
Commit a0518e1

Merge pull request #265717 from rolyon/rolyon-rbac-roles-feb2024
[Azure RBAC] Update roles and operations for February 2024
2 parents 0d0d6be + 5bf3bc3 commit a0518e1


4 files changed

+235
-2
lines changed


articles/role-based-access-control/built-in-roles.md

Lines changed: 107 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -8,7 +8,7 @@ ms.workload: identity
88
author: rolyon
99
manager: amycolannino
1010
ms.author: rolyon
11-
ms.date: 01/30/2024
11+
ms.date: 02/07/2024
1212
ms.custom: generated
1313
---
1414

@@ -248,6 +248,7 @@ The following table provides a brief description of each built-in role. Click th
248248
> | [Attestation Contributor](#attestation-contributor) | Can read write or delete the attestation provider instance | bbf86eb8-f7b4-4cce-96e4-18cddf81d86e |
249249
> | [Attestation Reader](#attestation-reader) | Can read the attestation provider properties | fd1bd22b-8476-40bc-a0bc-69b95687b9f3 |
250250
> | [Key Vault Administrator](#key-vault-administrator) | Perform all data plane operations on a key vault and all objects in it, including certificates, keys, and secrets. Cannot manage key vault resources or manage role assignments. Only works for key vaults that use the 'Azure role-based access control' permission model. | 00482a5a-887f-4fb3-b363-3b7fe8e74483 |
251+
> | [Key Vault Certificate User](#key-vault-certificate-user) | Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model. | db79e9a7-68ee-4b58-9aeb-b90e7c24fcba |
251252
> | [Key Vault Certificates Officer](#key-vault-certificates-officer) | Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | a4417e6f-fecd-4de8-b567-7b0420556985 |
252253
> | [Key Vault Contributor](#key-vault-contributor) | Manage key vaults, but does not allow you to assign roles in Azure RBAC, and does not allow you to access secrets, keys, or certificates. | f25e0fa2-a7c8-4377-a976-54943a77a395 |
253254
> | [Key Vault Crypto Officer](#key-vault-crypto-officer) | Perform any action on the keys of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model. | 14b46e9e-c2b7-41b4-b07b-48a6ebf60603 |
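Review bot: the one-line summary for the new Key Vault Certificate User row ("Read certificate contents") understates what the role grants; the role definition added later in this same file lists `Microsoft.KeyVault/vaults/secrets/getSecret/action` with no condition, which reads the value of every secret in the vault, not only the secret half of a certificate. Suggest wording the summary the way the Key Vault Secrets User row does, e.g. "Read entire certificate contents, including the secret and key portions; also grants read of all secrets in the vault", so a reader scanning the table does not pick this role as a least-privilege option for certificate-only access.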
@@ -304,6 +305,7 @@ The following table provides a brief description of each built-in role. Click th
304305
> | [Cost Management Contributor](#cost-management-contributor) | Can view costs and manage cost configuration (e.g. budgets, exports) | 434105ed-43f6-45c7-a02f-909b2ba83430 |
305306
> | [Cost Management Reader](#cost-management-reader) | Can view cost data and configuration (e.g. budgets, exports) | 72fafb9e-0641-4937-9268-a91bfd8191a3 |
306307
> | [Hierarchy Settings Administrator](#hierarchy-settings-administrator) | Allows users to edit and delete Hierarchy Settings | 350f8d15-c687-4448-8ae1-157740a3936d |
308+
> | [Kubernetes Agentless Operator](#kubernetes-agentless-operator) | Grants Microsoft Defender for Cloud access to Azure Kubernetes Services | d5a2ae44-610b-4500-93be-660a0c5f5ca6 |
307309
> | [Kubernetes Cluster - Azure Arc Onboarding](#kubernetes-cluster---azure-arc-onboarding) | Role definition to authorize any user/service to create connectedClusters resource | 34e09817-6cbe-4d01-b1a2-e0eac5743d41 |
308310
> | [Kubernetes Extension Contributor](#kubernetes-extension-contributor) | Can create, update, get, list and delete Kubernetes Extensions, and get extension async operations | 85cb6faf-e071-4c9b-8136-154b5a04f717 |
309311
> | [Managed Application Contributor Role](#managed-application-contributor-role) | Allows for creating managed application resources. | 641177b8-a67a-45b9-a033-47bc880bb21e |
@@ -12955,6 +12957,53 @@ Perform all data plane operations on a key vault and all objects in it, includin
1295512957
}
1295612958
```
1295712959

12960+
### Key Vault Certificate User
12961+
12962+
Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.
12963+
12964+
[Learn more](/azure/key-vault/general/rbac-guide)
12965+
12966+
> [!div class="mx-tableFixed"]
12967+
> | Actions | Description |
12968+
> | --- | --- |
12969+
> | *none* | |
12970+
> | **NotActions** | |
12971+
> | *none* | |
12972+
> | **DataActions** | |
12973+
> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/certificates/read | List certificates in a specified key vault, or get information about a certificate. |
12974+
> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/getSecret/action | Gets the value of a secret. |
12975+
> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/secrets/readMetadata/action | List or view the properties of a secret, but not its value. |
12976+
> | [Microsoft.KeyVault](resource-provider-operations.md#microsoftkeyvault)/vaults/keys/read | List keys in the specified vault, or read properties and public material of a key. For asymmetric keys, this operation exposes public key and includes ability to perform public key algorithms such as encrypt and verify signature. Private keys and symmetric keys are never exposed. |
12977+
> | **NotDataActions** | |
12978+
> | *none* | |
12979+
12980+
```json
12981+
{
12982+
"assignableScopes": [
12983+
"/"
12984+
],
12985+
"description": "Read certificate contents. Only works for key vaults that use the 'Azure role-based access control' permission model.",
12986+
"id": "/providers/Microsoft.Authorization/roleDefinitions/db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
12987+
"name": "db79e9a7-68ee-4b58-9aeb-b90e7c24fcba",
12988+
"permissions": [
12989+
{
12990+
"actions": [],
12991+
"notActions": [],
12992+
"dataActions": [
12993+
"Microsoft.KeyVault/vaults/certificates/read",
12994+
"Microsoft.KeyVault/vaults/secrets/getSecret/action",
12995+
"Microsoft.KeyVault/vaults/secrets/readMetadata/action",
12996+
"Microsoft.KeyVault/vaults/keys/read"
12997+
],
12998+
"notDataActions": []
12999+
}
13000+
],
13001+
"roleName": "Key Vault Certificate User",
13002+
"roleType": "BuiltInRole",
13003+
"type": "Microsoft.Authorization/roleDefinitions"
13004+
}
13005+
```
13006+
1295813007
### Key Vault Certificates Officer
1295913008

1296013009
Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.
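Review bot: the description at the top of the new Key Vault Certificate User section does not match the dataActions table beneath it. The table grants `Microsoft.KeyVault/vaults/secrets/getSecret/action` and `Microsoft.KeyVault/vaults/secrets/readMetadata/action` on the whole vault with no NotDataActions and no condition, so an assignee can read any secret in the vault, and `Microsoft.KeyVault/vaults/keys/read` exposes public key material and public-key operations for every key, as its own description says. "Read certificate contents" should be expanded to say the role reads certificates together with their backing secret and key, and that the secret read is vault-wide; otherwise the section and the `"description"` field in the JSON give a narrower picture than the permissions. Also note the `[Learn more](/azure/key-vault/general/rbac-guide)` link is the general RBAC guide rather than anything certificate-specific, which is fine, but it means this section is the only place the scope caveat can live.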
@@ -13840,6 +13889,7 @@ Microsoft Sentinel Responder
1384013889
> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/automationRules/* | |
1384113890
> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/cases/* | |
1384213891
> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/incidents/* | |
13892+
> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/entities/runPlaybook/action | Run playbook on entity |
1384313893
> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/appendTags/action | Append tags to Threat Intelligence Indicator |
1384413894
> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/indicators/query/action | Query Threat Intelligence Indicators |
1384513895
> | [Microsoft.SecurityInsights](resource-provider-operations.md#microsoftsecurityinsights)/threatIntelligence/bulkTag/action | Bulk Tags Threat Intelligence |
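Review bot: the new `Microsoft.SecurityInsights/entities/runPlaybook/action` row ("Run playbook on entity") is inserted between `incidents/*` and the `threatIntelligence/...` rows, which breaks the otherwise alphabetical ordering of this table (automationRules, cases, incidents, threatIntelligence); it belongs between `cases/*` and `incidents/*`, and the JSON hunk below should be reordered to match. Separately, the description is terse for what is an execution capability rather than a read: it lets a Responder trigger an automation playbook against an entity, which is a meaningful widening of the role compared with the list/query actions around it, and the description would be more useful if it said "Run a playbook (automation workflow) on an entity".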
@@ -13888,6 +13938,7 @@ Microsoft Sentinel Responder
1388813938
"Microsoft.SecurityInsights/automationRules/*",
1388913939
"Microsoft.SecurityInsights/cases/*",
1389013940
"Microsoft.SecurityInsights/incidents/*",
13941+
"Microsoft.SecurityInsights/entities/runPlaybook/action",
1389113942
"Microsoft.SecurityInsights/threatIntelligence/indicators/appendTags/action",
1389213943
"Microsoft.SecurityInsights/threatIntelligence/indicators/query/action",
1389313944
"Microsoft.SecurityInsights/threatIntelligence/bulkTag/action",
@@ -16435,6 +16486,61 @@ Allows users to edit and delete Hierarchy Settings
1643516486
}
1643616487
```
1643716488

16489+
### Kubernetes Agentless Operator
16490+
16491+
Grants Microsoft Defender for Cloud access to Azure Kubernetes Services
16492+
16493+
[Learn more](/azure/defender-for-cloud/defender-for-containers-architecture)
16494+
16495+
> [!div class="mx-tableFixed"]
16496+
> | Actions | Description |
16497+
> | --- | --- |
16498+
> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/write | Create or update trusted access role bindings for managed cluster |
16499+
> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/read | Get trusted access role bindings for managed cluster |
16500+
> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/trustedAccessRoleBindings/delete | Delete trusted access role bindings for managed cluster |
16501+
> | [Microsoft.ContainerService](resource-provider-operations.md#microsoftcontainerservice)/managedClusters/read | Get a managed cluster |
16502+
> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/features/read | Gets the features of a subscription. |
16503+
> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/read | Gets the feature of a subscription in a given resource provider. |
16504+
> | [Microsoft.Features](resource-provider-operations.md#microsoftfeatures)/providers/features/register/action | Registers the feature for a subscription in a given resource provider. |
16505+
> | [Microsoft.Security](resource-provider-operations.md#microsoftsecurity)/pricings/securityoperators/read | Gets the security operators for the scope |
16506+
> | **NotActions** | |
16507+
> | *none* | |
16508+
> | **DataActions** | |
16509+
> | *none* | |
16510+
> | **NotDataActions** | |
16511+
> | *none* | |
16512+
16513+
```json
16514+
{
16515+
"assignableScopes": [
16516+
"/"
16517+
],
16518+
"description": "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services",
16519+
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a2ae44-610b-4500-93be-660a0c5f5ca6",
16520+
"name": "d5a2ae44-610b-4500-93be-660a0c5f5ca6",
16521+
"permissions": [
16522+
{
16523+
"actions": [
16524+
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write",
16525+
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/read",
16526+
"Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/delete",
16527+
"Microsoft.ContainerService/managedClusters/read",
16528+
"Microsoft.Features/features/read",
16529+
"Microsoft.Features/providers/features/read",
16530+
"Microsoft.Features/providers/features/register/action",
16531+
"Microsoft.Security/pricings/securityoperators/read"
16532+
],
16533+
"notActions": [],
16534+
"dataActions": [],
16535+
"notDataActions": []
16536+
}
16537+
],
16538+
"roleName": "Kubernetes Agentless Operator",
16539+
"roleType": "BuiltInRole",
16540+
"type": "Microsoft.Authorization/roleDefinitions"
16541+
}
16542+
```
16543+
1643816544
### Kubernetes Cluster - Azure Arc Onboarding
1643916545

1644016546
Role definition to authorize any user/service to create connectedClusters resource
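Review bot: the new Kubernetes Agentless Operator section should say explicitly that this role is intended for the Microsoft Defender for Cloud service identity and not for users. As written, it is assignable at `"/"` and its actions include `Microsoft.ContainerService/managedClusters/trustedAccessRoleBindings/write` and `.../delete` on every managed cluster in scope (a trusted access role binding is what lets an Azure service reach the cluster's API server) plus `Microsoft.Features/providers/features/register/action`, which registers preview features for the whole subscription. The one-line description "Grants Microsoft Defender for Cloud access to Azure Kubernetes Services" does not tell a reader that an assignee can grant cluster access and flip subscription features; a sentence such as "Assign only to the Defender for Cloud identity; this role can create and delete trusted access bindings on clusters and register subscription features" would close that gap, and the `[Learn more](/azure/defender-for-cloud/defender-for-containers-architecture)` link should then be the place a reader is pointed for why those permissions are needed.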

articles/role-based-access-control/includes/resource-provider-operations/integration.md

Lines changed: 79 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -541,6 +541,85 @@ Azure service: core
541541
> | Microsoft.AppConfiguration/configurationStores/snapshots/write | Creates or updates a snapshot in the configuration store. |
542542
> | Microsoft.AppConfiguration/configurationStores/snapshots/archive/action | Modifies archival state for an existing snapshot in the configuration store. |
543543
544+
### Microsoft.AVS
545+
546+
Azure service: [Azure VMware Solution](/azure/azure-vmware/introduction)
547+
548+
> [!div class="mx-tableFixed"]
549+
> | Action | Description |
550+
> | --- | --- |
551+
> | Microsoft.AVS/register/action | Register Subscription for Microsoft.AVS resource provider. |
552+
> | Microsoft.AVS/unregister/action | Unregister Subscription for Microsoft.AVS resource provider. |
553+
> | Microsoft.AVS/checkNameAvailability/read | Checks if the privateCloud Name is available |
554+
> | Microsoft.AVS/locations/checkNameAvailability/read | Checks if the privateCloud Name is available |
555+
> | Microsoft.AVS/locations/checkQuotaAvailability/read | Checks if quota is available for the subscription |
556+
> | Microsoft.AVS/locations/checkTrialAvailability/read | Checks if trial is available for the subscription |
557+
> | Microsoft.AVS/operations/read | Lists operations available on Microsoft.AVS resource provider. |
558+
> | Microsoft.AVS/privateClouds/register/action | Registers the Microsoft Microsoft.AVS resource provider and enables creation of Private Clouds. |
559+
> | Microsoft.AVS/privateClouds/write | Creates or updates a PrivateCloud resource. |
560+
> | Microsoft.AVS/privateClouds/read | Gets the settings for the specified PrivateCloud. |
561+
> | Microsoft.AVS/privateClouds/delete | Delete a specific PrivateCloud. |
562+
> | Microsoft.AVS/privateClouds/addOns/read | Read addOns. |
563+
> | Microsoft.AVS/privateClouds/addOns/write | Write addOns. |
564+
> | Microsoft.AVS/privateClouds/addOns/delete | Delete addOns. |
565+
> | Microsoft.AVS/privateClouds/addOns/operationStatuses/read | Read addOns operationStatuses. |
566+
> | Microsoft.AVS/privateClouds/authorizations/read | Gets the authorization settings for a PrivateCloud cluster. |
567+
> | Microsoft.AVS/privateClouds/authorizations/write | Create or update a PrivateCloud authorization resource. |
568+
> | Microsoft.AVS/privateClouds/authorizations/delete | Delete a specific PrivateCloud authorization. |
569+
> | Microsoft.AVS/privateClouds/clusters/read | Gets the cluster settings for a PrivateCloud cluster. |
570+
> | Microsoft.AVS/privateClouds/clusters/write | Create or update a PrivateCloud cluster resource. |
571+
> | Microsoft.AVS/privateClouds/clusters/delete | Delete a specific PrivateCloud cluster. |
572+
> | Microsoft.AVS/privateClouds/clusters/datastores/read | Get the datastore properties in a private cloud cluster. |
573+
> | Microsoft.AVS/privateClouds/clusters/datastores/write | Create or update datastore in private cloud cluster. |
574+
> | Microsoft.AVS/privateClouds/clusters/datastores/delete | Delete datastore in private cloud cluster. |
575+
> | Microsoft.AVS/privateclouds/clusters/datastores/operationresults/read | Read privateClouds/clusters/datastores operationresults. |
576+
> | Microsoft.AVS/privateClouds/clusters/datastores/operationstatuses/read | Read privateClouds/clusters/datastores operationstatuses. |
577+
> | Microsoft.AVS/privateclouds/clusters/operationresults/read | Reads privateClouds/clusters operationresults. |
578+
> | Microsoft.AVS/privateClouds/clusters/operationstatuses/read | Reads privateClouds/clusters operationstatuses. |
579+
> | Microsoft.AVS/privateClouds/globalReachConnections/delete | Delete globalReachConnections. |
580+
> | Microsoft.AVS/privateClouds/globalReachConnections/write | Write globalReachConnections. |
581+
> | Microsoft.AVS/privateClouds/globalReachConnections/read | Read globalReachConnections. |
582+
> | Microsoft.AVS/privateClouds/globalReachConnections/operationStatuses/read | Read globalReachConnections operationStatuses. |
583+
> | Microsoft.AVS/privateClouds/hcxEnterpriseSites/read | Gets the hcxEnterpriseSites for a PrivateCloud. |
584+
> | Microsoft.AVS/privateClouds/hcxEnterpriseSites/write | Create or update a hcxEnterpriseSites. |
585+
> | Microsoft.AVS/privateClouds/hcxEnterpriseSites/delete | Delete a specific hcxEnterpriseSites. |
586+
> | Microsoft.AVS/privateClouds/hostInstances/read | Gets the hostInstances for a PrivateCloud. |
587+
> | Microsoft.AVS/privateClouds/hostInstances/write | Create or update a hostInstances. |
588+
> | Microsoft.AVS/privateClouds/hostInstances/delete | Delete a specific hostInstances. |
589+
> | Microsoft.AVS/privateClouds/operationresults/read | Reads privateClouds operationresults. |
590+
> | Microsoft.AVS/privateClouds/operationstatuses/read | Reads privateClouds operationstatuses. |
591+
> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/delete | Delete dhcpConfigurations. |
592+
> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/write | Write dhcpConfigurations. |
593+
> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/read | Read dhcpConfigurations. |
594+
> | Microsoft.AVS/privateClouds/workloadNetworks/dhcpConfigurations/operationStatuses/read | Read dhcpConfigurations operationStatuses. |
595+
> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/delete | Delete dnsServices. |
596+
> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/write | Write dnsServices. |
597+
> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/read | Read dnsServices. |
598+
> | Microsoft.AVS/privateClouds/workloadNetworks/dnsServices/operationStatuses/read | Read dnsServices operationStatuses. |
599+
> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/delete | Delete dnsZones. |
600+
> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/write | Write dnsZones. |
601+
> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/read | Read dnsZones. |
602+
> | Microsoft.AVS/privateClouds/workloadNetworks/dnsZones/operationStatuses/read | Read dnsZones operationStatuses. |
603+
> | Microsoft.AVS/privateClouds/workloadNetworks/gateways/read | Read gateways. |
604+
> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/delete | Delete portMirroringProfiles. |
605+
> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/write | Write portMirroringProfiles. |
606+
> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/read | Read portMirroringProfiles. |
607+
> | Microsoft.AVS/privateClouds/workloadNetworks/portMirroringProfiles/operationStatuses/read | Read portMirroringProfiles operationStatuses. |
608+
> | Microsoft.AVS/privateClouds/workloadNetworks/segments/delete | Delete segments. |
609+
> | Microsoft.AVS/privateClouds/workloadNetworks/segments/write | Write segments. |
610+
> | Microsoft.AVS/privateClouds/workloadNetworks/segments/read | Read segments. |
611+
> | Microsoft.AVS/privateClouds/workloadNetworks/segments/operationStatuses/read | Read segments operationStatuses. |
612+
> | Microsoft.AVS/privateClouds/workloadNetworks/virtualMachines/read | Read virtualMachines. |
613+
> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/delete | Delete vmGroups. |
614+
> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/write | Write vmGroups. |
615+
> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/read | Read vmGroups. |
616+
> | Microsoft.AVS/privateClouds/workloadNetworks/vmGroups/operationStatuses/read | Read vmGroups operationStatuses. |
617+
> | **DataAction** | **Description** |
618+
> | Microsoft.AVS/privateClouds/listAdminCredentials/action | Lists the AdminCredentials for privateClouds. |
619+
> | Microsoft.AVS/privateClouds/rotateVcenterPassword/action | Rotate Vcenter password for the PrivateCloud. |
620+
> | Microsoft.AVS/privateClouds/rotateNsxtPassword/action | Rotate Nsxt CloudAdmin password for the PrivateCloud. |
621+
> | Microsoft.AVS/privateClouds/rotateNsxtCloudAdminPassword/action | Rotate Nsxt CloudAdmin password for the PrivateCloud. |
622+
544623
### Microsoft.AzureStack
545624

546625
Azure service: [Azure Stack](/azure-stack/)
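Review bot: several rows in the new Microsoft.AVS table need cleanup before this merges. `Microsoft.AVS/privateClouds/register/action` reads "Registers the Microsoft Microsoft.AVS resource provider" (duplicated word). The segment casing is inconsistent: `Microsoft.AVS/privateclouds/clusters/datastores/operationresults/read` and `Microsoft.AVS/privateclouds/clusters/operationresults/read` use lowercase `privateclouds` while every other row uses `privateClouds`; if the provider really publishes both spellings that is worth a note, otherwise these look like typos that will mislead anyone building a custom role from the table. `Microsoft.AVS/privateClouds/rotateNsxtPassword/action` and `Microsoft.AVS/privateClouds/rotateNsxtCloudAdminPassword/action` carry the identical description "Rotate Nsxt CloudAdmin password for the PrivateCloud", so the reader cannot tell them apart. Finally, `Microsoft.AVS/privateClouds/listAdminCredentials/action` under DataAction returns the vCenter and NSX-T admin credentials for the private cloud; its description "Lists the AdminCredentials for privateClouds" should make clear it discloses credentials, since that is the row a reviewer of a custom role most needs to notice.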
