articles/role-based-access-control/role-assignments.md (16 additions & 4 deletions)
@@ -81,13 +81,13 @@ The following table describes what the role assignment properties mean.
81
81
|`RoleDefinitionId`<br />`roleDefinitionId`| The unique ID of the role. |
82
82
|`RoleDefinitionName`<br />`roleDefinitionName`| The name of the role. |
83
83
|`ObjectId`<br />`principalId`| The Azure Active Directory (Azure AD) object identifier for the principal who has the role assigned. |
84
-
|`ObjectType`<br />`principalType`| The type of Azure AD object that the principal represents. |
84
+
|`ObjectType`<br />`principalType`| The type of Azure AD object that the principal represents. Valid values include `User`, `Group`, and `ServicePrincipal`. |
85
85
|`DisplayName`| For role assignments for users, the display name of the user. |
86
86
|`SignInName`<br />`principalName`| The unique principal name (UPN) of the user, or the name of the application associated with the service principal. |
87
87
|`Description`<br />`description`| The description of the role assignment. |
88
-
|`Condition`<br />`condition`|TODO|
89
-
|`ConditionVersion`<br />`conditionVersion`|TODO|
90
-
|`CanDelegate`<br />`canDelegate`|TODO|
88
+
|`Condition`<br />`condition`|Condition statement built using one or more actions from role definition and attributes.|
89
+
|`ConditionVersion`<br />`conditionVersion`|The condition version number. Defaults to 2.0 and is the only supported version.|
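Review bot: the `CanDelegate`/`canDelegate` row is deleted at the last `-` line of this hunk but no replacement row is visible, and the header counts 13 lines on each side while only three `+` rows appear; please confirm whether `canDelegate` is meant to be dropped from the table or a row went missing, since the property is still listed elsewhere in this file's PowerShell/CLI output. The new `Condition` cell also reads awkwardly: "Condition statement built using one or more actions from role definition and attributes." would be clearer as "A condition statement built from one or more actions in the role definition together with attributes." The `ObjectType` cell is fine as is, but if `User`, `Group`, and `ServicePrincipal` are the only accepted values, "Valid values are" is more precise than "include".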
@@ -135,6 +135,18 @@ Any role assignments that refer to a deleted principal ID become invalid. If you
135
135
136
136
You can add a text description to a role assignment. While descriptions are optional, it's a good practice to add them to your role assignments. Provide a short justification for why the principal needs the assigned role. When somebody audits the role assignments, descriptions can help to understand why they've been created and whether they're still applicable.
137
137
138
+
## Conditions
139
+
140
+
Some roles support *role assignment conditions* based on attributes in the context of specific actions. A role assignment condition is an additional check that you can optionally add to your role assignment to provide more fine-grained access control. For example, you can add a condition that requires an object to have a specific tag to read the object.
141
+
142
+
You typically build conditions using a visual condition editor, but here's what an example condition looks like in code:
143
+
144
+
```
145
+
((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})) OR (@resource[Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags:Project<$key_case_sensitive$>] StringEqualsIgnoreCase 'Cascade'))
146
+
```
147
+
148
+
For more information about conditions, see [What is Azure attribute-based access control (Azure ABAC)?](conditions-overview.md)
149
+
138
150
## Next steps
139
151
140
152
*[Understand role definitions](role-definitions.md)
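Review bot: the example condition in the new `## Conditions` section is presented without saying what it enforces, so a reader cannot connect it to the "specific tag" sentence above it; add one sentence after the fence explaining that, as written, the blob read action is allowed only when the blob's `Project` tag equals `Cascade`, and that the `Blob.List` sub-operation is excluded from the check (the `!( ... AND NOT SubOperationMatches{'Blob.List'})` clause). "Some roles support role assignment conditions" would also benefit from naming or linking the roles that do, so readers know where the property applies before they reach the ABAC overview link.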