Merge pull request #265810 from pauljewellmsft/ga-abac-env

American-Dipper · web-flow · commit bb132dc58cb4 · 2024-04-01T15:08:16.000-07:00
[ABAC] Environment attributes / Premium account perf tier GA
diff --git a/articles/role-based-access-control/conditions-format.md b/articles/role-based-access-control/conditions-format.md
@@ -6,7 +6,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
-ms.date: 11/15/2023
+ms.date: 04/01/2024
 ms.author: rolyon
 #Customer intent: As a dev, devops, or it admin, I want to learn about the conditions so that I write more complex conditions.
 ---
@@ -247,7 +247,7 @@ Depending on the selected actions, the attribute might be found in different pla
 > [!div class="mx-tableFixed"]
 > | Attribute source | Description | Code |
 > | --- | --- | --- |
-> | [Environment](#environment-attributes) | Attribute is associated with the environment of the request, such as the network origin of the request or the current date and time.</br>***(Environment attributes are currently in preview.)*** | `@Environment` |
+> | [Environment](#environment-attributes) | Attribute is associated with the environment of the request, such as the network origin of the request or the current date and time.</br> | `@Environment` |
 > | [Principal](#principal-attributes) | Attribute is a custom security attribute assigned to the principal, such as a user or enterprise application (service principal). | `@Principal` |
 > | [Request](#request-attributes) | Attribute is part of the action request, such as setting the blob index tag. | `@Request` |
 > | [Resource](#resource-attributes) | Attribute is a property of the resource, such as a container name. | `@Resource` |
@@ -261,10 +261,6 @@ For a complete list of the storage attributes you can use in conditions, see:
 
 Environment attributes are associated with the circumstances under which the access request is made, such as the date and time of day or the network environment. The network environment might be whether access is over a specific private endpoint or a virtual network subnet, or perhaps over any private link.
 
-> [!IMPORTANT]
-> Environment attributes are currently in PREVIEW.
-> See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
-
 The following table lists the supported environment attributes for conditions.
 
 | Display name | Description | Attribute | Type |
diff --git a/articles/role-based-access-control/conditions-overview.md b/articles/role-based-access-control/conditions-overview.md
@@ -6,7 +6,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: overview
-ms.date: 12/01/2023
+ms.date: 04/01/2024
 ms.author: rolyon
 #Customer intent: As a dev, devops, or it admin, I want to learn how to constrain access within a role assignment by using conditions.
 ---
@@ -100,11 +100,11 @@ For more information about the format of conditions, see [Azure role assignment
 
 ## Status of condition features
 
-Some features of conditions are still in preview. The following table lists the status of condition features:
+The following table lists the status of condition features:
 
 | Feature | Status | Date |
 | --- | --- | --- |
-| Use [environment attributes](conditions-format.md#environment-attributes) in a condition | Preview | April 2023 |
+| Use [environment attributes](conditions-format.md#environment-attributes) in a condition | GA | April 2024 |
 | Add conditions using the [condition editor in the Azure portal](conditions-role-assignments-portal.md) | GA | October 2022 |
 | Add conditions using [Azure PowerShell](conditions-role-assignments-powershell.md), [Azure CLI](conditions-role-assignments-cli.md), or [REST API](conditions-role-assignments-rest.md) | GA | October 2022 |
 | Use [resource and request attributes](conditions-format.md#attributes) for specific combinations of Azure storage resources, access attribute types, and storage account performance tiers. For more information, see [Status of condition features in Azure Storage](../storage/blobs/storage-auth-abac.md#status-of-condition-features-in-azure-storage). | GA | October 2022 |
diff --git a/articles/role-based-access-control/conditions-role-assignments-portal.md b/articles/role-based-access-control/conditions-role-assignments-portal.md
@@ -6,7 +6,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
-ms.date: 11/15/2023
+ms.date: 04/01/2024
 ms.author: rolyon
 ms.custom: subject-rbac-steps
 ---
@@ -105,7 +105,7 @@ Once you have the Add role assignment condition page open, you can review the ba
 
 1. In the **Attribute source** list, select where the attribute can be found.
 
-    - **Environment** (preview) indicates that the attribute is associated with the network environment over which the resource is accessed such as a private link, or the current date and time.
+    - **Environment** indicates that the attribute is associated with the network environment over which the resource is accessed such as a private link, or the current date and time.
     - **Resource** indicates that the attribute is on the resource, such as container name.
     - **Request** indicates that the attribute is part of the action request, such as setting the blob index tag.
     - **Principal** indicates that the attribute is a Microsoft Entra custom security attribute principal, such as a user, enterprise application (service principal), or managed identity.
diff --git a/articles/storage/blobs/storage-auth-abac-examples.md b/articles/storage/blobs/storage-auth-abac-examples.md
@@ -1409,6 +1409,8 @@ Here are the settings to add this condition using the Azure portal.
 > | Operator | [ForAllOfAnyValues:StringEqualsIgnoreCase](../../role-based-access-control/conditions-format.md#forallofanyvalues) |
 > | Value | {'metadata', 'snapshots', 'versions'} |
 
+:::image type="content" source="./media/storage-auth-abac-examples/blob-include-list-allow-portal.png" alt-text="Screenshot of condition editor in Azure portal showing a condition to allow a user to list blobs in a container and include metadata, snapshot, and version information." lightbox="./media/storage-auth-abac-examples/blob-include-list-allow-portal.png":::
+
 # [Portal: Code editor](#tab/portal-code-editor)
 
