Merge pull request #298222 from v-thepet/redis5

Azure for Redis Cache Freshness #5

Author: JamesJBarnett

articles/azure-cache-for-redis/cache-configure-role-based-access-control.md

@@ -1,135 +1,120 @@
 ---
-title: Configure role-based access control with Data Access Policy
-description: Learn how to configure role-based access control with Data Access Policy.
+title: Configure custom data access policies
+description: Learn how to create and configure a data access policy for Azure Cache for Redis and enable role-based access control via Microsoft Entra ID.
 ms.custom: references_regions, ignite-2024
 
 ms.topic: conceptual
-ms.date: 06/05/2023
+ms.date: 04/21/2025
 appliesto:
   - ✅ Azure Cache for Redis
 
 ---
 
-# Configure role-based access control with Data Access Policy
+# Configure custom data access policies
 
-Managing access to your Azure Cache for Redis instance is critical to ensure that the right users have access to the right set of data and commands. In Redis version 6, the [Access Control List](https://redis.io/docs/management/security/acl/) (ACL) was introduced. ACL limits which user can execute certain commands, and the keys that a user can be access. For example, you can prohibit specific users from deleting keys in the cache using [DEL](https://redis.io/commands/del/) command.
+Managing access to your Azure Redis cache instance is critical to ensuring that the right users have access to the right set of data and commands. Redis version 6 introduced the [Access Control List](https://redis.io/docs/management/security/acl/) (ACL), which lists the keys that specific users can access and the commands that they can execute. For example, you can prohibit specific users from using the [DEL](https://redis.io/commands/del/) command to delete keys in the cache.
 
-Azure Cache for Redis now integrates this ACL functionality with Microsoft Entra ID to allow you to configure your Data Access Policies for your application's service principal and managed identity.
+Azure Cache for Redis integrates this ACL functionality with Microsoft Entra to allow you to configure and assign data access policies for your application's users, service principal, and managed identity. Azure Cache for Redis offers three built-in access policies that you can assign via role-based access control (RBAC): **Data Owner**, **Data Contributor**, and **Data Reader**.
 
-Azure Cache for Redis offers three built-in access policies: _Data Owner_, _Data Contributor_, and _Data Reader_. If the built-in access policies don't satisfy your data protection and isolation requirements, you can create and use your own custom data access policy as described in [Configure custom data access policy](#configure-a-custom-data-access-policy-for-your-application).
+If the built-in access policies don't satisfy your data protection and isolation requirements, you can create and use your own custom data access policies. This article describes configuring a custom data access policy for Azure Cache for Redis and enabling RBAC via Microsoft Entra authentication.
 
 ## Scope of availability
 
 | **Tier**         | Basic, Standard, Premium | Enterprise, Enterprise Flash |
 |:-----------------|:------------------------:|:----------------------------:|
 | **Availability** | Yes                      | No                           |
 
-## Prerequisites and limitations
+## Limitations
 
-- Redis ACL and Data Access Policies aren't supported on Azure Cache for Redis instances that run Redis version 4.
-- Microsoft Entra authentication and authorization are supported for SSL connections only.
-- Some Redis commands are [blocked](cache-configure.md#redis-commands-not-supported-in-azure-cache-for-redis).
+- Configuring data access policies isn't supported on Enterprise and Enterprise Flash tiers.
+- Redis ACL and data access policies aren't supported on Azure Redis instances that run Redis version 4.
+- Microsoft Entra authentication and authorization are supported only for Secure Socket Layer (SSL) connections.
+- Some Redis commands are blocked in Azure Cache for Redis. For more information, see [Redis commands not supported in Azure Cache for Redis](cache-configure.md#redis-commands-not-supported-in-azure-cache-for-redis).
 
-## Permissions for your data access policy
+## Redis ACL permissions
 
-As documented on [Redis Access Control List](https://redis.io/docs/management/security/acl/), ACL in Redis version 6.0 allows configuring access permissions for three areas:
+[Redis ACL](https://redis.io/docs/management/security/acl/) in Redis version 6.0 allows configuring access permissions for three areas: command categories, commands, and keys.
 
