Merge pull request #194095 from rolyon/rolyon-abac-blobs-list-optimization

[Azure ABAC] Blobs list optimization

Author: v-regandowner

articles/role-based-access-control/conditions-format.md

@@ -8,7 +8,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: overview
 ms.workload: identity
-ms.date: 11/16/2021
+ms.date: 05/16/2022
 ms.author: rolyon
 
 #Customer intent: As a dev, devops, or it admin, I want to learn how to constrain access within a role assignment by using conditions.
@@ -55,23 +55,19 @@ For more information about how to create these examples, see [Examples of Azure
 
 ## Where can conditions be added?
 
-Currently, conditions can be added to built-in or custom role assignments that have [storage blob data actions](conditions-format.md#actions). These include the following built-in roles:
+Currently, conditions can be added to built-in or custom role assignments that have [blob storage or queue storage data actions](conditions-format.md#actions). Conditions are added at the same scope as the role assignment. Just like role assignments, you must have `Microsoft.Authorization/roleAssignments/write` permissions to add a condition.
 
-- [Storage Blob Data Contributor](built-in-roles.md#storage-blob-data-contributor)
-- [Storage Blob Data Owner](built-in-roles.md#storage-blob-data-owner)
-- [Storage Blob Data Reader](built-in-roles.md#storage-blob-data-reader)
+Here are some of the [blob storage attributes](../storage/common/storage-auth-abac-attributes.md#azure-blob-storage-attributes) you can use in your conditions.
 
-Conditions are added at the same scope as the role assignment. Just like role assignments, you must have `Microsoft.Authorization/roleAssignments/write` permissions to add a condition.
-
-Here are the storage attributes you can use in your conditions.
-
-- Container name
-- Blob path
-- Blob index tags keys
+- Account name
 - Blob index tags
-
-> [!TIP]
-> Blobs also support the ability to store arbitrary user-defined key-value metadata. Although metadata is similar to blob index tags, you must use blob index tags with conditions. For more information, see [Manage and find Azure Blob data with blob index tags (preview)](../storage/blobs/storage-manage-find-blobs.md).
+- Blob path
+- Blob prefix
+- Container name
+- Encryption scope name
+- Is hierarchical namespace enabled
+- Snapshot
+- Version ID
 
 ## What does a condition look like?
 
@@ -85,7 +81,7 @@ If Chandra tries to read a blob without the Project=Cascade tag, access will not
 
 Here is what the condition looks like in the Azure portal:
 
-![Build expression section with values for blob index tags.](./media/shared/condition-expressions.png)
+:::image type="content" source="./media/shared/condition-expressions.png" alt-text="Screenshot of condition editor in Azure portal showing build expression section with values for blob index tags." lightbox="./media/shared/condition-expressions.png":::
 
 Here is what the condition looks like in code:
 
@@ -107,14 +103,15 @@ For more information about the format of conditions, see [Azure role assignment
 
 ## Features of conditions
 
-Here's a list of the some of the primary features of conditions:
+Here's a list of the primary features of conditions:
 
 | Feature | Status | Date |
 | --- | --- | --- |
-| Add conditions to Storage Blob Data role assignments | Preview | May 2021 |
+| Use the following [attributes](../storage/common/storage-auth-abac-attributes.md#azure-blob-storage-attributes) in a condition: Account name, Blob prefix, Encryption scope name, Is hierarchical namespace enabled, Snapshot, Version ID | Preview | May 2022 |
+| Use [custom security attributes on a principal in a condition](conditions-format.md#principal-attributes) | Preview | November 2021 |
+| Add conditions to blob storage data role assignments | Preview | May 2021 |
 | Use attributes on a resource in a condition | Preview | May 2021 |
 | Use attributes that are part of the action request in a condition | Preview | May 2021 |
-| Use custom security attributes on a principal in a condition | Preview | November 2021 |
 
 ## Conditions and Privileged Identity Management (PIM)
 
@@ -132,6 +129,13 @@ To better understand Azure RBAC and Azure ABAC, you can refer back to the follow
 | attribute | In this context, a key-value pair such as Project=Blue, where Project is the attribute key and Blue is the attribute value. Attributes and tags are synonymous for access control purposes. |
 | expression | A statement in a condition that evaluates to true or false. An expression has the format of <attribute> <operator> <value>. |
 
+## Limits
+
+Here are some of the limits for conditions.
+
+| Resource | Limit | Notes |
+| --- | --- | --- |
+| Number of expressions per condition using the visual editor | 5 | You can add more than five expressions using the code editor |
 
 ## Known issues
 

articles/role-based-access-control/conditions-overview.md

@@ -8,7 +8,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
 ms.workload: identity
-ms.date: 11/16/2021
+ms.date: 05/16/2022
 ms.author: rolyon
 ms.custom: subject-rbac-steps
 ---
@@ -119,7 +119,7 @@ Once you have the Add role assignment condition page open, you can review the ba
 
 1. In the **Operator** list, select an operator.
 
-    For more information, see [Operators](conditions-format.md#operators).
+    For more information, see [Azure role assignment condition format and syntax](conditions-format.md).
 
 1. In the **Value** box, enter a value for the right side of the expression.
 

articles/role-based-access-control/conditions-role-assignments-portal.md

@@ -8,7 +8,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: troubleshooting
 ms.workload: identity
-ms.date: 11/16/2021
+ms.date: 05/16/2022
 ms.author: rolyon
 
 #Customer intent: 
@@ -187,12 +187,36 @@ Fix any [condition format or syntax](conditions-format.md) issues. Alternatively
 
 **Cause**
 
-If you copy a condition from a document, it might include special characters and cause errors. Some editors (such as Microsoft Word) add control characters when formatting text that does not appear.
+If you use PowerShell and copy a condition from a document, it might include special characters that cause the following error. Some editors (such as Microsoft Word) add control characters when formatting text that does not appear.
+
+`The given role assignment condition is invalid.`
 
 **Solution**
 
 If you copied a condition from a rich text editor and you are certain the condition is correct, delete all spaces and returns and then add back the relevant spaces. Alternatively, use a plain text editor or a code editor, such as Visual Studio Code.
 
+## Symptom - Attribute does not apply error in visual editor for previously saved condition
+
+When you open a previously saved condition in the visual editor, you get the following message:
+
+`Attribute does not apply for the selected actions. Select a different set of actions.`
+
+**Cause**
+
+In May 2022, the Read a blob action was changed from the following format:
+
+`!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})`
+
+To exclude the `Blob.List` suboperation:
+
+`!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'} AND NOT SubOperationMatches{'Blob.List'})`
+
+If you created a condition with the Read a blob action prior to May 2022, you might see this error message in the visual editor.
+
+**Solution**
+
+Open the **Select an action** pane and reselect the **Read a blob** action.
+
 ## Next steps
 
 - [Azure role assignment condition format and syntax (preview)](conditions-format.md)