Skip to content

Commit 6433c1e

Browse files
committed
addressed feedback
1 parent d0e9eea commit 6433c1e

File tree

1 file changed

+4
-4
lines changed

1 file changed

+4
-4
lines changed

articles/search/search-security-rbac.md

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -37,9 +37,9 @@ The following roles are built in. If these roles are insufficient, [create a cus
3737
| [Owner](../role-based-access-control/built-in-roles.md#owner) | Control & Data | Full access to the control plane of the search resource, including the ability to assign Azure roles. Only the Owner role can enable or disable authentication options or manage roles for other users. Subscription administrators are members by default. </br></br>On the data plane, this role has the same access as the Search Service Contributor role. It includes access to all data plane actions except the ability to query or index documents.|
3838
| [Contributor](../role-based-access-control/built-in-roles.md#contributor) | Control & Data | Same level of control plane access as Owner, minus the ability to assign roles or change authentication options. </br></br>On the data plane, this role has the same access as the Search Service Contributor role. It includes access to all data plane actions except the ability to query or index documents.|
3939
| [Reader](../role-based-access-control/built-in-roles.md#reader) | Control & Data | Read access across the entire service, including search metrics, content metrics (storage consumed, number of objects), and the object definitions of data plane resources (indexes, indexers, and so on). However, it can't read API keys or read content within indexes. |
40-
| [Search Service Contributor](../role-based-access-control/built-in-roles.md#search-service-contributor) | Control & Data | Read-write access to object definitions (indexes, aliases, synonym maps, indexers, data sources, and skillsets). This role is for developers who create objects and for search service administrators who manage a search service and its objects, but without access to index content. Use this role to create, delete, and list indexes, get index definitions, get service information (statistics and quotas), test analyzers, create and manage synonym maps, indexers, data sources, and skillsets. See [`Microsoft.Search/searchServices/*`](../role-based-access-control/resource-provider-operations.md#microsoftsearch) for the permissions list. |
41-
| [Search Index Data Contributor](../role-based-access-control/built-in-roles.md#search-index-data-contributor) | Data | Read-write access to content in indexes. This role is for developers or index owners who need to import, refresh, or query the documents collection of an index. You can't assign roles to specific indexes, so this role is for all indexes. This role doesn't support index creation or management. |
42-
| [Search Index Data Reader](../role-based-access-control/built-in-roles.md#search-index-data-reader) | Data | Read-only access for querying search indexes. This role is for apps and users who run queries. You can't assign roles to specific indexes, so this role is for all indexes. This role doesn't support read access to object definitions. For example, you can't read a search index definition or get search service statistics. |
40+
| [Search Service Contributor](../role-based-access-control/built-in-roles.md#search-service-contributor) | Control & Data | Read-write access to object definitions (indexes, aliases, synonym maps, indexers, data sources, and skillsets). This role is for developers who create objects, and for administrators who manage a search service and its objects, but without access to index content. Use this role to create, delete, and list indexes, get index definitions, get service information (statistics and quotas), test analyzers, create and manage synonym maps, indexers, data sources, and skillsets. See [`Microsoft.Search/searchServices/*`](../role-based-access-control/resource-provider-operations.md#microsoftsearch) for the permissions list. |
41+
| [Search Index Data Contributor](../role-based-access-control/built-in-roles.md#search-index-data-contributor) | Data | Read-write access to content in indexes. This role is for developers or index owners who need to import, refresh, or query the documents collection of an index. This role doesn't support index creation or management. By default, this role is for all indexes on a search service. See [Grant access to a single index](#grant-access-to-a-single-index) to narrow the scope. |
42+
| [Search Index Data Reader](../role-based-access-control/built-in-roles.md#search-index-data-reader) | Data | Read-only access for querying search indexes. This role is for apps and users who run queries. This role doesn't support read access to object definitions. For example, you can't read a search index definition or get search service statistics. By default, this role is for all indexes on a search service. See [Grant access to a single index](#grant-access-to-a-single-index) to narrow the scope. |
4343

4444
> [!NOTE]
4545
> If you disable Azure role-based access, built-in roles for the control plane (Owner, Contributor, Reader) continue to be available. Disabling role-based access removes just the data-related permissions associated with those roles. If data plane roles are disabled, Search Service Contributor is equivalent to control-plane Contributor.
@@ -253,7 +253,7 @@ For more information on how to acquire a token for a specific environment, see [
253253

254254
1. Use [Azure.Identity for .NET](/dotnet/api/overview/azure/identity-readme) for token authentication. Microsoft recommends [`DefaultAzureCredential()`](/dotnet/api/azure.identity.defaultazurecredential) for most scenarios.
255255

256-
+ The SDK requires the scope to be `https://search.azure.com/.default`. The audience is `https://search.azure.com`. The `.default` suffix is a Microsoft Entra convention.
256+
+ The SDK requires the scope to be `https://search.azure.com/.default`.
257257

258258
+ The SDK validates that the user has the "user_impersonation" scope, which must be granted by your app, but the SDK itself just asks for `https://search.azure.com/.default`.
259259

0 commit comments

Comments
 (0)