Merge pull request #287180 from rolyon/rolyon-rbac-roles-app-configuration

prmerger-automator[bot] · web-flow · commit 3f468a903639 · 2024-09-23T17:35:25.000Z
[Azure RBAC] App Configuration roles
diff --git a/articles/role-based-access-control/built-in-roles.md b/articles/role-based-access-control/built-in-roles.md
@@ -338,8 +338,10 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='api-management-workspace-api-product-manager'></a>[API Management Workspace API Product Manager](./built-in-roles/integration.md#api-management-workspace-api-product-manager) | Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope. | 73c2c328-d004-4c5e-938c-35c6f5679a1f |
 > | <a name='api-management-workspace-contributor'></a>[API Management Workspace Contributor](./built-in-roles/integration.md#api-management-workspace-contributor) | Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope. | 0c34c906-8d99-4cb7-8bb7-33f5b0a1a799 |
 > | <a name='api-management-workspace-reader'></a>[API Management Workspace Reader](./built-in-roles/integration.md#api-management-workspace-reader) | Has read-only access to entities in the workspace. This role should be assigned on the workspace scope. | ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2 |
+> | <a name='app-configuration-contributor'></a>[App Configuration Contributor](./built-in-roles/integration.md#app-configuration-contributor) | Grants permission for all management operations, except purge, for App Configuration resources. | fe86443c-f201-4fc4-9d2a-ac61149fbda0 |
 > | <a name='app-configuration-data-owner'></a>[App Configuration Data Owner](./built-in-roles/integration.md#app-configuration-data-owner) | Allows full access to App Configuration data. | 5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b |
 > | <a name='app-configuration-data-reader'></a>[App Configuration Data Reader](./built-in-roles/integration.md#app-configuration-data-reader) | Allows read access to App Configuration data. | 516239f1-63e1-4d78-a4de-a74fb236a071 |
+> | <a name='app-configuration-reader'></a>[App Configuration Reader](./built-in-roles/integration.md#app-configuration-reader) | Grants permission for read operations for App Configuration resources. | 175b81b9-6e0d-490a-85e4-0d422273c10c |
 > | <a name='azure-api-center-compliance-manager'></a>[Azure API Center Compliance Manager](./built-in-roles/integration.md#azure-api-center-compliance-manager) | Allows managing API compliance in Azure API Center service. | ede9aaa3-4627-494e-be13-4aa7c256148d |
 > | <a name='azure-api-center-data-reader'></a>[Azure API Center Data Reader](./built-in-roles/integration.md#azure-api-center-data-reader) | Allows for access to Azure API Center data plane read operations. | c7244dfb-f447-457d-b2ba-3999044d1706 |
 > | <a name='azure-api-center-service-contributor'></a>[Azure API Center Service Contributor](./built-in-roles/integration.md#azure-api-center-service-contributor) | Allows managing Azure API Center service. | dd24193f-ef65-44e5-8a7e-6fa6e03f7713 |
diff --git a/articles/role-based-access-control/built-in-roles/integration.md b/articles/role-based-access-control/built-in-roles/integration.md
@@ -578,6 +578,55 @@ Has read-only access to entities in the workspace. This role should be assigned
 }
 ```
 
+## App Configuration Contributor
+
+Grants permission for all management operations, except purge, for App Configuration resources.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/* |  |
+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | **NotActions** |  |
+> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/locations/deletedConfigurationStores/purge/action | Purge the specified deleted configuration store. |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Grants permission for all management operations, except purge, for App Configuration resources.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/fe86443c-f201-4fc4-9d2a-ac61149fbda0",
+  "name": "fe86443c-f201-4fc4-9d2a-ac61149fbda0",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.AppConfiguration/*",
+        "Microsoft.Authorization/*/read",
+        "Microsoft.Insights/alertRules/*",
+        "Microsoft.Resources/deployments/*",
+        "Microsoft.Resources/subscriptions/resourceGroups/read"
+      ],
+      "notActions": [
+        "Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action"
+      ],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "App Configuration Contributor",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
 ## App Configuration Data Owner
 
 Allows full access to App Configuration data.
@@ -666,6 +715,53 @@ Allows read access to App Configuration data.
 }
 ```
 
+## App Configuration Reader
+
+Grants permission for read operations for App Configuration resources.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.AppConfiguration](../permissions/integration.md#microsoftappconfiguration)/*/read |  |
+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/read | Read a classic metric alert |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/read | Gets or lists deployments. |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Grants permission for read operations for App Configuration resources.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/175b81b9-6e0d-490a-85e4-0d422273c10c",
+  "name": "175b81b9-6e0d-490a-85e4-0d422273c10c",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.AppConfiguration/*/read",
+        "Microsoft.Authorization/*/read",
+        "Microsoft.Insights/alertRules/read",
+        "Microsoft.Resources/deployments/read",
+        "Microsoft.Resources/subscriptions/resourceGroups/read"
+      ],
+      "notActions": [],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "App Configuration Reader",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
 ## Azure API Center Compliance Manager
 
 Allows managing API compliance in Azure API Center service.
