|
| 1 | +--- |
| 2 | +title: Role-based access control for Speech resources - Speech service |
| 3 | +titleSuffix: Azure Cognitive Services |
| 4 | +description: Learn how to assign access roles for a Speech resource. |
| 5 | +services: cognitive-services |
| 6 | +author: eric-urban |
| 7 | +manager: nitinme |
| 8 | +ms.service: cognitive-services |
| 9 | +ms.subservice: speech-service |
| 10 | +ms.topic: conceptual |
| 11 | +ms.date: 04/03/2022 |
| 12 | +ms.author: eur |
| 13 | +--- |
| 14 | + |
| 15 | +# Role-based access control for Speech resources |
| 16 | + |
| 17 | +You can manage access and permissions to your Speech resources with Azure role-based access control (Azure RBAC). Assigned roles can vary across Speech resources. For example, you can assign a role to a Speech resource that should only be used to train a Custom Speech model. You can assign another role to a Speech resource that is used to transcribe audio files. Depending on who can access each Speech resource, you can effectively set a different level of access per application or user. For more information on Azure RBAC, see the [Azure RBAC documentation](../../role-based-access-control/overview.md). |
| 18 | + |
| 19 | +> [!NOTE] |
| 20 | +> A Speech resource can inherit or be assigned multiple roles. The final level of access to this resource is a combination of all roles permissions from the operation level. |
| 21 | +
|
| 22 | +## Roles for Speech resources |
| 23 | + |
| 24 | +A role definition is a collection of permissions. When you create a Speech resource, the built-in roles in this table are assigned by default. |
| 25 | + |
| 26 | +| Role | Can list resource keys | Access to data, models, and endpoints| |
| 27 | +| ---| ---| ---| |
| 28 | +|**Owner** |Yes |View, create, edit, and delete | |
| 29 | +|**Contributor** |Yes |View, create, edit, and delete | |
| 30 | +|**Cognitive Services Contributor** |Yes |View, create, edit, and delete | |
| 31 | +|**Cognitive Services User** |Yes |View, create, edit, and delete | |
| 32 | +|**Cognitive Services Speech Contributor** |No | View, create, edit, and delete | |
| 33 | +|**Cognitive Services Speech User** |No |View only | |
| 34 | +|**Cognitive Services Data Reader (Preview)** |No |View only | |
| 35 | + |
| 36 | +> [!IMPORTANT] |
| 37 | +> Whether a role can list resource keys is important for [Speech Studio authentication](#speech-studio-authentication). To list resource keys, a role must have permission to run the `Microsoft.CognitiveServices/accounts/listKeys/action` operation. Please note that if key authentication is disabled in the Azure Portal, then none of the roles can list keys. |
| 38 | +
|
| 39 | +Keep the built-in roles if your Speech resource can have full read and write access to the projects. |
| 40 | + |
| 41 | +For finer-grained resource access control, you can [add or remove roles](../../role-based-access-control/role-assignments-portal.md?tabs=current) using the Azure portal. For example, you could create a custom role with permission to upload Custom Speech datasets, but without permission to deploy a Custom Speech model to an endpoint. |
| 42 | + |
| 43 | +## Authentication with keys and tokens |
| 44 | + |
| 45 | +The [roles](#roles-for-speech-resources) define what permissions you have. Authentication is required to use the Speech resource. |
| 46 | + |
| 47 | +To authenticate with Speech resource keys, all you need is the key and region. To authenticate with an Azure AD token, the Speech resource must have a [custom subdomain](speech-services-private-link.md#create-a-custom-domain-name) and use a [private endpoint](speech-services-private-link.md#turn-on-private-endpoints). The Speech service uses custom subdomains with private endpoints only. |
| 48 | + |
| 49 | +### Speech SDK authentication |
| 50 | + |
| 51 | +For the SDK, you configure whether to authenticate with a Speech resource key or Azure AD token. For details, see [Azure Active Directory Authentication with the Speech SDK](how-to-configure-azure-ad-auth.md). |
| 52 | + |
| 53 | +### Speech Studio authentication |
| 54 | + |
| 55 | +Once you're signed into [Speech Studio](speech-studio-overview.md), you select a subscription and Speech resource. You don't choose whether to authenticate with a Speech resource key or Azure AD token. Speech Studio gets the key or token automatically from the Speech resource. If one of the assigned [roles](#roles-for-speech-resources) has permission to list resource keys, Speech Studio will authenticate with the key. Otherwise, Speech Studio will authenticate with the Azure AD token. |
| 56 | + |
| 57 | +If Speech Studio uses your Azure AD token, but the Speech resource doesn't have a custom subdomain and private endpoint, then you can't use some features in Speech Studio. In this case, for example, the Speech resource can be used to train a Custom Speech model, but you can't use a Custom Speech model to transcribe audio files. |
| 58 | + |
| 59 | +| Authentication credential | Feature availability | |
| 60 | +| ---| ---| |
| 61 | +|Speech resource key|Full access limited only by the assigned role permissions.| |
| 62 | +|Azure AD token with custom subdomain and private endpoint|Full access limited only by the assigned role permissions.| |
| 63 | +|Azure AD token without custom subdomain and private endpoint (not recommended)|Features are limited. For example, the Speech resource can be used to train a Custom Speech model or Custom Neural Voice. But you can't use a Custom Speech model or Custom Neural Voice.| |
| 64 | + |
| 65 | +## Next steps |
| 66 | + |
| 67 | +* [Azure Active Directory Authentication with the Speech SDK](how-to-configure-azure-ad-auth.md). |
| 68 | +* [Speech service encryption of data at rest](speech-encryption-of-data-at-rest.md). |
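Review bot: new-file line 47 states that to authenticate with an Azure AD token the Speech resource "must have" a custom subdomain and use a private endpoint, but line 57 and the last table row at line 63 describe Azure AD token authentication without them as working with limited features, so the stated requirement contradicts the rest of the page. Suggest rewording line 47 to say that both are needed for full feature access with an Azure AD token, and clarifying or dropping "The Speech service uses custom subdomains with private endpoints only.", which is ambiguous as written. Because line 55 says Speech Studio silently prefers the key whenever any assigned role can list keys, it would also help to state at line 37 which credential Speech Studio falls back to once key authentication is disabled. Smaller points: "all roles permissions" on line 20 should read "all role permissions", the last sentence of the line 63 cell ("But you can't use ...") would read better joined to the previous one, and "Azure Portal" on line 37 should match "Azure portal" on line 41.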