 ### Command categories
 
-Redis has created groupings of commands such as administrative commands, dangerous commands, etc. to make setting permissions on a group of commands easier.
-
-- Use `+@commandcategory` to allow a command category
-- Use `-@commandcategory` to disallow a command category
-
-These [commands](cache-configure.md#redis-commands-not-supported-in-azure-cache-for-redis) are still blocked. The following groups are useful command categories that Redis supports. For more information on command categories, see the full list under the heading [Command Categories](https://redis.io/docs/management/security/acl/).
-
-- `admin`
-  - Administrative commands. Normal applications never need to use these, including `MONITOR`, `SHUTDOWN`, and others.
-- `dangerous`
-  - Potentially dangerous commands. Each should be considered with care for various reasons, including `FLUSHALL`, `RESTORE`, `SORT`, `KEYS`, `CLIENT`, `DEBUG`, `INFO`, `CONFIG`, and others.
-- `keyspace`
-  - Writing or reading from keys, databases, or their metadata in a type agnostic way, including `DEL`, `RESTORE`, `DUMP`, `RENAME`, `EXISTS`, `DBSIZE`, `KEYS`, `EXPIRE`, `TTL`, `FLUSHALL`, and more. Commands that can modify the keyspace, key, or metadata also have the write category. Commands that only read the keyspace, key, or metadata have the read category.
-- `pubsub`
-  - PubSub-related commands.
-- `read`
-  - Reading from keys, values or metadata. Commands that don't interact with keys, don't have either read or write.
-- `set`
-  - Data type: sets related.
-- `sortedset`
-  - Data type: sorted sets related.
-- `stream`
-  - Data type: streams related.
-- `string`
-  - Data type: strings related.
-- `write`
-  - Writing to keys (values or metadata).
+Redis created *command categories*, such as administrative commands and dangerous commands, to make setting permissions on a group of commands easier. In a permissions string, use `+@<category>` to allow a command category or `-@<category>` to disallow a command category.
 
-### Commands
-
-_Commands_ allow you to control which specific commands can be run by a particular Redis user.
-
-- Use `+command` to allow a command.
-- Use `-command` to disallow a command.
-
-### Keys
-
-Keys allow you to control access to specific keys or groups of keys stored in the cache.
+Redis supports the following useful command categories. For more information and a full list, see the **Command Categories** heading in the [Redis ACL documentation](https://redis.io/docs/management/security/acl/).
 
-- Use `~<pattern>` to provide a pattern for keys.
+|Category|Description|
+|--------|-----------|
+|`admin`|Administrative commands, such as `MONITOR` and `SHUTDOWN`. Normal applications never need to use these commands.|
+|`dangerous`|Potentially dangerous commands, including `FLUSHALL`, `RESTORE`, `SORT`, `KEYS`, `CLIENT`, `DEBUG`, `INFO`, and `CONFIG`. Consider each with care, for various reasons.|
+|`keyspace`|Includes `DEL`, `RESTORE`, `DUMP`, `RENAME`, `EXISTS`, `DBSIZE`, `KEYS`, `EXPIRE`, `TTL`, and `FLUSHALL`. Writing or reading from keys, databases, or their metadata in a type agnostic way. Commands that only read the keyspace, key, or metadata have the `read` category. Commands that can modify the keyspace, key, or metadata also have the `write` category.|
+|`pubsub`|PubSub-related commands.|
+|`read`|Reading from keys, values or metadata. Commands that don't interact with keys don't have either `read` or `write`.|
+|`set`|Data type: sets related.|
+|`sortedset`|Data type: sorted sets related.|
+|`stream`|Data type: streams related.|
+|`string`|Data type: strings related.|
+|`write`|Writing values or metadata to keys.|
 
-- Use either `~*` or `allkeys` to indicate that the command category permissions apply to all keys in the cache instance.
+>[!NOTE]
+>Commands that are [blocked](cache-configure.md#redis-commands-not-supported-in-azure-cache-for-redis) for Azure Redis remain blocked within the categories.
 
-### How to specify permissions
+### Commands
 
-To specify permissions, you need to create a string to save as your custom access policy, then assign the string to your Azure Cache for Redis user.
+*Commands* allow you to control which specific commands a particular Redis user can run. In a permissions string, use `+<command>` to allow a command or `-<command>` to disallow a command.
 
-The following list contains some examples of permission strings for various scenarios.
+### Keys
 
-- Allow application to execute all commands on all keys
+*Keys* allow you to control access to specific keys or groups of keys stored in the cache. Use `~<pattern>` in a permission string to provide a pattern for keys. Use either `~*` or `allkeys` to indicate that the permissions apply to all keys in the cache.
 
-   Permissions string: `+@all allkeys`
+## Configure a custom data access policy for your application
 
-- Allow application to execute only _read_ commands
+To configure a custom data access policy, you create a permissions string to use as your custom access policy, and enable Microsoft Entra authentication for your cache.
 
