Commit 9aaaf1c

Clarifying roles for workbook creation and deletion
------- cc: @yelevin
1 parent 4b2f6ab commit 9aaaf1c

1 file changed

+8
-5
lines changed

articles/sentinel/roles.md

Lines changed: 8 additions & 5 deletions
@@ -54,7 +54,7 @@ Users with particular job requirements may need to be assigned additional roles
5454

5555
- **Creating and deleting workbooks**
5656

57-
For a user to create and delete a Microsoft Sentinel workbook, the user will also need to be assigned with the Azure Monitor role of [Monitoring Contributor](../role-based-access-control/built-in-roles.md#monitoring-contributor). This role is not necessary for *using* workbooks, but only for creating and deleting.
57+
To create and delete a Microsoft Sentinel workbook, the user requires either the Microsoft Sentinel Contributor role or a lesser Microsoft Sentinel role plus the Azure Monitor role of [Workbook Contributor](../role-based-access-control/built-in-roles.md#workbook-contributor). This role is not necessary for *using* workbooks, but only for creating and deleting.
5858

5959
### Other roles you might see assigned
6060
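Review bot: In the added line 57, "This role is not necessary for *using* workbooks" no longer has a clear antecedent, because the sentence before it now names Microsoft Sentinel Contributor, "a lesser Microsoft Sentinel role" and Workbook Contributor. Name the role that sentence means (it reads as Workbook Contributor), and consider replacing "a lesser Microsoft Sentinel role" with the specific roles, so that someone assigning least privilege does not have to infer which ones qualify; the table in the next hunk marks Reader and Responder.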

@@ -70,15 +70,18 @@ For example, a user who is assigned the **Microsoft Sentinel Reader** role, but
7070

7171
The following table summarizes the Microsoft Sentinel roles and their allowed actions in Microsoft Sentinel.
7272

73-
| Role | Create and run playbooks| Create and edit analytic rules and other Microsoft Sentinel resources [*](#workbooks) | Manage incidents (dismiss, assign, etc.) | View data, incidents, workbooks, and other Microsoft Sentinel resources |
73+
| Role | Create and run playbooks| Create and edit analytics rules, workbooks, and other Microsoft Sentinel resources | Manage incidents (dismiss, assign, etc.) | View data, incidents, workbooks, and other Microsoft Sentinel resources |
7474
|---|---|---|---|---|
75-
| Microsoft Sentinel Reader | -- | -- | -- | ✓ |
76-
| Microsoft Sentinel Responder | -- | -- | ✓ | ✓ |
75+
| Microsoft Sentinel Reader | -- | --[*](#workbooks) | -- | ✓ |
76+
| Microsoft Sentinel Responder | -- | --[*](#workbooks) | ✓ | ✓ |
7777
| Microsoft Sentinel Contributor | -- | ✓ | ✓ | ✓ |
7878
| Microsoft Sentinel Contributor + Logic App Contributor | ✓ | ✓ | ✓ | ✓ |
7979
| | | | | |
8080

81-
<a name=workbooks></a>* Creating and deleting workbooks requires the additional [Monitoring Contributor](../role-based-access-control/built-in-roles.md#monitoring-contributor) role. For more information, see [Additional roles and permissions](#additional-roles-and-permissions).
81+
<a name=workbooks></a>* Users with these roles can create and delete workbooks with the additional [Workbook Contributor](../role-based-access-control/built-in-roles.md#workbook-contributor) role. For more information, see [Additional roles and permissions](#additional-roles-and-permissions).
82+
83+
Consult the [Role recommendations](#role-recommendations) section for best practices in which roles to assign to which users in your SOC.
84+
8285
## Custom roles and advanced Azure RBAC
8386

8487
- **Custom roles**. In addition to, or instead of, using Azure built-in roles, you can create Azure custom roles for Microsoft Sentinel. Azure custom roles for Microsoft Sentinel are created the same way you create other [Azure custom roles](../role-based-access-control/custom-roles-rest.md#create-a-custom-role), based on [specific permissions to Microsoft Sentinel](../role-based-access-control/resource-provider-operations.md#microsoftsecurityinsights) and to [Azure Log Analytics resources](../role-based-access-control/resource-provider-operations.md#microsoftoperationalinsights).
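Review bot: The added line 83 links to `#role-recommendations`, but no heading with that slug is visible in this diff, so please confirm the section exists in roles.md under that exact anchor before merging. In the footnote on line 81, "Users with these roles" only resolves if the reader has spotted the asterisks in the Reader and Responder rows; naming the two roles in the footnote would let it stand alone and would match the wording in the "Creating and deleting workbooks" paragraph.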
