Merge pull request #295315 from rolyon/rolyon-rbac-roles-chaos-studio-target-contributor

prmerger-automator[bot] · web-flow · commit 54f8c6d5526e · 2025-02-25T23:12:29.000Z
[Azure RBAC] Chaos Studio Target Contributor role
diff --git a/articles/role-based-access-control/built-in-roles.md b/articles/role-based-access-control/built-in-roles.md
@@ -453,6 +453,7 @@ The following table provides a brief description of each built-in role. Click th
 > | <a name='chaos-studio-experiment-contributor'></a>[Chaos Studio Experiment Contributor](./built-in-roles/devops.md#chaos-studio-experiment-contributor) | Can create, run, and see details for experiments, onboard targets, and manage capabilities. | 7c2e40b7-25eb-482a-82cb-78ba06cb46d5 |
 > | <a name='chaos-studio-operator'></a>[Chaos Studio Operator](./built-in-roles/devops.md#chaos-studio-operator) | Can run and see details for experiments but cannot create experiments or manage targets and capabilities. | 1a40e87e-6645-48e0-b27a-0b115d849a20 |
 > | <a name='chaos-studio-reader'></a>[Chaos Studio Reader](./built-in-roles/devops.md#chaos-studio-reader) | Can view targets, capabilities, experiments, and experiment details. | 29e2da8a-229c-4157-8ae8-cc72fc506b74 |
+> | <a name='chaos-studio-target-contributor'></a>[Chaos Studio Target Contributor](./built-in-roles/devops.md#chaos-studio-target-contributor) | Can onboard targets and manage capabilities but cannot create, run, or see details for experiments | 59a618e3-3c9a-406e-9f03-1a20dd1c55f1 |
 > | <a name='deployment-environments-reader'></a>[Deployment Environments Reader](./built-in-roles/devops.md#deployment-environments-reader) | Provides read access to environment resources. | eb960402-bf75-4cc3-8d68-35b34f960f72 |
 > | <a name='deployment-environments-user'></a>[Deployment Environments User](./built-in-roles/devops.md#deployment-environments-user) | Provides access to manage environment resources. | 18e40d4e-8d2e-438d-97e1-9528336e149c |
 > | <a name='devcenter-dev-box-user'></a>[DevCenter Dev Box User](./built-in-roles/devops.md#devcenter-dev-box-user) | Provides access to create and manage dev boxes. | 45d50f46-0b78-4001-a660-4198cbe8cd05 |
diff --git a/articles/role-based-access-control/built-in-roles/devops.md b/articles/role-based-access-control/built-in-roles/devops.md
@@ -7,7 +7,7 @@ ms.workload: identity
 author: rolyon
 manager: amycolannino
 ms.author: rolyon
-ms.date: 01/25/2025
+ms.date: 02/25/2025
 ms.custom: generated
 ---
 
@@ -20,6 +20,8 @@ This article lists the Azure built-in roles in the DevOps category.
 
 Can create, run, and see details for experiments, onboard targets, and manage capabilities.
 
+[Learn more](/azure/chaos-studio/chaos-studio-permissions-security)
+
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
@@ -67,6 +69,8 @@ Can create, run, and see details for experiments, onboard targets, and manage ca
 
 Can run and see details for experiments but cannot create experiments or manage targets and capabilities.
 
+[Learn more](/azure/chaos-studio/chaos-studio-permissions-security)
+
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
@@ -124,6 +128,8 @@ Can run and see details for experiments but cannot create experiments or manage
 
 Can view targets, capabilities, experiments, and experiment details.
 
+[Learn more](/azure/chaos-studio/chaos-studio-permissions-security)
+
 > [!div class="mx-tableFixed"]
 > | Actions | Description |
 > | --- | --- |
@@ -169,6 +175,69 @@ Can view targets, capabilities, experiments, and experiment details.
 }
 ```
 
+## Chaos Studio Target Contributor
+
+Can onboard targets and manage capabilities but cannot create, run, or see details for experiments
+
+[Learn more](/azure/chaos-studio/chaos-studio-permissions-security)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/targets/write | Creates or update a Target resource that extends a tracked resource. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/targets/delete | Deletes a Target resource that extends a tracked resource. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/targets/read | Gets all Targets that extend a tracked resource. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/targets/capabilities/write | Creates or update a Capability resource that extends a Target resource. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/targets/capabilities/delete | Deletes a Capability resource that extends a Target resource. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/targets/capabilities/read | Gets all Capabilities that extend a Target resource. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/locations/targetTypes/read | Gets all TargetTypes. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/locations/targetTypes/capabilityTypes/read | Gets all CapabilityType. |
+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Can onboard targets and manage capabilities but cannot create, run, or see details for experiments",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/59a618e3-3c9a-406e-9f03-1a20dd1c55f1",
+  "name": "59a618e3-3c9a-406e-9f03-1a20dd1c55f1",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.Chaos/targets/write",
+        "Microsoft.Chaos/targets/delete",
+        "Microsoft.Chaos/targets/read",
+        "Microsoft.Chaos/targets/capabilities/write",
+        "Microsoft.Chaos/targets/capabilities/delete",
+        "Microsoft.Chaos/targets/capabilities/read",
+        "Microsoft.Chaos/locations/targetTypes/read",
+        "Microsoft.Chaos/locations/targetTypes/capabilityTypes/read",
+        "Microsoft.Authorization/*/read",
+        "Microsoft.Insights/alertRules/*",
+        "Microsoft.Resources/deployments/*",
+        "Microsoft.Resources/subscriptions/resourceGroups/read"
+      ],
+      "notActions": [],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Chaos Studio Target Contributor",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
 ## Deployment Environments Reader
 
 Provides read access to environment resources.
diff --git a/articles/role-based-access-control/whats-new.md b/articles/role-based-access-control/whats-new.md
@@ -18,6 +18,7 @@ This article provides information about new features and documentation improveme
 
 | Date | Area | Description |
 | --- | --- | --- |
+| February 2025 | Roles | Added [Chaos Studio Target Contributor](built-in-roles/devops.md#chaos-studio-target-contributor) role. |
 | February 2025 | Security | Added instructions for how to detect elevate access events using Microsoft Sentinel. See [Detect elevate access events using Microsoft Sentinel](elevate-access-global-admin.md#detect-elevate-access-events-using-microsoft-sentinel). |
 | February 2025 | Permissions | Updated list of permissions for the Azure Container Registry. See [Microsoft.ContainerRegistry](permissions/containers.md#microsoftcontainerregistry). |
 | February 2025 | Roles | Added [Locks Contributor](built-in-roles/security.md#locks-contributor) role. |
