Merge pull request #211201 from jimmart-dev/jammart-abac-queues

build abac docs for queues

Author: v-dirichards

articles/storage/blobs/TOC.yml

@@ -148,7 +148,7 @@ items:
           - name: Authorize with Azure roles
             href: authorize-access-azure-active-directory.md
           - name: Authorize with conditions
-            href: storage-auth-abac.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+            href: storage-auth-abac.md
           - name: Actions and attributes for conditions
             href: storage-auth-abac-attributes.md
           - name: Security for conditions
@@ -922,6 +922,23 @@ items:
       href: data-lake-storage-integrate-with-services-tutorials.md
   - name: Concepts
     items:
+    - name: Authorization
+      items:
+      - name: Authorizing data operations
+        href: ../common/authorize-data-access.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+        items:
+        - name: Authorize with Azure AD
+          items:
+          - name: Authorize with Azure roles
+            href: authorize-access-azure-active-directory.md
+          - name: Authorize with conditions
+            href: storage-auth-abac.md
+          - name: Actions and attributes for conditions
+            href: storage-auth-abac-attributes.md
+          - name: Security for conditions
+            href: storage-auth-abac-security.md
+          - name: Example conditions
+            href: storage-auth-abac-examples.md
     - name: Best practices
       href: data-lake-storage-best-practices.md
     - name: Query acceleration

articles/storage/blobs/storage-auth-abac-attributes.md

@@ -1,13 +1,13 @@
 ---
-title: Actions and attributes for Azure role assignment conditions in Azure Storage (preview)
+title: Actions and attributes for Azure role assignment conditions in Azure Storage
 titleSuffix: Azure Storage
 description: Supported actions and attributes for Azure role assignment conditions and Azure attribute-based access control (Azure ABAC) in Azure Storage. 
 services: storage
 author: jimmart-dev
 
 ms.service: storage
 ms.topic: conceptual
-ms.date: 09/01/2022
+ms.date: 09/14/2022
 ms.author: jammart
 ms.reviewer: nachakra
 ms.subservice: blobs
@@ -17,6 +17,7 @@ ms.subservice: blobs
 
 > [!IMPORTANT]
 > Azure ABAC and Azure role assignment conditions are currently in preview.
+>
 > This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
 > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
@@ -294,70 +295,6 @@ This section lists the supported Azure Blob storage actions and suboperations yo
 > | **Examples** | [Example: Read, write, or delete blobs in named containers](storage-auth-abac-examples.md#example-read-write-or-delete-blobs-in-named-containers)<br/>[Example: Read blobs in named containers with a path](storage-auth-abac-examples.md#example-read-blobs-in-named-containers-with-a-path)<br/>[Example: Read or list blobs in named containers with a path](storage-auth-abac-examples.md#example-read-or-list-blobs-in-named-containers-with-a-path)<br/>[Example: Write blobs in named containers with a path](storage-auth-abac-examples.md#example-write-blobs-in-named-containers-with-a-path)<br/>[Example: Read only current blob versions](storage-auth-abac-examples.md#example-read-only-current-blob-versions)<br/>[Example: Read current blob versions and any blob snapshots](storage-auth-abac-examples.md#example-read-current-blob-versions-and-any-blob-snapshots)<br/>[Example: Read only storage accounts with hierarchical namespace enabled](storage-auth-abac-examples.md#example-read-only-storage-accounts-with-hierarchical-namespace-enabled) |
 > | **Learn more** | [Azure Data Lake Storage Gen2 hierarchical namespace](../blobs/data-lake-storage-namespace.md) |
 
-## Azure Queue storage actions
-
-This section lists the supported Azure Queue storage actions you can target for conditions.
-
-### Peek messages
-
-> [!div class="mx-tdCol2BreakAll"]
-> | Property | Value |
-> | --- | --- |
-> | **Display name** | Peek messages |
-> | **Description** | DataAction for peeking messages. |
-> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/read` |
-> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |
-> | **Request attributes** |  |
-> | **Principal attributes support** | True |
-
-### Put a message
-
-> [!div class="mx-tdCol2BreakAll"]
-> | Property | Value |
-> | --- | --- |
-> | **Display name** | Put a message |
-> | **Description** | DataAction for putting a message. |
-> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/add/action` |
-> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |
-> | **Request attributes** |  |
-> | **Principal attributes support** | True |
-
-### Put or update a message
-
-> [!div class="mx-tdCol2BreakAll"]
-> | Property | Value |
-> | --- | --- |
-> | **Display name** | Put or update a message |
-> | **Description** | DataAction for putting or updating a message. |
-> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/write` |
-> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |
-> | **Request attributes** |  |
-> | **Principal attributes support** | True |
-
-### Clear messages
-
-> [!div class="mx-tdCol2BreakAll"]
-> | Property | Value |
-> | --- | --- |
-> | **Display name** | Clear messages |
-> | **Description** | DataAction for clearing messages. |
-> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete` |
-> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |
-> | **Request attributes** |  |
-> | **Principal attributes support** | True |
-
-### Get or delete messages
-
-> [!div class="mx-tdCol2BreakAll"]
-> | Property | Value |
-> | --- | --- |
-> | **Display name** | Get or delete messages |
-> | **Description** | DataAction for getting or deleting messages. |
-> | **DataAction** | `Microsoft.Storage/storageAccounts/queueServices/queues/messages/process/action` |
-> | **Resource attributes** | [Account name](#account-name)<br/>[Queue name](#queue-name) |
-> | **Request attributes** |  |
-> | **Principal attributes support** | True |
-
 ## Azure Blob storage attributes
 
