Change to reference

dominicbetts · dominicbetts · commit 8738e90d5a0d · 2025-04-15T11:44:23.000+01:00
diff --git a/articles/iot-operations/reference/custom-rbac.md b/articles/iot-operations/reference/custom-rbac.md
@@ -1,34 +1,64 @@
 ---
-title: Configure RBAC on your resources
-description: Use the Azure portal or CLI to secure access to Azure IoT Operations resources such as dataflows and assets by using Azure role-based access control.
+title: Custom RBAC for your resources
+description: Use the Azure portal to secure access to Azure IoT Operations resources such as data flows and assets by using Azure role-based access control.
 author: dominicbetts
 ms.author: dobett
-ms.topic: how-to
-ms.date: 04/10/2025
+ms.topic: reference
+ms.date: 04/15/2025
 
-#CustomerIntent: As an IT administrator, I want configure Azure RBAC on resources in my Azure IoT Operations instance to control access to them.
+#CustomerIntent: As an IT administrator, I want configure Azure RBAC custom roles on resources in my Azure IoT Operations instance to control access to them.
 ---
 
-# Configure RBAC
+# Custom RBAC for your Azure IoT Operations resources
 
-To manage access to Azure IoT Operations resources such as assets and data flows, you can use Azure role-based access control (RBAC). Azure RBAC is an authorization system that enables you to manage access to Azure resources. You can use Azure RBAC to grant permissions to users, groups, and applications at a scope such as a subscription or resource group.
+To define custom roles that grant specific permissions to users, you can use Azure RBAC. For example, you can define an **Onboarding** role that grants sufficient permissions to a user to complete the Azure Arc connect process and deploy Azure IoT Operations securely.
 
-This article describes how you can create custom roles for Azure IoT Operations and assign them to users. You can use some or all of the example [custom roles](#list-of-custom-roles) in your environment
+This article includes a list of example that you can download and use in your environment. These custom roles are JSON files that list the specific permissions and scope for the role.
 
-For example, you can assign a user the **Data Flow Administrator** custom role in a specific resource group. This role allows the user to create and manage data flows in the resource group. For another user, you can assign the **Data Flow Viewer** custom role in the same resource group. This role allows the user to view data flows but not create or manage them.
+To learn more about custom roles in Azure RBAC, see [Azure custom roles](/azure/role-based-access-control/custom-roles).
 
-You can assign custom roles at either the subscription or resource group level. Assigning roles at the level of a resource group enables the most granular control.
+## Example custom roles
 
-> [!NOTE]
-> The Assets Endpoint Administrator and Data Flow Endpoint Administrator roles have access to Azure Key Vault. However, even if these custom roles are assigned at the subscription level, users can only see the list of key vaults from the specific resource group. Access to schema registries is also restricted to the resource group level.
+The following sections list the example Azure IoT Operations custom roles you can download and use:
 
-To learn more about Azure RBAC, see [What is Azure role-based access control (Azure RBAC)?](/azure/role-based-access-control/overview).
+### Onboarding roles
+
+| Custom role | Description |
+| ----------- | ----------- |
+| [Onboarding](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Onboarding.json) | This is privileged role. The user can complete Azure Arc connect process and deploy Azure IoT Operations securely. |
 
-## Create custom role definitions
+### Viewer roles
+
+| Custom role | Description |
+| ----------- | ----------- |
+| [Instance viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Instance%20Viewer.json) | This role allows the user to view the Azure IoT Operations instance. |
+| [Asset viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Asset%20Viewer.json) | This role allows the user to view the assets in the Azure IoT Operations instance. |
+| [Asset endpoint viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Asset%20Endpoint%20Viewer.json) | This role allows the user to view the asset endpoints in the Azure IoT Operations instance. |
+| [Data flow viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Data%20Flow%20Viewer.json) | This role allows the user to view the data flows in the Azure IoT Operations instance. |
+| [Data flow destination viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Data%20Flow%20Destination%20Viewer.json) | This role allows the user to view the data flow destinations in the Azure IoT Operations instance. |
+| [MQ viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/MQ%20Viewer.json) | This role allows the user to view the MQTT broker in the Azure IoT Operations instance. |
+| [Viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Viewer.json) | This role allows the user to view the Azure IoT Operations instance. This role is a combination of the **Instance viewer**, **Asset viewer**, **Asset endpoint viewer**, **Data flow viewer**, **Data flow destination viewer**, and **MQ viewer** roles. |
+
+### Administrator roles
+
+| Custom role | Description |
+| ----------- | ----------- |
+| [Instance administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Instance%20Administrator.json) | The user can deploy an instance. The role includes permissions to create and update instances, brokers, authentications, listeners, dataflow profiles, dataflow endpoints, schema registries, and user assigned identities. The role also incudes permission to delete instances. |
+| [Asset administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Asset%20Administrator.json) | The user can create and manage assets in the Azure IoT Operations instance. |
+| [Asset endpoint administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Asset%20Endpoint%20Administrator.json) | The user can create and manage asset endpoints in the Azure IoT Operations instance. |
+| [Data flow administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Data%20Flow%20Administrator.json) | The user can create and manage data flows in the Azure IoT Operations instance. |
+| [Data flow destination administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Data%20Flow%20Destination%20Administrator.json) | The user can create and manage data flow destinations in the Azure IoT Operations instance. |
+| [MQ administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/MQ%20Administrator.json) | The user can create and manage the MQTT broker in the Azure IoT Operations instance. |
+| [Administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Administrator.json) | The user can create and manage the Azure IoT Operations instance. This role is a combination of the **Instance administrator**, **Asset administrator**, **Asset endpoint administrator**, **Data flow administrator**, **Data flow destination administrator**, and **MQ administrator** roles. |
+
+> [!NOTE]
+> The example _Assets endpoint administrator_ and _Data flow destination administrator_ roles have access to Azure Key Vault. However, even if these custom roles are assigned at the subscription level, users can only see the list of key vaults from the specific resource group. Access to schema registries is also restricted to the resource group level.
+
+## Create a custom role definition
 
 To prepare one of the sample custom roles:
 
-1. Download the [JSON file for the custom role](#create-custom-role-definitions) you want to create. The JSON file contains the role definition, including the permissions and scope for the role.
+1. Download the JSON file for the custom role you want to create. The JSON file contains the role definition, including the permissions and scope for the role.
 
