each requests stage, get a registered model's version, search model versions, get URI where a model version's artifacts are stored, search for runs by experiment ids |`Microsoft.MachineLearningServices/workspaces/models/*/read`|
219
+
| Create a new registered model, update a registered model's name/description, rename existing registered model, create new version of the model, update a model version's description, transition a registered model to one of the stages |`Microsoft.MachineLearningServices/workspaces/models/*/write`|
220
+
| Delete a registered model along with all its version, delete specific versions of a registered model |`Microsoft.MachineLearningServices/workspaces/models/*/delete`|
209
221
210
222
<aid="customroles"></a>
211
223
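Review bot: collapsing the seven granular MLflow rows into `Microsoft.MachineLearningServices/workspaces/experiments/*` and `workspaces/jobs/*` loses the distinction between read, write and delete that the previous table made; a reader assembling a custom role for, say, read-only experiment tracking no longer has the `experiments/read` and `experiments/runs/read` actions to copy, and `*` silently includes delete. Keep the per-operation rows (or at least a read-only row) alongside the wildcard shorthand, and say that `*` covers deletion. The model rows switch from `models/read`, `models/write` and `models/delete` to `models/*/read` and friends; confirm that the starred form still matches the non-versioned model actions the old rows named, or list both. The `<aid="customroles"></a>` context line looks like `<a id="customroles"></a>` with the space lost and will not create the anchor as written.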
@@ -269,23 +281,20 @@ A more restricted role definition without wildcards in the allowed actions. It c