articles/network-watcher/required-rbac-permissions.md
16 additions & 17 deletions
@@ -1,13 +1,11 @@
1
1
---
2
2
title: Azure RBAC permissions required to use Azure Network Watcher capabilities
3
3
description: Learn which Azure role-based access control (Azure RBAC) permissions are required to use Azure Network Watcher capabilities.
4
-
services: network-watcher
5
4
author: halkazwini
5
+
ms.author: halkazwini
6
6
ms.service: network-watcher
7
7
ms.topic: conceptual
8
-
ms.date: 04/03/2023
9
-
ms.author: halkazwini
10
-
ms.custom: template-concept, engagement-fy23
8
+
ms.date: 08/18/2023
11
9
---
12
10
13
11
# Azure role-based access control permissions required to use Network Watcher capabilities
@@ -25,12 +23,13 @@ Azure role-based access control (Azure RBAC) enables you to assign only the spec
25
23
| Microsoft.Network/networkWatchers/write | Create or update a network watcher |
26
24
| Microsoft.Network/networkWatchers/delete | Delete a network watcher |
27
25
28
-
## NSG flow logs
26
+
## Flow logs
29
27
30
28
| Action | Description |
31
29
| --------- | ------------- |
32
30
| Microsoft.Network/networkWatchers/configureFlowLog/action | Configure a flow Log |
33
31
| Microsoft.Network/networkWatchers/queryFlowLogStatus/action | Query status for a flow log |
32
+
Microsoft.Storage/storageAccounts/listServiceSas/Action, </br> Microsoft.Storage/storageAccounts/listAccountSas/Action, <br> Microsoft.Storage/storageAccounts/listKeys/Action | Fetch shared access signatures (SAS) enabling [secure access to storage account](../storage/common/storage-sas-overview.md) and write to the storage account |
34
33
35
34
## Connection troubleshoot
36
35
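Review bot: The storage row added to the Flow logs table (new line 32) starts with `Microsoft.Storage/...` instead of `| `, unlike the two rows above it, and it mixes `</br>` with `<br>`; begin the row with a pipe and use `<br>` for both breaks. The same three actions are still listed in the additional-actions table further down the file, so the row now appears twice; keep it in one place or make the second mention a pointer. `Microsoft.Storage/storageAccounts/listKeys/Action` returns the storage account keys, which is broader than the "Fetch shared access signatures (SAS)" wording suggests, so the description should say that explicitly for readers building a least-privilege custom role. The heading change from "NSG flow logs" to "Flow logs" also changes the section anchor; check for inbound links to the old one.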
@@ -98,15 +97,15 @@ Microsoft.Network/networkWatchers/packetCaptures/queryStatus/read | View the sta
98
97
99
98
Network Watcher capabilities also require the following actions:
100
99
101
-
| Action(s) | Description |
102
-
| --------- | ------------- |
103
-
| Microsoft.Authorization/\*/Read |Used to fetch Azure role assignments and policy definitions|
104
-
| Microsoft.Resources/subscriptions/resourceGroups/Read |Used to enumerate all the resource groups in a subscription |
105
-
| Microsoft.Storage/storageAccounts/Read |Used to get the properties for the specified storage account |
106
-
| Microsoft.Storage/storageAccounts/listServiceSas/Action, </br> Microsoft.Storage/storageAccounts/listAccountSas/Action, <br> Microsoft.Storage/storageAccounts/listKeys/Action| Used to fetch shared access signatures (SAS) enabling [secure access to storage account](../storage/common/storage-sas-overview.md) and write to the storage account |
107
-
| Microsoft.Compute/virtualMachines/Read, </br> Microsoft.Compute/virtualMachines/Write|Used to log in to the VM, do a packet capture and upload it to storage account|
108
-
| Microsoft.Compute/virtualMachines/extensions/Read </br> Microsoft.Compute/virtualMachines/extensions/Write| Used to check if Network Watcher extension is present, and install if necessary |
109
-
| Microsoft.Compute/virtualMachineScaleSets/Read, </br> Microsoft.Compute/virtualMachineScaleSets/Write| Used to access virtual machine scale sets, do packet captures and upload them to storage account|
110
-
| Microsoft.Compute/virtualMachineScaleSets/extensions/Read, </br> Microsoft.Compute/virtualMachineScaleSets/extensions/Write|Used to check if Network Watcher extension is present, and install if necessary |
111
-
| Microsoft.Insights/alertRules/*|Used to set up metric alerts|
112
-
| Microsoft.Support/*|Used to create and update support tickets from Network Watcher |
100
+
| Action(s) | Description |
101
+
| --------- | ------------- |
102
+
| Microsoft.Authorization/\*/Read |Fetch Azure role assignments and policy definitions |
103
+
| Microsoft.Resources/subscriptions/resourceGroups/Read |Enumerate all the resource groups in a subscription |
104
+
| Microsoft.Storage/storageAccounts/Read |Get the properties for the specified storage account |
105
+
| Microsoft.Storage/storageAccounts/listServiceSas/Action, </br> Microsoft.Storage/storageAccounts/listAccountSas/Action, <br> Microsoft.Storage/storageAccounts/listKeys/Action| Used to fetch shared access signatures (SAS) enabling [secure access to storage account](../storage/common/storage-sas-overview.md) and write to the storage account |
106
+
| Microsoft.Compute/virtualMachines/Read, </br> Microsoft.Compute/virtualMachines/Write|Log in to the VM, do a packet capture and upload it to storage account|
107
+
| Microsoft.Compute/virtualMachines/extensions/Read, </br> Microsoft.Compute/virtualMachines/extensions/Write| Check if Network Watcher extension is present, and install if necessary |
108
+
| Microsoft.Compute/virtualMachineScaleSets/Read, </br> Microsoft.Compute/virtualMachineScaleSets/Write| Access virtual machine scale sets, do packet captures and upload them to storage account|
109
+
| Microsoft.Compute/virtualMachineScaleSets/extensions/Read, </br> Microsoft.Compute/virtualMachineScaleSets/extensions/Write|Check if Network Watcher extension is present, and install if necessary |
110
+
| Microsoft.Insights/alertRules/*|Set up metric alerts |
111
+
| Microsoft.Support/*|Create and update support tickets from Network Watcher |
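Review bot: The storage SAS row (new line 105) still begins "Used to fetch shared access signatures" while every other description in this table was changed to the imperative form; change it to "Fetch shared access signatures ..." so it matches the rest of the table and the row added under Flow logs. In the same table, `</br>` should be `<br>` throughout, and `Microsoft.Insights/alertRules/*` and `Microsoft.Support/*` leave the asterisk unescaped while `Microsoft.Authorization/\*/Read` escapes it; use one form. Since this table lists wildcard and `Write` actions on VMs and scale sets, a sentence stating which Network Watcher capability needs each of them would help readers trim a custom role.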