 This section lists the Azure Blob storage attributes you can use in your condition expressions depending on the action you target. If you select multiple actions for a single condition, there might be fewer attributes to choose from for your condition because the attributes must be available across the selected actions.
@@ -518,21 +455,6 @@ This section lists the Azure Blob storage attributes you can use in your conditi
 > | **Examples** | `@Request[Microsoft.Storage/storageAccounts/blobServices/containers/blobs:versionId] DateTimeEquals '2022-06-01T23:38:32.8883645Z'`<br/>[Example: Read current blob versions and a specific blob version](storage-auth-abac-examples.md#example-read-current-blob-versions-and-a-specific-blob-version)<br/>[Example: Read current blob versions and any blob snapshots](storage-auth-abac-examples.md#example-read-current-blob-versions-and-any-blob-snapshots) |
 > | **Learn more** | [Azure Data Lake Storage Gen2 hierarchical namespace](../blobs/data-lake-storage-namespace.md) |
 
-## Azure Queue storage attributes
-
-This section lists the Azure Queue storage attributes you can use in your condition expressions depending on the action you target.
-
-### Queue name
-
-> [!div class="mx-tdCol2BreakAll"]
-> | Property | Value |
-> | --- | --- |
-> | **Display name** | Queue name |
-> | **Description** | Name of a storage queue. |
-> | **Attribute** | `Microsoft.Storage/storageAccounts/queueServices/queues:name` |
-> | **Attribute source** | Resource |
-> | **Attribute type** | String |
-
 ## See also
 
 - [Example Azure role assignment conditions (preview)](storage-auth-abac-examples.md)

articles/storage/blobs/storage-auth-abac.md

@@ -1,13 +1,13 @@
 ---
 title: Authorize access to blobs using Azure role assignment conditions (preview)
 titleSuffix: Azure Storage
-description: Authorize access to Azure blobs using Azure role assignment conditions and Azure attribute-based access control (Azure ABAC). Define conditions on role assignments using Storage attributes.
+description: Authorize access to Azure blobs and Azure Data Lake Storage Gen2 (ADLS G2) using Azure role assignment conditions and Azure attribute-based access control (Azure ABAC). Define conditions on role assignments using Storage attributes.
 services: storage
 author: jimmart-dev
 
 ms.service: storage
 ms.topic: conceptual
-ms.date: 09/01/2022
+ms.date: 09/14/2022
 ms.author: jammart
 ms.reviewer: nachakra
 ms.subservice: blobs
@@ -17,6 +17,7 @@ ms.subservice: blobs
 
 > [!IMPORTANT]
 > Azure ABAC and Azure role assignment conditions are currently in preview.
+>
 > This preview version is provided without a service level agreement, and it's not recommended for production workloads. Certain features might not be supported or might have constrained capabilities.
 > For more information, see [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/).
 
@@ -26,22 +27,22 @@ Azure ABAC builds on Azure role-based access control (Azure RBAC) by adding [con
 
 ## Overview of conditions in Azure Storage
 
-Azure Storage enables the [use of Azure Active Directory](../common/authorize-data-access.md) (Azure AD) to authorize requests to blob, queue, and table resources using Azure RBAC. Azure RBAC helps you manage access to resources by defining who has access to resources and what they can do with those resources, using role definitions and role assignments. Azure Storage defines a set of Azure [built-in roles](../../role-based-access-control/built-in-roles.md#storage) that encompass common sets of permissions used to access blob, queue and table data. You can also define custom roles with select set of permissions. Azure Storage supports role assignments for storage accounts or blob containers.
+You can [use of Azure Active Directory](../common/authorize-data-access.md) (Azure AD) to authorize requests to Azure storage resources using Azure RBAC. Azure RBAC helps you manage access to resources by defining who has access to resources and what they can do with those resources, using role definitions and role assignments. Azure Storage defines a set of Azure [built-in roles](../../role-based-access-control/built-in-roles.md#storage) that encompass common sets of permissions used to access Azure storage data. You can also define custom roles with select sets of permissions. Azure Storage supports role assignments for both storage accounts and blob containers.
 
