Commit a055836

committed
removed PII and clarified role assignments
1 parent e70b1af commit a055836

2 files changed

+15
-16
lines changed

articles/search/search-security-rbac.md

Lines changed: 12 additions & 12 deletions
@@ -8,14 +8,14 @@ author: HeidiSteen
88
ms.author: heidist
99
ms.service: cognitive-search
1010
ms.topic: how-to
11-
ms.date: 01/05/2024
11+
ms.date: 04/29/2024
1212
ms.custom:
1313
- subject-rbac-steps
1414
- references_regions
1515
- ignite-2023
1616
---
1717

18-
# Connect to Azure AI Search using Azure role-based access control (Azure RBAC)
18+
# Connect to Azure AI Search using Azure role-based access control
1919

2020
Azure provides a global [role-based access control authorization system](../role-based-access-control/role-assignments-portal.yml) for all services running on the platform. In Azure AI Search, you can use Azure roles for:
2121

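Review bot: dropping the "(Azure RBAC)" parenthetical from the H1 removes the only place the abbreviation was introduced, yet the note at line 45 of this same file still says "Disabling Azure RBAC". Either keep the parenthetical in the title or expand the abbreviation at its first use in the body, so the term is defined before it is used.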
@@ -26,7 +26,7 @@ Azure provides a global [role-based access control authorization system](../role
2626
Per-user access over search results (sometimes referred to as row-level security or document-level security) isn't supported. As a workaround, [create security filters](search-security-trimming-for-azure-search.md) that trim results by user identity, removing documents for which the requestor shouldn't have access.
2727

2828
> [!NOTE]
29-
> In Azure AI Search, "control plane" refers to operations supported in the [Management REST API](/rest/api/searchmanagement/) or equivalent client libraries. The "data plane" refers to operations against the search service endpoint, such as indexing or queries, or any other operation specified in the [Search REST API](/rest/api/searchservice/) or equivalent client libraries.
29+
> A quick note about terminology. "Control plane" refers to operations supported in the [Management REST API](/rest/api/searchmanagement/) or equivalent client libraries. "Data plane" refers to operations against the search service endpoint, such as indexing or queries, or any other operation specified in the [Search REST API](/rest/api/searchservice/) or equivalent client libraries.
3030
3131
## Built-in roles used in Search
3232

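Review bot: the added opener "A quick note about terminology." is redundant inside a [!NOTE] callout, and dropping "In Azure AI Search," makes the two definitions read as if they applied to Azure in general rather than to this service's Management REST API and Search REST API. Suggest keeping the scoping phrase and starting directly with the definition: `> In Azure AI Search, "control plane" refers to operations supported in the [Management REST API](/rest/api/searchmanagement/) or equivalent client libraries.`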
@@ -37,9 +37,9 @@ The following roles are built in. If these roles are insufficient, [create a cus
3737
| [Owner](../role-based-access-control/built-in-roles.md#owner) | Control & Data | Full access to the control plane of the search resource, including the ability to assign Azure roles. Only the Owner role can enable or disable authentication options or manage roles for other users. Subscription administrators are members by default. </br></br>On the data plane, this role has the same access as the Search Service Contributor role. It includes access to all data plane actions except the ability to query or index documents.|
3838
| [Contributor](../role-based-access-control/built-in-roles.md#contributor) | Control & Data | Same level of control plane access as Owner, minus the ability to assign roles or change authentication options. </br></br>On the data plane, this role has the same access as the Search Service Contributor role. It includes access to all data plane actions except the ability to query or index documents.|
3939
| [Reader](../role-based-access-control/built-in-roles.md#reader) | Control & Data | Read access across the entire service, including search metrics, content metrics (storage consumed, number of objects), and the object definitions of data plane resources (indexes, indexers, and so on). However, it can't read API keys or read content within indexes. |
40-
| [Search Service Contributor](../role-based-access-control/built-in-roles.md#search-service-contributor) | Control & Data | Read-write access to object definitions (indexes, synonym maps, indexers, data sources, and skillsets). See [`Microsoft.Search/searchServices/*`](../role-based-access-control/resource-provider-operations.md#microsoftsearch) for the permissions list. This role can't access content in an index, so no querying or indexing, but it can create, delete, and list indexes, return index definitions and statistics, and test analyzers. This role is for search service administrators who need to manage the search service and its objects, but without content access. |
41-
| [Search Index Data Contributor](../role-based-access-control/built-in-roles.md#search-index-data-contributor) | Data | Read-write access to content in all indexes on the search service. This role is for developers or index owners who need to import, refresh, or query the documents collection of an index. |
42-
| [Search Index Data Reader](../role-based-access-control/built-in-roles.md#search-index-data-reader) | Data | Read-only access to all search indexes on the search service. This role is for apps and users who run queries. |
40+
| [Search Service Contributor](../role-based-access-control/built-in-roles.md#search-service-contributor) | Control & Data | Read-write access to object definitions (indexes, synonym maps, indexers, data sources, and skillsets). This role is for developers who create objects and for search service administrators who need to manage the search service and its objects, but without content access. Use this role to create, delete, and list indexes, return index definitions, return service information (statistics and quotas), test analyzers, create and manage synonym maps, indexers, data sources, and skillsets. This role can't access content in an index, so no querying or indexing, but it can. See [`Microsoft.Search/searchServices/*`](../role-based-access-control/resource-provider-operations.md#microsoftsearch) for the permissions list. |
41+
| [Search Index Data Contributor](../role-based-access-control/built-in-roles.md#search-index-data-contributor) | Data | Read-write access to content in all indexes on the search service. This role is for developers or index owners who need to import, refresh, or query the documents collection of an index. This role doesn't support object creation. |
42+
| [Search Index Data Reader](../role-based-access-control/built-in-roles.md#search-index-data-reader) | Data | Read-only access for querying all search indexes on the search service. This role is for apps and users who run queries. You can't assign roles to specific indexes, so this role is for all indexes. This role doesn't provide read access to object definitions. For example, you can't read search service statistics or read an index definition. |
4343

4444
> [!NOTE]
4545
> If you disable Azure role-based access, built-in roles for the control plane (Owner, Contributor, Reader) continue to be available. Disabling Azure RBAC removes just the data-related permissions associated with those roles. In a disabled-RBAC scenario, Search Service Contributor is equivalent to control-plane Contributor.
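Review bot: the rewritten Search Service Contributor row ends in a truncated sentence: "This role can't access content in an index, so no querying or indexing, but it can." The "but it can create, delete, and list indexes..." clause from the old row was moved into the new "Use this role to..." sentence, so the trailing ", but it can" should be deleted, leaving "This role can't access content in an index, so no querying or indexing." The other additions are worth keeping: stating that Search Index Data Contributor doesn't support object creation and that Search Index Data Reader can't read index definitions or service statistics makes the least-privilege split between object management and content access explicit for readers choosing a role.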
@@ -193,11 +193,11 @@ Make sure that you [register your client application with Microsoft Entra ID](se
193193

194194
1. On the Overview page, select the **Indexes** tab:
195195

196-
+ Contributors can view and create any object, but can't query an index using Search Explorer.
196+
+ Search Service Contributors can view and create any object, but can't load documents or query an index. To verify permissions, [create a search index](search-how-to-create-search-index.md#create-an-index).
197197

198-
+ Search Index Data Readers can use Search Explorer to query the index. You can use any API version to check for access. You should be able to send queries and view results, but you shouldn't be able to view the index definition.
198+
+ Search Index Data Contributors can load and query documents. To verify permissions, run the [Import data wizard](search-get-started-portal.md).
199199

200-
+ Search Service Contributors can select **New Index** to create a new index. Saving a new index verifies write access on the service.
200+
+ Search Index Data Readers can query the index. To verfiy permissions, use [Search explorer](search-explorer.md). You should be able to send queries and view results, but you shouldn't be able to view the index definition.
201201

202202
### [**REST API**](#tab/test-rest)
203203

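Review bot: typo in the new Search Index Data Readers bullet: "verfiy" should be "verify". The reorder itself reads well, since the three bullets now follow the role order used in the table, and each bullet now names a concrete action (create an index, run the Import data wizard, use Search explorer) that should succeed or fail according to the role, which is the kind of check a reader can actually carry out.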
@@ -253,9 +253,9 @@ For more information on how to acquire a token for a specific environment, see [
253253

254254
1. Use [Azure.Identity for .NET](/dotnet/api/overview/azure/identity-readme) for token authentication. Microsoft recommends [`DefaultAzureCredential()`](/dotnet/api/azure.identity.defaultazurecredential) for most scenarios.
255255

256-
+ When obtaining the OAuth token, the scope is "https://search.azure.com/.default". The SDK requires the audience to be "https://search.azure.com". The ".default" is a Microsoft Entra convention.
256+
+ When obtaining the OAuth token, the scope is `https://search.azure.com/.default`. The SDK requires the audience to be `https://search.azure.com` The `.default` is a Microsoft Entra convention.
257257

258-
+ The SDK validates that the user has the "user_impersonation" scope, which must be granted by your app, but the SDK itself just asks for "https://search.azure.com/.default".
258+
+ The SDK validates that the user has the "user_impersonation" scope, which must be granted by your app, but the SDK itself just asks for `https://search.azure.com/.default`.
259259

260260
1. Here's an example of a client connection using `DefaultAzureCredential()`.
261261

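Review bot: missing full stop in the new line 256: "The SDK requires the audience to be `https://search.azure.com` The `.default` is a Microsoft Entra convention." needs a period after the closing backtick. This hunk also switches the URLs to code formatting but leaves "user_impersonation" in quotation marks on line 258; format it as `user_impersonation` for consistency.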
@@ -362,7 +362,7 @@ The portal doesn't currently support role assignments at this level of granulari
362362

363363
In PowerShell, use [New-AzRoleAssignment](/powershell/module/az.resources/new-azroleassignment), providing the Azure user or group name, and the scope of the assignment.
364364

365-
1. Load the Azure and AzureAD modules and connect to your Azure account:
365+
1. Load the `Azure` and `AzureAD` modules and connect to your Azure account:
366366

367367
```powershell
368368
Import-Module -Name Az
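Review bot: the added code formatting names the modules `Azure` and `AzureAD`, but the command that follows is `Import-Module -Name Az`, so the module name in the prose doesn't match the one in the code block. Use `Az` in the sentence (the New-AzRoleAssignment cmdlet referenced above is part of the Az modules) so readers don't go looking for a differently named module.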

articles/search/search-what-is-azure-search.md

Lines changed: 3 additions & 4 deletions
@@ -109,11 +109,10 @@ Customers often ask how Azure AI Search compares with other search-related solut
109109

110110
Key strengths include:
111111

112-
+ Store, index, and search vector embeddings for sentences, images, graphs, and more.
113-
+ Find information that’s semantically similar to search queries, even if the search terms aren’t exact matches.
112+
+ Support for vector and nonvector (text) indexing and queries. With vector similarity search, you can find information that’s semantically similar to search queries, even if the search terms aren’t exact matches.
114113
+ Use hybrid search for the best of keyword and vector search.
115-
+ Relevance tuning through semantic ranking and scoring profiles.
116-
+ Data integration (crawlers) at the indexing layer.
114+
+ Ranking and relevance tuning through semantic ranking and scoring profiles.
115+
+ Azure data integration (crawlers) at the indexing layer.
117116
+ Azure AI integration for transformations that make content text and vector searchable.
118117
+ Microsoft Entra security for trusted connections, and Azure Private Link for private connections in no-internet scenarios.
119118
+ [Full search experience](search-features-list.md): Linguistic and custom text analysis in 56 languages. Faceting, autocomplete queries and suggested results, and synonyms.
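Review bot: the merged bullet "Support for vector and nonvector (text) indexing and queries..." and the renamed "Ranking and relevance tuning..." and "Azure data integration..." items are all noun phrases, which leaves the unchanged "Use hybrid search for the best of keyword and vector search." as the only imperative item in the list. Suggest "Hybrid search that combines keyword and vector search." so the list reads consistently.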