-    Permissions string: `+@read ~*`
+### Specify permissions
 
-- Allow application to execute _read_ command category and set command on keys with prefix `Az`.
+Configure permission strings according to your requirements. The following examples show permission strings for various scenarios:
 
-    Permissions string: `+@read +set ~Az*`
+|Permissions string|Description|
+|------------------|-----------|
+|`+@all allkeys`|Allow application to execute all commands on all keys.|
+|`+@read ~*`|Allow application to execute only `read` command category.|
+|`+@read +set ~Az*`|Allow application to execute `read` command category and set command on keys with prefix `Az`.|
 
-## Configure a custom data access policy for your application
+### Create the custom data access policy
 
-1. In the Azure portal, select the Azure Cache for Redis instance where you want to configure Microsoft Entra token-based authentication.
+1. In the Azure portal, select the Azure Redis cache where you want to create the data access policy.
 
-1. From the Resource menu, select **Data Access configuration**.
+1. Select **Data Access Configuration** under **Settings** in the left navigation menu.
 
    :::image type="content" source="media/cache-configure-role-based-access-control/cache-data-access-configuration.png" alt-text="Screenshot showing Data Access Configuration highlighted in the Resource menu.":::
 
-1. Select **Add** and choose **New Access Policy**.
+1. On the **Data Access Configuration** page, select **Add** > **New Access Policy**.
 
-   :::image type="content" source="media/cache-configure-role-based-access-control/cache-add-custom-policy.png" alt-text="Screenshot showing a form to add custom access policy.":::
+1. On the **Add/Edit a custom access policy** screen, provide a name for your access policy.
 
-1. Provide a name for your access policy.
+1. Under **Permissions**, add your custom permissions string, and then select **Apply**.
 
-1. [Configure Permissions](#permissions-for-your-data-access-policy) as per your requirements.
+   :::image type="content" source="media/cache-configure-role-based-access-control/cache-add-custom-policy.png" alt-text="Screenshot showing a form to add custom access policy.":::
 
-1. To add a user to the access policy using Microsoft Entra ID, you must first enable Microsoft Entra ID by selecting **Authentication** from the Resource menu.
+The custom policy now appears on the **Access Policies** tab of the **Data Access Configuration** page, along with the three built-in Azure Redis policies.
 
-1. Select **Enable Microsoft Entra Authentication** as the tab in the working pane.
+### Enable Microsoft Entra authentication
 
-1. If not checked already, check the box labeled **Enable Microsoft Entra Authentication** and select **OK**. Then, select **Save**.
+To assign a user to an access policy by using Microsoft Entra, you must have Microsoft Entra rather than Access Keys authentication enabled on your cache. To check your authentication method, select **Authentication** under **Settings** in the left navigation menu for your cache.
 
-   :::image type="content" source="media/cache-azure-active-directory-for-authentication/cache-enable-microsoft-entra.png" alt-text="Screenshot of Microsoft Entra ID access authorization.":::
+On the **Authentication** screen, if **Disable Access Keys Authentication** is selected and no access keys appear on the screen, your cache already uses Microsoft Entra authentication. Otherwise, select the checkbox next to **Disable Access Keys Authentication** and then select **Save**.
 
-1. A popup dialog box displays asking if you want to update your configuration, and informing you that it takes several minutes. Select **Yes.**
+:::image type="content" source="media/cache-configure-role-based-access-control/enable-entra.png" alt-text="Screenshot of disabling access keys authentication.":::
+   
+Respond **Yes** to the popup dialog box asking if you want to disable access keys authentication.
 
-   > [!IMPORTANT]
-   > Once the enable operation is complete, the nodes in your cache instance reboots to load the new configuration. We recommend performing this operation during your maintenance window or outside your peak business hours. The operation can take up to 30 minutes.
+> [!IMPORTANT]
+> Once the Microsoft Entra enable operation is complete, the nodes in your cache instance reboot to load the new configuration. The operation can take up to 30 minutes. It's best to perform this operation during your maintenance window or outside peak business hours.
 
 ## Configure your Redis client to use Microsoft Entra ID
 
-Now that you have configured Redis User and Data access policy for configuring role based access control, you need to update your client workflow to support authenticating using a specific user/password. To learn how to configure your client application to connect to your cache instance as a specific Redis User, see [Configure your Redis client to use Microsoft Entra](cache-azure-active-directory-for-authentication.md#configure-your-redis-client-to-use-microsoft-entra).
+Most Azure Cache for Redis clients assume that a password and access key are used for authentication. You might need to update your client workflow to support authentication and authorization using a specific Microsoft Entra user name and password. To learn how to configure your client application to connect to your cache instance as a specific Redis user, see [Configure your Redis client to use Microsoft Entra ID](cache-azure-active-directory-for-authentication.md#configure-your-redis-client-to-use-microsoft-entra).
 
-## Next steps
+## Related content
 
 - [Use Microsoft Entra ID for cache authentication](cache-azure-active-directory-for-authentication.md)
+- [Azure role-based access control in the Azure portal](/azure/role-based-access-control/role-assignments-portal)