Merge pull request #151403 from batamig/workbook-req-role

ttorble · web-flow · commit 84289daf51a7 · 2021-04-11T11:27:36.000+01:00
adding monitoring contributor role
diff --git a/articles/sentinel/roles.md b/articles/sentinel/roles.md
@@ -14,7 +14,7 @@ ms.workload: na
 ms.tgt_pltfrm: na
 ms.devlang: na
 ms.topic: conceptual
-ms.date: 06/28/2020
+ms.date: 04/11/2021
 ms.author: yelevin
 
 ---
@@ -30,8 +30,6 @@ Use Azure RBAC to create and assign roles within your security operations team t
 
 ### Azure Sentinel-specific roles
 
-There are three dedicated built-in Azure Sentinel roles.
-
 **All Azure Sentinel built-in roles grant read access to the data in your Azure Sentinel workspace.**
 
 - [Azure Sentinel Reader](../role-based-access-control/built-in-roles.md#azure-sentinel-reader) can view data, incidents, workbooks, and other Azure Sentinel resources.
@@ -52,41 +50,45 @@ There are three dedicated built-in Azure Sentinel roles.
 
 Users with particular job requirements may need to be assigned additional roles or specific permissions in order to accomplish their tasks.
 
-- Working with playbooks to automate responses to threats
+- **Working with playbooks to automate responses to threats**
 
     Azure Sentinel uses **playbooks** for automated threat response. Playbooks are built on **Azure Logic Apps**, and are a separate Azure resource. You might want to assign to specific members of your security operations team the ability to use Logic Apps for Security Orchestration, Automation, and Response (SOAR) operations. You can use the [Logic App Contributor](../role-based-access-control/built-in-roles.md#logic-app-contributor) role to assign explicit permission for using playbooks.
 
-- Connecting data sources to Azure Sentinel
+- **Connecting data sources to Azure Sentinel**
 
     For a user to add **data connectors**, you must assign the user write permissions on the Azure Sentinel workspace. Also, note the required additional permissions for each connector, as listed on the relevant connector page.
 
-- Guest users assigning incidents
+- **Guest users assigning incidents**
+
+    If a guest user needs to be able to assign incidents, then in addition to the Azure Sentinel Responder role, the user will also need to be assigned the role of [Directory Reader](../active-directory/roles/permissions-reference.md#directory-readers). Note that this role is *not* an Azure role but an **Azure Active Directory** role, and that regular (non-guest) users have this role assigned by default.
 
-    If a guest user needs to be able to assign incidents, then in addition to the Azure Sentinel Responder role, the user will also need to be assigned the role of [Directory Reader](../active-directory/roles/permissions-reference.md#directory-readers). Note that this role is *not* an Azure role but an **Azure Active Directory** role, and that regular (non-guest) users have this role assigned by default. 
+- **Creating and deleting workbooks**
 
-For a side-by-side comparison, see the [table below](#roles-and-allowed-actions).
+    For a user to create and delete an Azure Sentinel workbook, the user will also need to be assigned with the Azure Monitor role of [Monitoring Contributor](../role-based-access-control/built-in-roles.md#monitoring-contributor). This role is not necessary for *using* workbooks, but only for creating and deleting.
 
 ### Other roles you might see assigned
 
 In assigning Azure Sentinel-specific Azure roles, you may come across other Azure and Log Analytics Azure roles that may have been assigned to users for other purposes. You should be aware that these roles grant a wider set of permissions that includes access to your Azure Sentinel workspace and other resources:
 
 - **Azure roles:** [Owner](../role-based-access-control/built-in-roles.md#owner), [Contributor](../role-based-access-control/built-in-roles.md#contributor), and [Reader](../role-based-access-control/built-in-roles.md#reader). Azure roles grant access across all your Azure resources, including Log Analytics workspaces and Azure Sentinel resources.
 
-- **Log Analytics roles:** [Log Analytics Contributor](../role-based-access-control/built-in-roles.md#log-analytics-contributor) and [Log Analytics Reader](../role-based-access-control/built-in-roles.md#log-analytics-reader). Log Analytics roles grant access to your Log Analytics workspaces. 
+- **Log Analytics roles:** [Log Analytics Contributor](../role-based-access-control/built-in-roles.md#log-analytics-contributor) and [Log Analytics Reader](../role-based-access-control/built-in-roles.md#log-analytics-reader). Log Analytics roles grant access to your Log Analytics workspaces.
 
 For example, a user who is assigned the **Azure Sentinel Reader** role, but not the **Azure Sentinel Contributor** role, will still be able to edit items in Azure Sentinel if assigned the Azure-level **Contributor** role. Therefore, if you want to grant permissions to a user only in Azure Sentinel, you should carefully remove this user’s prior permissions, making sure you do not break any needed access to another resource.
 
-## Roles and allowed actions
+## Azure Sentinel roles and allowed actions
 
-The following table summarizes the roles and allowed actions in Azure Sentinel. 
+The following table summarizes the Azure Sentinel roles and their allowed actions in Azure Sentinel.
 
-| Role | Create and run playbooks| Create and edit workbooks, analytic rules, and other Azure Sentinel resources | Manage incidents (dismiss, assign, etc.) | View data, incidents, workbooks, and other Azure Sentinel resources |
+| Role | Create and run playbooks| Create and edit analytic rules and other Azure Sentinel resources [*](#workbooks) | Manage incidents (dismiss, assign, etc.) | View data, incidents, workbooks, and other Azure Sentinel resources |
 |---|---|---|---|---|
 | Azure Sentinel Reader | -- | -- | -- | &#10003; |
 | Azure Sentinel Responder | -- | -- | &#10003; | &#10003; |
 | Azure Sentinel Contributor | -- | &#10003; | &#10003; | &#10003; |
 | Azure Sentinel Contributor + Logic App Contributor | &#10003; | &#10003; | &#10003; | &#10003; |
+| | | | | |
 
+<a name=workbooks></a>* Creating and deleting workbooks requires the additional [Monitoring Contributor](../role-based-access-control/built-in-roles.md#monitoring-contributor) role. For more information, see [Additional roles and permissions](#additional-roles-and-permissions).
 ## Custom roles and advanced Azure RBAC
 
 - **Custom roles**. In addition to, or instead of, using Azure built-in roles, you can create Azure custom roles for Azure Sentinel. Azure custom roles for Azure Sentinel are created the same way you create other [Azure custom roles](../role-based-access-control/custom-roles-rest.md#create-a-custom-role), based on [specific permissions to Azure Sentinel](../role-based-access-control/resource-provider-operations.md#microsoftsecurityinsights) and to [Azure Log Analytics resources](../role-based-access-control/resource-provider-operations.md#microsoftoperationalinsights).
