Merge pull request #101581 from rolyon/rolyon-rbac-monitor-notactions

[Azure RBAC] Updates to monitor notactions

Author: PRMerger20

articles/azure-monitor/platform/manage-access.md

@@ -237,13 +237,12 @@ See [Defining per-table access control](#table-level-rbac) below if you want to
 
 **Table level RBAC** allows you to define more granular control to data in a Log Analytics workspace in addition to the other permissions. This control allows you to define specific data types that are accessible only to a specific set of users.
 
-You implement table access control with [Azure custom roles](../../role-based-access-control/custom-roles.md) to either grant or deny access to specific [tables](../log-query/logs-structure.md) in the workspace. These roles are applied to workspaces with either workspace-context or resource-context [access control modes](design-logs-deployment.md#access-control-mode) regardless of the user's [access mode](design-logs-deployment.md#access-mode).
+You implement table access control with [Azure custom roles](../../role-based-access-control/custom-roles.md) to either grant access to specific [tables](../log-query/logs-structure.md) in the workspace. These roles are applied to workspaces with either workspace-context or resource-context [access control modes](design-logs-deployment.md#access-control-mode) regardless of the user's [access mode](design-logs-deployment.md#access-mode).
 
 Create a [custom role](../../role-based-access-control/custom-roles.md) with the following actions to define access to table access control.
 
-* To grant access to a table, include it in the **Actions** section of the role definition.
-* To deny access to a table, include it in the **NotActions** section of the role definition.
-* Use * to specify all tables.
+* To grant access to a table, include it in the **Actions** section of the role definition. To subtract access from the allowed **Actions**, include it in the **NotActions** section.
+* Use Microsoft.OperationalInsights/workspaces/query/* to specify all tables.
 
 For example, to create a role with access to the _Heartbeat_ and _AzureActivity_ tables, create a custom role using the following actions:
 
@@ -256,24 +255,21 @@ For example, to create a role with access to the _Heartbeat_ and _AzureActivity_
   ],
 ```
 
-To create a role with access to only _SecurityBaseline_ and no other tables, create a custom role using the following actions:
+To create a role with access to only the _SecurityBaseline_ table, create a custom role using the following actions:
 
 ```
 "Actions":  [
     "Microsoft.OperationalInsights/workspaces/read",
     "Microsoft.OperationalInsights/workspaces/query/read",
     "Microsoft.OperationalInsights/workspaces/query/SecurityBaseline/read"
 ],
-"NotActions":  [
-    "Microsoft.OperationalInsights/workspaces/query/*/read"
-],
 ```
 
 ### Custom logs
 
  Custom logs are created from data sources such as custom logs and HTTP Data Collector API. The easiest way to identify the type of log is by checking the tables listed under [Custom Logs in the log schema](../log-query/get-started-portal.md#understand-the-schema).
 
- You can't currently grant or deny access to individual custom logs, but you can grant or deny access to all custom logs. To create a role with access to all custom logs, create a custom role using the following actions:
+ You can't currently grant access to individual custom logs, but you can grant access to all custom logs. To create a role with access to all custom logs, create a custom role using the following actions:
 
 ```
 "Actions":  [