articles/storage/blobs/data-lake-storage-access-control-model.md
Lines changed: 8 additions & 8 deletions
@@ -63,15 +63,15 @@ During security principal-based authorization, permissions are evaluated as show
63
63
> 
64
64
65
65
1. Azure determines whether a role assignment exists for the principal.
66
-
1. If a role assignment exists, the role assignment conditions (2) are evaluated next.
67
-
1. If not, the ACLs (3) are evaluated next.
68
-
1. Azure determines whether the all of the ABAC role assignment conditions, if any exist, match the attributes of the request.
69
-
1. If no conditions exist, access is granted.
70
-
1. If conditions exist and all of them match the attributes of the request, access is granted.
71
-
1. If conditions exist and at least one of them does not match the attributes of the request, the ACLs (3) are evaluated next.
66
+
- If a role assignment exists, the role assignment conditions (2) are evaluated next.
67
+
- If not, the ACLs (3) are evaluated next.
68
+
1. Azure determines whether all of the ABAC role assignment conditions, if any exist, match the attributes of the request.
69
+
- If no conditions exist, access is granted.
70
+
- If conditions exist and all of them match the attributes of the request, access is granted.
71
+
- If conditions exist and at least one of them does not match the attributes of the request, the ACLs (3) are evaluated next.
72
72
1. If access has not been explicitly granted after evaluating the role assignments and conditions, the ACLs are evaluated.
73
-
1. If the ACLs permit the requested level of access, access is granted.
74
-
1. If not, access is denied.
73
+
- If the ACLs permit the requested level of access, access is granted.
74
+
- If not, access is denied.
75
75
76
76
> [!IMPORTANT]
77
77
> Because of the way that access permissions are evaluated by the system, you **cannot** use an ACL to **restrict** access that has already been granted by a role assignment and its conditions. That's because the system evaluates Azure role assignments and conditions first, and if the assignment grants sufficient access permission, ACLs are ignored.
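Review bot: On the converted sub-items (new lines 66-67, 69-71 and 73-74), switching from `1.` to `-` only keeps the outer list intact if each bullet is indented under its parent step, and that indentation cannot be confirmed from this view. An unindented `-` ends the ordered list, so the next top-level `1.` would restart at 1 and the cross-references in "the role assignment conditions (2) are evaluated next" and "the ACLs (3) are evaluated next" would no longer match the rendered step numbers. Please check the rich diff to confirm the three top-level steps still render as 1, 2, 3, because the [!IMPORTANT] note that follows relies on the reader having the evaluation order right (role assignment, then conditions, then ACLs).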