Update role descriptions with read permissions

Author: rolyon

articles/role-based-access-control/built-in-roles/analytics.md

@@ -563,12 +563,14 @@ Can read, create, modify and delete HDInsight on AKS cluster pools and create cl
 
 Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; adding solutions; and configuring Azure diagnostics on all Azure resources.
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 [Learn more](/azure/azure-monitor/logs/manage-access)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.ClassicCompute](../permissions/compute.md#microsoftclassiccompute)/virtualMachines/extensions/* |  |
 > | [Microsoft.ClassicStorage](../permissions/storage.md#microsoftclassicstorage)/storageAccounts/listKeys/action | Lists the access keys for the storage accounts. |
 > | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/extensions/* |  |
@@ -628,12 +630,14 @@ Log Analytics Contributor can read all monitoring data and edit monitoring setti
 
 Log Analytics Reader can view and search all monitoring data as well as and view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources.
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 [Learn more](/azure/azure-monitor/logs/manage-access)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/analytics/query/action | Search using new engine. |
 > | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/search/action | Executes a search query |
 > | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |

articles/role-based-access-control/built-in-roles/general.md

@@ -20,12 +20,14 @@ This article lists the Azure built-in roles in the General category.
 
 View all resources, but does not allow you to make any changes.
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 [Learn more](/azure/role-based-access-control/rbac-and-directory-admin-roles)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | **NotActions** |  |
 > | *none* |  |
 > | **DataActions** |  |

articles/role-based-access-control/built-in-roles/management-and-governance.md

@@ -1463,10 +1463,12 @@ Allows users to edit and delete Hierarchy Settings
 
 Allows for creating managed application resources.
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/applications/* |  |
 > | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/register/action | Register the subscription for Microsoft.Solutions |
 > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/* |  |
@@ -1510,10 +1512,12 @@ Allows for creating managed application resources.
 
 Lets you read and perform actions on Managed Application resources
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/applications/read | Lists all the applications within a subscription. |
 > | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/*/action |  |
 > | **NotActions** |  |
@@ -1553,10 +1557,12 @@ Lets you read and perform actions on Managed Application resources
 
 Lets you read resources in a managed app and request JIT access.
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
 > | [Microsoft.Solutions](../permissions/management-and-governance.md#microsoftsolutions)/jitRequests/* |  |
 > | **NotActions** |  |
@@ -2010,12 +2016,14 @@ Lets one read all the reservations in a tenant
 
 Users with rights to create/modify resource policy, create support ticket and read resources/hierarchy.
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 [Learn more](/azure/governance/policy/overview)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policyassignments/* | Create and manage policy assignments |
 > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policydefinitions/* | Create and manage policy definitions |
 > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/policyexemptions/* | Create and manage policy exemptions |

articles/role-based-access-control/built-in-roles/monitor.md

@@ -397,12 +397,14 @@ View dashboards, playlists, and query data sources.
 
 Can read all monitoring data and edit monitoring settings. See also [Get started with roles, permissions, and security with Azure Monitor](/azure/azure-monitor/roles-permissions-security#built-in-monitoring-roles).
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 [Learn more](/azure/azure-monitor/roles-permissions-security)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.AlertsManagement](../permissions/monitor.md#microsoftalertsmanagement)/alerts/* |  |
 > | [Microsoft.AlertsManagement](../permissions/monitor.md#microsoftalertsmanagement)/alertsSummary/* |  |
 > | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/actiongroups/* |  |
@@ -571,12 +573,14 @@ Enables publishing metrics against Azure resources
 
 Can read all monitoring data (metrics, logs, etc.). See also [Get started with roles, permissions, and security with Azure Monitor](/azure/azure-monitor/roles-permissions-security#built-in-monitoring-roles).
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 [Learn more](/azure/azure-monitor/roles-permissions-security)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.OperationalInsights](../permissions/monitor.md#microsoftoperationalinsights)/workspaces/search/action | Executes a search query |
 > | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
 > | **NotActions** |  |

articles/role-based-access-control/built-in-roles/privileged.md

@@ -184,7 +184,7 @@ Manage access to Azure resources by assigning roles using Azure RBAC. This role
 > | --- | --- |
 > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/write | Create a role assignment at the specified scope. |
 > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/roleAssignments/delete | Delete a role assignment at the specified scope. |
-> | */read | Global read of all Azure resources and all types, except for secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
 > | **NotActions** |  |
 > | *none* |  |
@@ -231,7 +231,7 @@ Lets you manage user access to Azure resources.
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Global read of all Azure resources and all types, except for secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/* | Manage authorization |
 > | [Microsoft.Support](../permissions/general.md#microsoftsupport)/* | Create and update a support ticket |
 > | **NotActions** |  |

articles/role-based-access-control/built-in-roles/security.md

@@ -20,6 +20,8 @@ This article lists the Azure built-in roles in the Security category.
 
 Create, read, download, modify and delete reports objects and related other resource objects.
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 [Learn more](/microsoft-365-app-certification/docs/automate-certification-with-acat)
 
 > [!div class="mx-tableFixed"]
@@ -52,7 +54,7 @@ Create, read, download, modify and delete reports objects and related other reso
 > | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/automations/write | Creates or updates the automation for the scope |
 > | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/register/action | Registers the subscription for Azure Security Center |
 > | [Microsoft.Security](../permissions/security.md#microsoftsecurity)/unregister/action | Unregisters the subscription from Azure Security Center |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | **NotActions** |  |
 > | *none* |  |
 > | **DataActions** |  |
@@ -115,12 +117,14 @@ Create, read, download, modify and delete reports objects and related other reso
 
 Read, download the reports objects and related other resource objects.
 
+[!INCLUDE [role-read-permissions.md](../includes/role-read-permissions.md)]
+
 [Learn more](/microsoft-365-app-certification/docs/automate-certification-with-acat)
 
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
-> | */read | Read resources of all types, except secrets. |
+> | */read | Read control plane information for all Azure resources. |
 > | **NotActions** |  |
 > | *none* |  |
 > | **DataActions** |  |

articles/role-based-access-control/includes/role-read-permissions.md

@@ -6,4 +6,4 @@ ms.date: 01/31/2025
 ms.author: rolyon
 ---
 
-This role includes global read permissions with the `*/read` action. Users that are assigned this role can read all Azure resources of all types, except for secrets.
+This role includes the `*/read` action for the control plane. Users that are assigned this role can read [control plane](/azure/role-based-access-control/role-definitions#control-and-data-actions) information for all Azure resources.