-Azure ABAC builds on Azure RBAC by adding role assignment conditions in the context of specific actions. A *role assignment condition* is an additional check that is evaluated when the action on the storage resource is being authorized. This condition is expressed as a predicate using attributes associated with any of the following:
+Azure ABAC builds on Azure RBAC by adding [role assignment conditions](../../role-based-access-control/conditions-overview.md) in the context of specific actions. A *role assignment condition* is an additional check that is evaluated when the action on the storage resource is being authorized. This condition is expressed as a predicate using attributes associated with any of the following:
 - Security principal that is requesting authorization
 - Resource to which access is being requested
 - Parameters of the request
 - Environment from which the request originates
 
 The benefits of using role assignment conditions are:
 - **Enable finer-grained access to resources** - For example, if you want to grant a user read access to blobs in your storage accounts only if the blobs are tagged as Project=Sierra, you can use conditions on the read action using tags as an attribute.
-- **Reduce the number of role assignments you have to create and manage** - You can do this by using a generalized role assignment for a security group, and then restricting the access for individual members of the group using a condition that matches attributes of a principal with attributes of a specific resource being accessed (such as, a blob or a container).
+- **Reduce the number of role assignments you have to create and manage** - You can do this by using a generalized role assignment for a security group, and then restricting the access for individual members of the group using a condition that matches attributes of a principal with attributes of a specific resource being accessed (such as a blob or a container).
 - **Express access control rules in terms of attributes with business meaning** - For example, you can express your conditions using attributes that represent a project name, business application, organization function, or classification level.
 
 The tradeoff of using conditions is that you need a structured and consistent taxonomy when using attributes across your organization. Attributes must be protected to prevent access from being compromised. Also, conditions must be carefully designed and reviewed for their effect.
 
-Role-assignment conditions in Azure Storage are supported for blobs. You can use conditions with accounts that have the [hierarchical namespace](../blobs/data-lake-storage-namespace.md) (HNS) feature enabled on them. Conditions are currently not supported for queue, table, or file resources in Azure Storage.
+Role-assignment conditions in Azure Storage are supported for Azure blob storage. You can also use conditions with accounts that have the [hierarchical namespace](../blobs/data-lake-storage-namespace.md) (HNS) feature enabled on them (ADLS G2).
 
 
 ## Supported attributes and operations
@@ -51,10 +52,6 @@ In this preview, you can add conditions to built-in roles or custom roles. The b
 - [Storage Blob Data Reader](../../role-based-access-control/built-in-roles.md#storage-blob-data-reader)
 - [Storage Blob Data Contributor](../../role-based-access-control/built-in-roles.md#storage-blob-data-contributor)
 - [Storage Blob Data Owner](../../role-based-access-control/built-in-roles.md#storage-blob-data-owner).
-- [Storage Queue Data Contributor](../../role-based-access-control/built-in-roles.md#storage-queue-data-contributor)
-- [Storage Queue Data Message Processor](../../role-based-access-control/built-in-roles.md#storage-queue-data-message-processor)
-- [Storage Queue Data Message Sender](../../role-based-access-control/built-in-roles.md#storage-queue-data-message-sender)
-- [Storage Queue Data Reader](../../role-based-access-control/built-in-roles.md#storage-queue-data-reader)
 
 You can use conditions with custom roles so long as the role includes [actions that support conditions](storage-auth-abac-attributes.md#azure-blob-storage-actions-and-suboperations).
 

articles/storage/queues/TOC.yml

@@ -50,6 +50,17 @@
   - name: Authorization
     href: ../common/authorize-data-access.md?toc=/azure/storage/queues/toc.json
     items:
+    - name: Authorizing data operations
+      href: ../common/authorize-data-access.md?toc=%2fazure%2fstorage%2fblobs%2ftoc.json
+      items:
+      - name: Authorize with Azure AD
+        items:
+        - name: Authorize with Azure roles
+          href: authorize-access-azure-active-directory.md
+        - name: Authorize with conditions
+          href: queues-auth-abac.md
+        - name: Actions and attributes for conditions
+          href: queues-auth-abac-attributes.md
     - name: Authenticate and authorize with Azure AD
       href: authorize-access-azure-active-directory.md
     - name: Authorize with Shared Key

articles/storage/queues/authorize-access-azure-active-directory.md

@@ -7,9 +7,9 @@ author: jimmart-dev
 
 ms.service: storage
 ms.topic: conceptual
-ms.date: 07/13/2021
+ms.date: 09/14/2022
 ms.author: jammart
-ms.subservice: common
+ms.subservice: queues
 ---
 
 # Authorize access to queues using Azure Active Directory