You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/container-registry/container-registry-repository-scoped-permissions.md
+7-5Lines changed: 7 additions & 5 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -19,6 +19,8 @@ Scenarios for creating a token include:
19
19
* Provide an external organization with permissions to a specific repository
20
20
* Limit repository access to different user groups in your organization. For example, provide write and read access to developers who build images that target specific repositories, and read access to teams that deploy from those repositories.
21
21
22
+
This feature is available in all the service tiers. For information about registry service tiers and limits, see [Azure Container Registry service tiers](container-registry-skus.md)
23
+
22
24
## Limitations
23
25
24
26
* You can't currently assign repository-scoped permissions to an Azure Active Directory identity, such as a service principal or managed identity.
@@ -39,7 +41,7 @@ To configure repository-scoped permissions, you create a *token* with an associa
39
41
|`metadata/read`| Read metadata from the repository | List tags or manifests |
40
42
|`metadata/write`| Write metadata to the repository | Enable or disable read, write, or delete operations |
41
43
42
-
* A **scope map** groups the repository permissions you apply to a token, and can reapply to other tokens. Every token is associated with a single scope map.
44
+
* A **scope map** groups the repository permissions you apply to a token, and can reapply to other tokens. Every token is associated with a single scope map.
43
45
44
46
With a scope map:
45
47
@@ -48,7 +50,7 @@ To configure repository-scoped permissions, you create a *token* with an associa
48
50
49
51
Azure Container Registry also provides several system-defined scope maps you can apply when creating tokens. The permissions of system-defined scope maps apply to all repositories in your registry.The individual *actions* corresponds to the limit of [Repositories per scope map.](container-registry-skus.md)
50
52
51
-
The following image shows the relationship between tokens and scope maps.
53
+
The following image shows the relationship between tokens and scope maps.
52
54
53
55
54
56
@@ -162,7 +164,7 @@ After the token is validated and created, token details appear in the **Tokens**
162
164
163
165
### Add token password
164
166
165
-
To use a token created in the portal, you must generate a password. You can generate one or two passwords, and set an expiration date for each one. New passwords created for tokens are available immediately. Regenerating new passwords for tokens will take 60 seconds to replicate and be available.
167
+
To use a token created in the portal, you must generate a password. You can generate one or two passwords, and set an expiration date for each one. New passwords created for tokens are available immediately. Regenerating new passwords for tokens will take 60 seconds to replicate and be available.
166
168
167
169
1. In the portal, navigate to your container registry.
168
170
1. Under **Repository permissions**, select **Tokens**, and select a token.
@@ -398,7 +400,7 @@ In the portal, on the **Tokens** screen, select the token, and under **Scope map
398
400
399
401
## Disable or delete token
400
402
401
-
You might need to temporarily disable use of the token credentials for a user or service.
403
+
You might need to temporarily disable use of the token credentials for a user or service.
402
404
403
405
Using the Azure CLI, run the [az acr token update][az-acr-token-update] command to set the `status` to `disabled`:
0 commit comments