articles/cosmos-db/how-to-setup-rbac.md
Lines changed: 6 additions & 4 deletions
@@ -4,7 +4,7 @@ description: Learn how to configure role-based access control with Azure Active
4
4
author: seesharprun
5
5
ms.service: cosmos-db
6
6
ms.topic: how-to
7
-
ms.date: 02/16/2022
7
+
ms.date: 03/13/2023
8
8
ms.author: sidandrews
9
9
ms.reviewer: mjbrown
10
10
---
@@ -36,10 +36,10 @@ The Azure Cosmos DB data plane RBAC is built on concepts that are commonly found
36
36
## <aid="permission-model"></a> Permission model
37
37
38
38
> [!IMPORTANT]
39
-
> This permission model covers only database operations that involve reading and writing data. It does *not* cover any kind of management operations on management resources, for example:
39
+
> This permission model covers only database operations that involve reading and writing data. It **does not** cover any kind of management operations on management resources, including:
40
40
> - Create/Replace/Delete Database
41
41
> - Create/Replace/Delete Container
42
-
> - Replace Container Throughput
42
+
> -Read/Replace Container Throughput
43
43
> - Create/Replace/Delete/Read Stored Procedures
44
44
> - Create/Replace/Delete/Read Triggers
45
45
> - Create/Replace/Delete/Read User Defined Functions
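Review bot: the rewritten list item `> -Read/Replace Container Throughput` is missing the space after the list marker that every other item in this block has (`> - Create/Replace/Delete Container`), so it will render as a literal `-Read/Replace...` line rather than a bullet; change it to `> - Read/Replace Container Throughput`. Adding Read next to Replace here is consistent with the new note in the same file that throughput is not part of the `readMetadata` metadata.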
@@ -83,7 +83,7 @@ When using Azure Cosmos DB SDKs, these SDKs issue read-only metadata requests du
83
83
- The partition key of your containers or their indexing policy.
84
84
- The list of physical partitions that make a container and their addresses.
85
85
86
-
They do *not* fetch any of the data that you've stored in your account.
86
+
They **do not** fetch any of the data that you've stored in your account.
87
87
88
88
To ensure the best transparency of our permission model, these metadata requests are explicitly covered by the `Microsoft.DocumentDB/databaseAccounts/readMetadata` action. This action should be allowed in every situation where your Azure Cosmos DB account is accessed through one of the Azure Cosmos DB SDKs. It can be assigned (through a role assignment) at any level in the Azure Cosmos DB hierarchy (that is, account, database, or container).
89
89
@@ -95,6 +95,8 @@ The actual metadata requests allowed by the `Microsoft.DocumentDB/databaseAccoun
95
95
| Database | - Reading database metadata<br>- Listing the containers under the database<br>- For each container under the database, the allowed actions at the container scope |
96
96
| Container | - Reading container metadata<br>- Listing physical partitions under the container<br>- Resolving the address of each physical partition |
97
97
98
+
> [!IMPORTANT] Throughput is not included in the metadata for this action.
99
+
98
100
## Built-in role definitions
99
101
100
102
Azure Cosmos DB exposes two built-in role definitions:
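Review bot: the alert marker and its text share one line (`> [!IMPORTANT] Throughput is not included in the metadata for this action.`), whereas the existing alert earlier in this file puts `> [!IMPORTANT]` on its own quoted line and the text on the next one; split the new alert the same way so it renders as an alert instead of plain quoted text. Consider also pointing the reader at the management-operations list above, which now names Read/Replace Container Throughput, so it is clear that reading throughput is a management operation and not covered by the data-plane permission model.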