articles/role-based-access-control/role-definitions.md
Lines changed: 20 additions & 4 deletions
@@ -12,7 +12,7 @@ ms.devlang: na
12
12
ms.topic: conceptual
13
13
ms.tgt_pltfrm: na
14
14
ms.workload: identity
15
-
ms.date: 03/19/2020
15
+
ms.date: 04/17/2020
16
16
ms.author: rolyon
17
17
ms.reviewer: bagovind
18
18
ms.custom:
@@ -21,9 +21,9 @@ ms.custom:
21
21
22
22
If you are trying to understand how a role works or if you are creating your own [custom role for Azure resources](custom-roles.md), it's helpful to understand how roles are defined. This article describes the details of role definitions and provides some examples.
23
23
24
-
## Role definition structure
24
+
## Role definition
25
25
26
-
A *role definition* is a collection of permissions. It's sometimes just called a *role*. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can't be performed or operations related to underlying data. A role definition has the following structure:
26
+
A *role definition* is a collection of permissions. It's sometimes just called a *role*. A role definition lists the operations that can be performed, such as read, write, and delete. It can also list the operations that can't be performed or operations related to underlying data. A role definition has the following properties:
27
27
28
28
```
29
29
Name
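Review bot: renaming the heading from `## Role definition structure` to `## Role definition` changes the generated anchor from `#role-definition-structure` to `#role-definition`, so any in-repo links or redirects that point at the old anchor need to be updated in the same change. The accompanying wording change to "has the following properties:" is consistent with the property table added later in this file.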
@@ -37,6 +37,20 @@ NotDataActions []
37
37
AssignableScopes []
38
38
```
39
39
40
+
| Property | Description |
41
+
| --- | --- |
42
+
|`Name`| The display name of the role. |
43
+
|`Id`| The unique ID of the role. |
44
+
|`IsCustom`| Indicates whether this is a custom role. Set to `true` for custom roles. |
45
+
|`Description`| The description of the role. |
46
+
|`Actions`| An array of strings that specifies the management operations that the role allows to be performed. |
47
+
|`NotActions`| An array of strings that specifies the management operations that are excluded from the allowed `Actions`. |
48
+
|`DataActions`| An array of strings that specifies the data operations that the role allows to be performed to your data within that object. |
49
+
|`NotDataActions`| An array of strings that specifies the data operations that are excluded from the allowed `DataActions`. |
50
+
|`AssignableScopes`| An array of strings that specifies the scopes that the role is available for assignment. |
51
+
52
+
### Operations format
53
+
40
54
Operations are specified with strings that have the following format:
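Review bot: two rows of the new table read awkwardly: the `DataActions` description "operations that the role allows to be performed to your data within that object" (suggest "operations that the role allows on the data within that object") and the `AssignableScopes` description "the scopes that the role is available for assignment" (suggest "the scopes at which the role is available for assignment"). The `NotActions` and `NotDataActions` rows would also benefit from stating explicitly, as the Contributor example below does, that these operations are subtracted from this role's own `Actions` and `DataActions` rather than acting as a standalone deny, since that is a frequent misreading when reviewing custom roles. Minor style point: the cell delimiters are inconsistent between the header row (`| --- | --- |`) and the body rows (`|`Name`| The display name ...`).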
@@ -51,6 +65,8 @@ The `{action}` portion of an operation string specifies the type of operations y
51
65
|`action`| Enables custom operations like restart virtual machines (POST). |
52
66
|`delete`| Enables delete operations (DELETE). |
53
67
68
+
### Role definition example
69
+
54
70
Here's the [Contributor](built-in-roles.md#contributor) role definition in JSON format. The wildcard (`*`) operation under `Actions` indicates that the principal assigned to this role can perform all actions, or in other words, it can manage everything. This includes actions defined in the future, as Azure adds new resource types. The operations under `NotActions` are subtracted from `Actions`. In the case of the [Contributor](built-in-roles.md#contributor) role, `NotActions` removes this role's ability to manage access to resources and also assign access to resources.
55
71
56
72
```json
@@ -87,7 +103,7 @@ Management access is not inherited to your data provided that the container auth
87
103
88
104
Previously, role-based access control was not used for data operations. Authorization for data operations varied across resource providers. The same role-based access control authorization model used for management operations has been extended to data operations.
89
105
90
-
To support data operations, new data properties have been added to the role definition structure. Data operations are specified in the `DataActions` and `NotDataActions` properties. By adding these data properties, the separation between management and data is maintained. This prevents current role assignments with wildcards (`*`) from suddenly having accessing to data. Here are some data operations that can be specified in `DataActions` and `NotDataActions`:
106
+
To support data operations, new data properties have been added to the role definition. Data operations are specified in the `DataActions` and `NotDataActions` properties. By adding these data properties, the separation between management and data is maintained. This prevents current role assignments with wildcards (`*`) from suddenly having accessing to data. Here are some data operations that can be specified in `DataActions` and `NotDataActions`:
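Review bot: the modified line keeps the pre-existing typo "from suddenly having accessing to data"; since the line is touched anyway, correct it to "from suddenly having access to data". The change from "role definition structure" to "role definition" matches the heading rename earlier in this commit.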