You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/virtual-wan/roles-permissions.md
+17-9Lines changed: 17 additions & 9 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -92,9 +92,22 @@ The Virtual WAN reader role has the ability to view and monitor all Virtual WAN-
92
92
93
93
Creating or updating Virtual WAN resources requires you to have the proper permission(s) to create that Virtual WAN resource type. In some scenarios, having permissions to create or update that resource type is sufficient. However, in many scenarios, updating a Virtual WAN resource that has a **reference** to another Azure resource requires you to have permissions over both the created resource **and** any referenced resources.
94
94
95
+
### Error Message
96
+
97
+
A user or service principal must have sufficient permissions to execute an operation on a Virtual WAN resource. If the user does not have sufficient permissions to perform the operation, the operation will fail with an error message similar to the one below.
98
+
99
+
|Error Code| Message|
100
+
|--|--|
101
+
|LinkedAccessCheckFailed| The client with object id 'xxx' does not have authorization to perform action 'xxx' over scope 'zzz resource' or the scope is invalid. If access was recently granted, please refresh your credentials.|
102
+
103
+
> [!NOTE]
104
+
> A user or service principal may be missing multiple permissions needed to manage a Virtual WAN resource. The returned error message only references one missing permission. As a result, you may see a different missing permission after you update the permissions assigned to your service principal or user.
105
+
106
+
To fix this error, grant the user or service principal that is managing your Virtual WAN resource(s) the additional permission described in the error message and retry.
107
+
95
108
### Example 1
96
109
97
-
When a connection is created between a Virtual WAN hub and a spoke Virtual Network, Virtual WAN's control plane creates a Virtual Network peering between the Virtual WAN hub and your spoke Virtual Network. You can also specify the Virtual WAN route tables to which the Virtual Network connection is associating to or propagating to.
110
+
When a connection is created between a Virtual WAN hub and a spoke Virtual Network, Virtual WAN's control plane creates a Virutal Network peering between the Virtual WAN hub and your spoke Virtual Network. You can also specify the Virtual WAN route tables to which the Virtual Network connection is associating to or propagating to.
98
111
99
112
Therefore, to create a Virtual Network connection to the Virtual WAN hub, you must have the following permissions:
100
113
@@ -110,7 +123,7 @@ If you want to associate an inbound or out-bound route map is associated with th
110
123
111
124
To create or modify routing intent, a routing intent resource is created with a reference to the next hop resources specified in the routing intent's routing policy. This means that to create or modify routing intent, you need permissions over any referenced Azure Firewall or Network Virtual Appliance resource(s).
112
125
113
-
If the next hop for a hub's private routing intent policy is a Network Virtual Appliance and the next hop for a hub's internet policy is an Azure Firewall, creating or updating a routing intent resource requires the following permissions.
126
+
If the next hop for a hub's private routing intent policy is a Network Virtual Appliance and the next hop for a hub's internet policy is an Azure Firewall, creating or updating a routing intent resource requires the following permisisons.
* Reference (read) the Network Virtual Appliance resource (Microsoft.Network/networkVirtualAppliances/read)
@@ -120,9 +133,9 @@ In this example, you do **not** need permissions to read Microsoft.Network/secur
120
133
121
134
## Additional permissions required due to referenced resources
122
135
123
-
The following section describes the set of possible permissions that are needed to create or modify Virtual WAN resources.
136
+
The following section describes the set of possible permisisons that are needed to create or modify Virtual WAN resources.
124
137
125
-
Depending on your Virtual WAN configuration, the user or service principal that is managing your Virtual WAN deployments may need all, a subset or none of the below permissions.
138
+
Depending on your Virtual WAN configuration, the user or service principal that is managing your Virtual WAN deployments may need all, a subset or none of the below permissions over referenced resources.
126
139
127
140
### Virtual hub resources
128
141
@@ -176,11 +189,6 @@ For more information, see [Scope levels](../role-based-access-control/scope-over
176
189
> [!NOTE]
177
190
> Allow sufficient time for [Azure Resource Manager cache](../role-based-access-control/troubleshooting.md) to refresh after role assignment changes.
178
191
179
-
## Permissions Error
180
-
181
-
If you see an error in the following format, then please make sure you have the above permissions properly configured.
182
-
183
-
Error message format: "The client with object id {} does not have authorization to perform action {} over scope {} or the scope is invalid. If access was recently granted, please refresh your credentials."
![prmerger-automator[bot]](https://avatars.githubusercontent.com/u/22479449?v=4&size=40){kind=avatar}
0 commit comments