
Commit 66eba42

Merge pull request #293600 from rolyon/rolyon-rbac-roles-container-registry
[Azure RBAC] Container Registry roles
2 parents 9cbc730 + 72d7e40 commit 66eba42

2 files changed

+606
-0
lines changed

articles/role-based-access-control/built-in-roles.md

Lines changed: 9 additions & 0 deletions
@@ -211,6 +211,15 @@ The following table provides a brief description of each built-in role. Click th
211211
> | <a name='azure-kubernetes-service-rbac-reader'></a>[Azure Kubernetes Service RBAC Reader](./built-in-roles/containers.md#azure-kubernetes-service-rbac-reader) | Allows read-only access to see most objects in a namespace. It does not allow viewing roles or role bindings. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). Applying this role at cluster scope will give access across all namespaces. | 7f6c6a51-bcf8-42ba-9220-52d62157d7db |
212212
> | <a name='azure-kubernetes-service-rbac-writer'></a>[Azure Kubernetes Service RBAC Writer](./built-in-roles/containers.md#azure-kubernetes-service-rbac-writer) | Allows read/write access to most objects in a namespace. This role does not allow viewing or modifying roles or role bindings. However, this role allows accessing Secrets and running Pods as any ServiceAccount in the namespace, so it can be used to gain the API access levels of any ServiceAccount in the namespace. Applying this role at cluster scope will give access across all namespaces. | a7ffa36f-339b-4b5c-8bdf-e2c188b2c0eb |
213213
> | <a name='connected-cluster-managed-identity-checkaccess-reader'></a>[Connected Cluster Managed Identity CheckAccess Reader](./built-in-roles/containers.md#connected-cluster-managed-identity-checkaccess-reader) | Built-in role that allows a Connected Cluster managed identity to call the checkAccess API | 65a14201-8f6c-4c28-bec4-12619c5a9aaa |
214+
> | <a name='container-registry-configuration-reader-and-data-access-configuration-reader'></a>[Container Registry Configuration Reader and Data Access Configuration Reader](./built-in-roles/containers.md#container-registry-configuration-reader-and-data-access-configuration-reader) | Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. | 69b07be0-09bf-439a-b9a6-e73de851bd59 |
215+
> | <a name='container-registry-contributor-and-data-access-configuration-administrator'></a>[Container Registry Contributor and Data Access Configuration Administrator](./built-in-roles/containers.md#container-registry-contributor-and-data-access-configuration-administrator) | Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. | 3bc748fc-213d-45c1-8d91-9da5725539b9 |
216+
> | <a name='container-registry-data-importer-and-data-reader'></a>[Container Registry Data Importer and Data Reader](./built-in-roles/containers.md#container-registry-data-importer-and-data-reader) | Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules. | 577a9874-89fd-4f24-9dbd-b5034d0ad23a |
217+
> | <a name='container-registry-repository-catalog-lister'></a>[Container Registry Repository Catalog Lister](./built-in-roles/containers.md#container-registry-repository-catalog-lister) | Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change. | bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7 |
218+
> | <a name='container-registry-repository-contributor'></a>[Container Registry Repository Contributor](./built-in-roles/containers.md#container-registry-repository-contributor) | Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. | 2efddaa5-3f1f-4df3-97df-af3f13818f4c |
219+
> | <a name='container-registry-repository-reader'></a>[Container Registry Repository Reader](./built-in-roles/containers.md#container-registry-repository-reader) | Allows for read access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. | b93aa761-3e63-49ed-ac28-beffa264f7ac |
220+
> | <a name='container-registry-repository-writer'></a>[Container Registry Repository Writer](./built-in-roles/containers.md#container-registry-repository-writer) | Allows for read and write access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. | 2a1e307c-b015-4ebd-883e-5b7698a07328 |
221+
> | <a name='container-registry-tasks-contributor'></a>[Container Registry Tasks Contributor](./built-in-roles/containers.md#container-registry-tasks-contributor) | Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts. | fb382eab-e894-4461-af04-94435c366c3f |
222+
> | <a name='container-registry-transfer-pipeline-contributor'></a>[Container Registry Transfer Pipeline Contributor](./built-in-roles/containers.md#container-registry-transfer-pipeline-contributor) | Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments. | bf94e731-3a51-4a7c-8c54-a1ab9971dfc1 |
214223
> | <a name='kubernetes-agentless-operator'></a>[Kubernetes Agentless Operator](./built-in-roles/containers.md#kubernetes-agentless-operator) | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | d5a2ae44-610b-4500-93be-660a0c5f5ca6 |
215224
> | <a name='kubernetes-cluster---azure-arc-onboarding'></a>[Kubernetes Cluster - Azure Arc Onboarding](./built-in-roles/containers.md#kubernetes-cluster---azure-arc-onboarding) | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 |
216225
> | <a name='kubernetes-extension-contributor'></a>[Kubernetes Extension Contributor](./built-in-roles/containers.md#kubernetes-extension-contributor) | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 |
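Review bot: The Container Registry Configuration Reader and Data Access Configuration Reader row (new line 214) and the Container Registry Tasks Contributor row (new line 221) describe what are effectively data-plane-equivalent grants, yet only the older Azure Kubernetes Service RBAC Reader row in the same table labels its comparable path through Secrets as "(a form of privilege escalation)". Since line 214 states that the listed "admin user credentials, scope maps, and tokens ... can be used to read, write or delete repositories and images", and line 221 states that Tasks permissions "can be used for full registry data plane permissions including reading/writing/deleting container images", consider flagging both with the same explicit wording so that a reader scanning for a least-privilege "Reader" role does not assign line 214 under the impression that it is read-only with respect to registry contents. Minor style point in the same rows: line 214 and line 215 use "read, write or delete" while lines 218 and 221 use "read, write, and delete" and "reading/writing/deleting"; pick one form for the new rows.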
