articles/ai-studio/concepts/rbac-ai-studio.md
13 additions & 2 deletions
@@ -24,7 +24,7 @@ In this article, you learn how to manage access (authorization) to an Azure AI h
24
24
25
25
## Azure AI hub resource vs Azure AI project
26
26
27
-
In the Azure AI Studio, there are two levels of access: the Azure AI hub resource and the Azure AI project. The resource is home to the infrastructure (including virtual network setup, customer-managed keys, managed identities, and policies) as well as where you configure your Azure AI services. Azure AI hub resource access can allow you to modify the infrastructure, create new Azure AI hub resources, and create projects. Azure AI projects are a subset of the Azure AI hub resource that act as workspaces that allow you to build and deploy AI systems. Within a project you can develop flows, deploy models, and manage project assets. Project access lets you develop AI end-to-end while taking advantage of the infrastructure setup on the Azure AI hub resource.
27
+
In the Azure AI Studio, there are two levels of access: the Azure AI hub and the Azure AI project. The AI hub is home to the infrastructure (including virtual network setup, customer-managed keys, managed identities, and policies) as well as where you configure your Azure AI services. Azure AI hub access can allow you to modify the infrastructure, create new Azure AI hub resources, and create projects. Azure AI projects are a subset of the Azure AI hub resource that act as workspaces that allow you to build and deploy AI systems. Within a project you can develop flows, deploy models, and manage project assets. Project access lets you develop AI end-to-end while taking advantage of the infrastructure setup on the Azure AI hub resource.
28
28
29
29
:::image type="content" source="../media/concepts/azureai-hub-project-relationship.png" alt-text="Diagram of the relationship between AI Studio resources." lightbox="../media/concepts/azureai-hub-project-relationship.png":::
30
30
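Review bot: the rename from "Azure AI hub resource" to "Azure AI hub" is applied only to the first three mentions in the new line 27; the same paragraph still says "create new Azure AI hub resources", "a subset of the Azure AI hub resource" and "infrastructure setup on the Azure AI hub resource", and the unchanged heading at line 25 still reads "Azure AI hub resource vs Azure AI project". Either carry the new term through the whole paragraph and the heading, or hold the change until the terminology is updated article-wide; mixing both terms in one paragraph reads as if two different resources were meant.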
@@ -114,7 +114,6 @@ The Azure AI hub resource has dependencies on other Azure services. The followin
114
114
|`Microsoft.Insights/Components/Write`| Write to an application insights component configuration. |
115
115
|`Microsoft.OperationalInsights/workspaces/write`| Create a new workspace or links to an existing workspace by providing the customer ID from the existing workspace. |
116
116
117
-
118
117
## Sample enterprise RBAC setup
119
118
The following is an example of how to set up role-based access control for your Azure AI Studio for an enterprise.
120
119
@@ -151,6 +150,18 @@ If the built-in roles are insufficient, you can create custom roles. Custom role
151
150
> [!NOTE]
152
151
> You must be an owner of the resource at that level to create custom roles within that resource.
153
152
153
+
## Scenario: Use a customer-managed key
154
+
155
+
When using a customer-managed key (CMK), an Azure Key Vault is used to store the key. The user or service principal used to create the workspace must have owner or contributor access to the key vault.
156
+
157
+
If your Azure AI hub is configured with a **user-assigned managed identity**, the identity must be granted the following roles. These roles allow the managed identity to create the Azure Storage, Azure Cosmos DB, and Azure Search resources used when using a customer-managed key:
158
+
159
+
-`Microsoft.Storage/storageAccounts/write`
160
+
-`Microsoft.Search/searchServices/write`
161
+
-`Microsoft.DocumentDB/databaseAccounts/write`
162
+
163
+
Within the key vault, the user or service principal must have create, get, delete, and purge access to the key through a key vault access policy. For more information, see [Azure Key Vault security](/azure/key-vault/general/security-features#controlling-access-to-key-vault-data).
164
+
154
165
## Next steps
155
166
156
167
-[How to create an Azure AI hub resource](../how-to/create-azure-ai-resource.md)
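Review bot: the new section (lines 153-164) says the user-assigned managed identity "must be granted the following roles", but the three bullets (`Microsoft.Storage/storageAccounts/write`, `Microsoft.Search/searchServices/write`, `Microsoft.DocumentDB/databaseAccounts/write`) are Azure RBAC actions, not roles; suggest "must be assigned a role that includes the following actions" so readers understand these belong in a custom role definition (or must be covered by a built-in role) rather than being assignable on their own. Line 155 also says "the workspace" while this article otherwise talks about the Azure AI hub (line 157); align the term, since this text was copied from the Machine Learning article. Two smaller points: the list markers appear as `-` immediately followed by the backtick with no space, which will not render as a list, so confirm the source reads `- ` with a space; and because this block is identical to the one added to articles/machine-learning/how-to-assign-roles.md in the same commit, an include file would keep the two copies from drifting.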
articles/machine-learning/how-to-assign-roles.md
7 additions & 0 deletions
@@ -224,6 +224,13 @@ You can make custom roles compatible with both V1 and V2 APIs by including both
224
224
225
225
When using a customer-managed key (CMK), an Azure Key Vault is used to store the key. The user or service principal used to create the workspace must have owner or contributor access to the key vault.
226
226
227
+
If your workspace is configured with a **user-assigned managed identity**, the identity must be granted the following roles. These roles allow the managed identity to create the Azure Storage, Azure Cosmos DB, and Azure Search resources used when using a customer-managed key:
228
+
229
+
-`Microsoft.Storage/storageAccounts/write`
230
+
-`Microsoft.Search/searchServices/write`
231
+
-`Microsoft.DocumentDB/databaseAccounts/write`
232
+
233
+
227
234
Within the key vault, the user or service principal must have create, get, delete, and purge access to the key through a key vault access policy. For more information, see [Azure Key Vault security](/azure/key-vault/general/security-features#controlling-access-to-key-vault-data).
228
235
229
236
### User-assigned managed identity with Azure Machine Learning compute cluster
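Review bot: the inserted paragraph and list (lines 227-233) land between two sentences about the same creator identity: line 225 states that the user or service principal needs owner or contributor access to the key vault, and line 234 continues with the key permissions that same user or service principal needs, so the reader is switched to the managed identity and back mid-thought. Consider moving the managed-identity text after line 234 or under its own subheading. The same wording issue as in rbac-ai-studio.md applies here: the bullets are RBAC actions, not roles, so "must be granted the following roles" should become "must be assigned a role that includes the following actions", and "resources used when using a customer-managed key" would read better as "resources that back a customer-managed key configuration".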