 1. Edit the JSON file to replace the placeholder value in the `assignableScopes` field with your subscription ID. Save your changes.
 
@@ -40,27 +70,17 @@ To add the custom role to your Azure subscription using the Azure portal:
 
 1. Select **Add > Add custom role**.
 
-1. Enter a name, such as **Data flow administrator**, and a description for the role.
+1. Enter a name, such as **Onboarding**, and a description for the role.
 
 1. Select **Start from JSON** and then select the JSON file you downloaded. The custom role name and description are populated from the file.
 
 1. Optionally, review the permissions and assignable scopes.
 
 1. To add the custom role to your subscription, select **Review + create** and then **Create**.
 
-To add the custom role to your Azure subscription using the Azure CLI:
-
-1. Open a command prompt and log in to your Azure account using the `az login` command.
-
-1. The following command shows how to create the **Data flow administrator** custom role:
-
-    ```console
-    az role definition create --role-definition "Data Flow Administrator.json"
-    ```
-
-## Assign roles
+## Configure and use a custom role
 
-After you create the custom roles in your subscription, you can assign them to users, groups, or applications. You can assign roles at the subscription or resource group level.
+After you create the custom roles in your subscription, you can assign them to users, groups, or applications. You can assign roles at the subscription or resource group level. Assigning roles at the level of a resource group enables the most granular control.
 
 To assign the custom role to a user at the resource group level using the Azure portal:
 
@@ -75,49 +95,3 @@ To assign the custom role to a user at the resource group level using the Azure
 1. Select the user or users you want to assign the role to. You can search for users by name or email address.
 
 1. Select **Review + assign** to review the role assignment. If everything looks good, select **Assign**.
-
-To create a role assignment at the resource group level using the Azure CLI:
-
-1. Open a command prompt and log in to your Azure account using the `az login` command.
-
-1. The following command shows how to assign a user to the **Data flow administrator** custom role:
-
-    ```console
-    az role assignment create --assignee "<User to assign>" \
-    --role "Data flow administrator" \
-    --scope "/subscriptions/<Your subscription Id>/resourceGroups/<Your resource group name>"
-    ```
-
-## List of custom roles
-
-The following sections list the example Azure IoT Operations custom roles you can download and use:
-
-### Onboarding roles
-
-| Custom role | Description |
-| ----------- | ----------- |
-| [Onboarding](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Onboarding.json) | This is privileged role. The user can complete Azure Arc connect process and deploy Azure IoT Operations securely. |
-
-### Viewer roles
-
-| Custom role | Description |
-| ----------- | ----------- |
-| [Instance viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Instance%20Viewer.json) | This role allows the user to view the Azure IoT Operations instance. |
-| [Asset viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Asset%20Viewer.json) | This role allows the user to view the assets in the Azure IoT Operations instance. |
-| [Asset endpoint viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Asset%20Endpoint%20Viewer.json) | This role allows the user to view the asset endpoints in the Azure IoT Operations instance. |
-| [Data flow viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Data%20Flow%20Viewer.json) | This role allows the user to view the data flows in the Azure IoT Operations instance. |
-| [Data flow destination viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Data%20Flow%20Destination%20Viewer.json) | This role allows the user to view the data flow destinations in the Azure IoT Operations instance. |
-| [MQ viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/MQ%20Viewer.json) | This role allows the user to view the MQTT broker in the Azure IoT Operations instance. |
-| [Viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Viewer.json) | This role allows the user to view the Azure IoT Operations instance. This role is a combination of the **Instance viewer**, **Asset viewer**, **Asset endpoint viewer**, **Data flow viewer**, **Data flow destination viewer**, and **MQ viewer** roles. |
-
-### Administrator roles
-
-| Custom role | Description |
-| ----------- | ----------- |
-| [Instance administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Instance%20Administrator.json) | The user can deploy an instance. The role includes permissions to create and update instances, brokers, authentications, listeners, dataflow profiles, dataflow endpoints, schema registries, and user assigned identities. The role also incudes permission to delete instances. |
-| [Asset administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Asset%20Administrator.json) | The user can create and manage assets in the Azure IoT Operations instance. |
-| [Asset endpoint administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Asset%20Endpoint%20Administrator.json) | The user can create and manage asset endpoints in the Azure IoT Operations instance. |
-| [Data flow administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Data%20Flow%20Administrator.json) | The user can create and manage data flows in the Azure IoT Operations instance. |
-| [Data flow destination administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Data%20Flow%20Destination%20Administrator.json) | The user can create and manage data flow destinations in the Azure IoT Operations instance. |
-| [MQ administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/MQ%20Administrator.json) | The user can create and manage the MQTT broker in the Azure IoT Operations instance. |
-| [Administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Administrator.json) | The user can create and manage the Azure IoT Operations instance. This role is a combination of the **Instance administrator**, **Asset administrator**, **Asset endpoint administrator**, **Data flow administrator**, **Data flow destination administrator**, and **MQ administrator** roles. |
