articles/machine-learning/how-to-assign-roles.md
Lines changed: 57 additions & 1 deletion
@@ -109,9 +109,65 @@ For more information on custom roles, see [Custom roles for Azure resources](/az
109
109
110
110
For more information on the operations (actions) usable with custom roles, see [Resource provider operations](/azure/role-based-access-control/resource-provider-operations#microsoftmachinelearningservices).
111
111
112
+
113
+
## Frequently asked questions
114
+
115
+
116
+
### Q. What are the permissions needed to perform various actions in the Azure Machine Learning service?
117
+
118
+
The following table is a summary of Azure Machine Learning activities and the permissions required to perform them at the least scope. As an example if an activity can be performed with a workspace scope (Column 4), then all higher scope with that permission will also work automatically. All paths in this table are **relative paths** to `Microsoft.MachineLearningServices/`.
| Create new workspace | Not required | Owner or contributor | N/A (becomes Owner or inherits higher scope role after creation) |
123
+
| Create new compute cluster | Not required | Not required | Owner, contributor, or custom role allowing: `workspaces/computes/write`|
124
+
| Create new Notebook VM | Not required | Owner or contributor | Not possible |
125
+
| Create new compute instance | Not required | Not required | Owner, contributor, or custom role allowing: `workspaces/computes/write`|
126
+
| Data plane activity like submitting run, accessing data, deploying model or publishing pipeline | Not required | Not required | Owner, contributor, or custom role allowing: `workspaces/*/write` <br/> Note that you also need a datastore registered to the workspace to allow MSI to access data in your storage account. |
127
+
128
+
129
+
### Q. How do I list all the custom roles in my subscription?
130
+
131
+
In the Azure CLI, run the following command.
132
+
133
+
```azurecli-interactive
134
+
az role definition list --subscription <sub-id> --custom-role-only true
135
+
```
136
+
137
+
### Q. How do I find the role definition for a role in my subscription?
138
+
139
+
In the Azure CLI, run the following command. Note that `<role-name>` should be in the same format returned by the command above.
140
+
141
+
```azurecli-interactive
142
+
az role definition list -n <role-name> --subscription <sub-id>
143
+
```
144
+
145
+
### Q. How do I update a role definition?
146
+
147
+
In the Azure CLI, run the following command.
148
+
149
+
```azurecli-interactive
150
+
az role definition update --role-definition update_def.json --subscription <sub-id>
151
+
```
152
+
153
+
Note that you need to have permissions on the entire scope of your new role definition. For example if this new role has a scope across three subscriptions, you need to have permissions on all three subscriptions.
154
+
155
+
> [!NOTE]
156
+
> Role updates can take 15 minutes to an hour to apply across all role assignments in that scope.
157
+
### Q. Can I define a role that prevents updating the workspace Edition?
158
+
159
+
Yes, you can define a role that prevents updating the workspace Edition. Since the workspace update is a PATCH call on the workspace object, you do this by putting the following action in the `"NotActions"` array in your JSON definition:
### Q. What permissions are needed to perform quota operations in a workspace?
164
+
165
+
You need subscription level permissions to perform any quota related operation in the workspace. This means setting either subscription level quota or workspace level quota for your managed compute resources can only happen if you have write permissions at the subscription scope.
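Review bot: In the table row for data plane activity, the custom-role option `workspaces/*/write` is a wildcard that also matches `workspaces/computes/write` from the compute cluster and compute instance rows, so it is broader than the "least scope" the introductory paragraph promises. Consider listing the specific write actions that run submission, data access, model deployment and pipeline publishing need, or stating in that row that the wildcard also grants compute creation. Two smaller points: the update FAQ passes `update_def.json` without saying what the file must contain, so a sentence or link describing it would help; and the `> [!NOTE]` block about propagation time is followed directly by the next `### Q.` heading with no blank line between them.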