 To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
@@ -1467,6 +1469,8 @@ Here are the settings to add this condition using the Azure portal.
 > | Operator | [ForAllOfAllValues:StringNotEquals](../../role-based-access-control/conditions-format.md#forallofallvalues) |
 > | Value | {'metadata'} |
 
+:::image type="content" source="./media/storage-auth-abac-examples/blob-include-list-metadata-deny-portal.png" alt-text="Screenshot of condition editor in Azure portal showing a condition to restrict a user from listing blobs when metadata is included in the request." lightbox="./media/storage-auth-abac-examples/blob-include-list-metadata-deny-portal.png":::
+
 # [Portal: Code editor](#tab/portal-code-editor)
 
 To add the condition using the code editor, copy the condition code sample and paste it into the code editor. After entering your code, switch back to the visual editor to validate it.
diff --git a/articles/storage/blobs/storage-auth-abac.md b/articles/storage/blobs/storage-auth-abac.md
@@ -6,7 +6,7 @@ author: pauljewellmsft
 ms.author: pauljewell
 ms.service: azure-blob-storage
 ms.topic: conceptual
-ms.date: 01/26/2024
+ms.date: 04/01/2024
 ms.reviewer: nachakra
 ---
 
@@ -62,19 +62,18 @@ The [Azure role assignment condition format](../../role-based-access-control/con
 
 ## Status of condition features in Azure Storage
 
-Currently, Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access only to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using `request`, `resource`, and `principal` attributes in the standard storage account performance tier. It's either not available or in PREVIEW for other storage account performance tiers, resource types, and attributes.
+Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using `request`, `resource`, `environment`, and `principal` attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW.
 
-See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
-
-The following table shows the current status of ABAC by storage account performance tier, storage resource type, and attribute type. Exceptions for specific attributes are also shown.
+The following table shows the current status of ABAC by storage resource type and attribute type. Exceptions for specific attributes are also shown.
 
-| Performance tier | Resource types | Attribute types    | Attributes                | Availability |
-|---|---|---|---|---|
-| Standard | Blobs<br/>Data Lake Storage Gen2<br/>Queues | request<br/>resource<br/>principal | All attributes except for the snapshot resource attribute for Data Lake Storage Gen2 | GA |
-| Standard | Data Lake Storage Gen2                      | resource                  | snapshot       | Preview |
-| Standard | Blobs<br/>Data Lake Storage Gen2<br/>Queues | environment | All attributes | Preview |
-| Premium  | Blobs<br/>Data Lake Storage Gen2<br/>Queues | environment<br/>principal<br/>request<br/>resource | All attributes | Preview |
+| Resource types | Attribute types    | Attributes                | Availability |
+|---|---|---|---|
+| Blobs<br/>Data Lake Storage Gen2<br/>Queues | request<br/>resource<br/>environment<br/>principal | All attributes except those explicitly noted in this table | GA |
+| Data Lake Storage Gen2                      | resource        | [snapshot](storage-auth-abac-attributes.md#snapshot)           | Preview |
+| Blobs<br/>Data Lake Storage Gen2            | resource        | [container metadata](storage-auth-abac-attributes.md#container-metadata) | Preview |
+| Blobs                                       | request         | [list blob include](storage-auth-abac-attributes.md#list-blob-include)  | Preview |
 
+See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
 
 > [!NOTE] 
 > Some storage features aren't supported for Data Lake Storage Gen2 storage accounts, which use a hierarchical namespace (HNS). To learn more, see [Blob storage feature support](storage-feature-support-in-storage-accounts.md).
@@ -84,6 +83,7 @@ The following table shows the current status of ABAC by storage account performa
 > - [Blob index tags [Keys]](storage-auth-abac-attributes.md#blob-index-tags-keys)
 > - [Blob index tags [Values in key]](storage-auth-abac-attributes.md#blob-index-tags-values-in-key)
 > - [Version ID](storage-auth-abac-attributes.md#version-id)
+> - [List blob include](storage-auth-abac-attributes.md#list-blob-include)
 
 ## Next steps
 
diff --git a/includes/storage-abac-preview.md b/includes/storage-abac-preview.md
@@ -5,12 +5,12 @@ services: storage
 author: pauljewellmsft
 ms.service: azure-storage
 ms.topic: "include"
-ms.date: 11/15/2023
+ms.date: 04/01/2024
 ms.author: pauljewell
 ms.custom: "include file"
 ---
 
 > [!IMPORTANT]
-> Currently, Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access only to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using `request`, `resource`, and `principal` attributes in the standard storage account performance tier. It is either not available or in PREVIEW for other storage account performance tiers, resource types, and attributes. For complete feature status information of ABAC for Azure Storage, see [Status of condition features in Azure Storage](../articles/storage/blobs/storage-auth-abac.md#status-of-condition-features-in-azure-storage).
+> Azure attribute-based access control (Azure ABAC) is generally available (GA) for controlling access to Azure Blob Storage, Azure Data Lake Storage Gen2, and Azure Queues using `request`, `resource`, `environment`, and `principal` attributes in both the standard and premium storage account performance tiers. Currently, the container metadata resource attribute and the list blob include request attribute are in PREVIEW. For complete feature status information of ABAC for Azure Storage, see [Status of condition features in Azure Storage](../articles/storage/blobs/storage-auth-abac.md#status-of-condition-features-in-azure-storage).
 >
 > See the [Supplemental Terms of Use for Microsoft Azure Previews](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) for legal terms that apply to Azure features that are in beta, preview, or otherwise not yet released into general availability.
