Merge pull request #292986 from rolyon/rolyon-rbac-roles-chaos-studio

prmerger-automator[bot] · web-flow · commit 733b4ee42da8 · 2025-01-15T00:39:23.000Z
[Azure RBAC] Chaos Studio roles
diff --git a/articles/role-based-access-control/built-in-roles.md b/articles/role-based-access-control/built-in-roles.md
@@ -443,6 +443,9 @@ The following table provides a brief description of each built-in role. Click th
 > [!div class="mx-tableFixed"]
 > | Built-in role | Description | ID |
 > | --- | --- | --- |
+> | <a name='chaos-studio-experiment-contributor'></a>[Chaos Studio Experiment Contributor](./built-in-roles/devops.md#chaos-studio-experiment-contributor) | Can create, run, and see details for experiments, onboard targets, and manage capabilities. | 7c2e40b7-25eb-482a-82cb-78ba06cb46d5 |
+> | <a name='chaos-studio-operator'></a>[Chaos Studio Operator](./built-in-roles/devops.md#chaos-studio-operator) | Can run and see details for experiments but cannot create experiments or manage targets and capabilities. | 1a40e87e-6645-48e0-b27a-0b115d849a20 |
+> | <a name='chaos-studio-reader'></a>[Chaos Studio Reader](./built-in-roles/devops.md#chaos-studio-reader) | Can view targets, capabilities, experiments, and experiment details. | 29e2da8a-229c-4157-8ae8-cc72fc506b74 |
 > | <a name='deployment-environments-reader'></a>[Deployment Environments Reader](./built-in-roles/devops.md#deployment-environments-reader) | Provides read access to environment resources. | eb960402-bf75-4cc3-8d68-35b34f960f72 |
 > | <a name='deployment-environments-user'></a>[Deployment Environments User](./built-in-roles/devops.md#deployment-environments-user) | Provides access to manage environment resources. | 18e40d4e-8d2e-438d-97e1-9528336e149c |
 > | <a name='devcenter-dev-box-user'></a>[DevCenter Dev Box User](./built-in-roles/devops.md#devcenter-dev-box-user) | Provides access to create and manage dev boxes. | 45d50f46-0b78-4001-a660-4198cbe8cd05 |
diff --git a/articles/role-based-access-control/built-in-roles/devops.md b/articles/role-based-access-control/built-in-roles/devops.md
@@ -16,6 +16,159 @@ ms.custom: generated
 This article lists the Azure built-in roles in the DevOps category.
 
 
+## Chaos Studio Experiment Contributor
+
+Can create, run, and see details for experiments, onboard targets, and manage capabilities.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/* |  |
+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Can create, run, and see details for experiments, onboard targets, and manage capabilities.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/7c2e40b7-25eb-482a-82cb-78ba06cb46d5",
+  "name": "7c2e40b7-25eb-482a-82cb-78ba06cb46d5",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.Chaos/*",
+        "Microsoft.Authorization/*/read",
+        "Microsoft.Insights/alertRules/*",
+        "Microsoft.Resources/deployments/*",
+        "Microsoft.Resources/subscriptions/resourceGroups/read"
+      ],
+      "notActions": [],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Chaos Studio Experiment Contributor",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
+## Chaos Studio Operator
+
+Can run and see details for experiments but cannot create experiments or manage targets and capabilities.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/*/read |  |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/experiments/start/action | Starts a Chaos Experiment to inject faults. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/experiments/cancel/action | Cancels a running Chaos Experiment to stop the fault injection. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/experiments/executions/getExecutionDetails/action | Gets details of a chaos experiment execution for a given chaos experiment. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/locations/operationResults/read | Gets an Operation Result. |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/locations/operationStatuses/read | Gets an Operation Status. |
+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Can run and see details for experiments but cannot create experiments or manage targets and capabilities.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/1a40e87e-6645-48e0-b27a-0b115d849a20",
+  "name": "1a40e87e-6645-48e0-b27a-0b115d849a20",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.Chaos/*/read",
+        "Microsoft.Chaos/experiments/start/action",
+        "Microsoft.Chaos/experiments/cancel/action",
+        "Microsoft.Chaos/experiments/executions/getExecutionDetails/action",
+        "Microsoft.Chaos/locations/operationResults/read",
+        "Microsoft.Chaos/locations/operationStatuses/read",
+        "Microsoft.Authorization/*/read",
+        "Microsoft.Insights/alertRules/*",
+        "Microsoft.Resources/deployments/*",
+        "Microsoft.Resources/subscriptions/resourceGroups/read"
+      ],
+      "notActions": [],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Chaos Studio Operator",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
+## Chaos Studio Reader
+
+Can view targets, capabilities, experiments, and experiment details.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/*/read |  |
+> | [Microsoft.Chaos](../permissions/devops.md#microsoftchaos)/experiments/executions/getExecutionDetails/action | Gets details of a chaos experiment execution for a given chaos experiment. |
+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "Can view targets, capabilities, experiments, and experiment details.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/29e2da8a-229c-4157-8ae8-cc72fc506b74",
+  "name": "29e2da8a-229c-4157-8ae8-cc72fc506b74",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.Chaos/*/read",
+        "Microsoft.Chaos/experiments/executions/getExecutionDetails/action",
+        "Microsoft.Authorization/*/read",
+        "Microsoft.Insights/alertRules/*",
+        "Microsoft.Resources/deployments/*",
+        "Microsoft.Resources/subscriptions/resourceGroups/read"
+      ],
+      "notActions": [],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Chaos Studio Reader",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
 ## Deployment Environments Reader
 
 Provides read access to environment resources.
