Merge pull request #279820 from rolyon/rolyon-rbac-roles-compute-gallery

prmerger-automator[bot] · web-flow · commit bcb715cdeed6 · 2024-07-08T17:58:52.000Z
[Azure RBAC] Compute Gallery roles
diff --git a/articles/role-based-access-control/built-in-roles.md b/articles/role-based-access-control/built-in-roles.md
@@ -37,6 +37,8 @@ The following table provides a brief description of each built-in role. Click th
 > | Built-in role | Description | ID |
 > | --- | --- | --- |
 > | <a name='classic-virtual-machine-contributor'></a>[Classic Virtual Machine Contributor](./built-in-roles/compute.md#classic-virtual-machine-contributor) | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they're connected to. | d73bb868-a0df-4d4d-bd69-98a00b01fccb |
+> | <a name='compute-gallery-artifacts-publisher'></a>[Compute Gallery Artifacts Publisher](./built-in-roles/compute.md#compute-gallery-artifacts-publisher) | This is the role for publishing gallery artifacts. | 85a2d0d9-2eba-4c9c-b355-11c2cc0788ab |
+> | <a name='compute-gallery-sharing-admin'></a>[Compute Gallery Sharing Admin](./built-in-roles/compute.md#compute-gallery-sharing-admin) | This role allows user to share gallery to another subscription/tenant or share it to the public. | 1ef6a3be-d0ac-425d-8c01-acb62866290b |
 > | <a name='data-operator-for-managed-disks'></a>[Data Operator for Managed Disks](./built-in-roles/compute.md#data-operator-for-managed-disks) | Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication. | 959f8984-c045-4866-89c7-12bf9737be2e |
 > | <a name='desktop-virtualization-application-group-contributor'></a>[Desktop Virtualization Application Group Contributor](./built-in-roles/compute.md#desktop-virtualization-application-group-contributor) | Contributor of the Desktop Virtualization Application Group. | 86240b0e-9422-4c43-887b-b61143f32ba8 |
 > | <a name='desktop-virtualization-application-group-reader'></a>[Desktop Virtualization Application Group Reader](./built-in-roles/compute.md#desktop-virtualization-application-group-reader) | Reader of the Desktop Virtualization Application Group. | aebf23d0-b568-4e86-b8f9-fe83a2c6ab55 |
diff --git a/articles/role-based-access-control/built-in-roles/compute.md b/articles/role-based-access-control/built-in-roles/compute.md
@@ -87,6 +87,108 @@ Lets you manage classic virtual machines, but not access to them, and not the vi
 }
 ```
 
+## Compute Gallery Artifacts Publisher
+
+This is the role for publishing gallery artifacts.
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/* |  |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/capsOperations/read | Gets the status of an asynchronous Caps operation |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/communityGalleries/* |  |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/locations/sharedGalleries/* |  |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/images/* |  |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/virtualMachines/write | Creates a new virtual machine or updates an existing virtual machine |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/disks/write | Creates a new Disk or updates an existing one |
+> | [Microsoft.Authorization](../permissions/management-and-governance.md#microsoftauthorization)/*/read | Read roles and role assignments |
+> | [Microsoft.Insights](../permissions/monitor.md#microsoftinsights)/alertRules/* | Create and manage a classic metric alert |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/deployments/* | Create and manage a deployment |
+> | [Microsoft.Resources](../permissions/management-and-governance.md#microsoftresources)/subscriptions/resourceGroups/read | Gets or lists resource groups. |
+> | **NotActions** |  |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/share/action | Shares a Gallery to different scopes |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "This is the role for publishing gallery artifacts.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/85a2d0d9-2eba-4c9c-b355-11c2cc0788ab",
+  "name": "85a2d0d9-2eba-4c9c-b355-11c2cc0788ab",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.Compute/galleries/*",
+        "Microsoft.Compute/locations/capsOperations/read",
+        "Microsoft.Compute/locations/communityGalleries/*",
+        "Microsoft.Compute/locations/sharedGalleries/*",
+        "Microsoft.Compute/images/*",
+        "Microsoft.Compute/virtualMachines/write",
+        "Microsoft.Compute/disks/write",
+        "Microsoft.Authorization/*/read",
+        "Microsoft.Insights/alertRules/*",
+        "Microsoft.Resources/deployments/*",
+        "Microsoft.Resources/subscriptions/resourceGroups/read"
+      ],
+      "notActions": [
+        "Microsoft.Compute/galleries/share/action"
+      ],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Compute Gallery Artifacts Publisher",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
+## Compute Gallery Sharing Admin
+
+This role allows user to share gallery to another subscription/tenant or share it to the public.
+
+[Learn more](/azure/virtual-machines/create-gallery)
+
+> [!div class="mx-tableFixed"]
+> | Actions | Description |
+> | --- | --- |
+> | [Microsoft.Compute](../permissions/compute.md#microsoftcompute)/galleries/share/action | Shares a Gallery to different scopes |
+> | **NotActions** |  |
+> | *none* |  |
+> | **DataActions** |  |
+> | *none* |  |
+> | **NotDataActions** |  |
+> | *none* |  |
+
+```json
+{
+  "assignableScopes": [
+    "/"
+  ],
+  "description": "This role allows user to share gallery to another subscription/tenant or share it to the public.",
+  "id": "/providers/Microsoft.Authorization/roleDefinitions/1ef6a3be-d0ac-425d-8c01-acb62866290b",
+  "name": "1ef6a3be-d0ac-425d-8c01-acb62866290b",
+  "permissions": [
+    {
+      "actions": [
+        "Microsoft.Compute/galleries/share/action"
+      ],
+      "notActions": [],
+      "dataActions": [],
+      "notDataActions": []
+    }
+  ],
+  "roleName": "Compute Gallery Sharing Admin",
+  "roleType": "BuiltInRole",
+  "type": "Microsoft.Authorization/roleDefinitions"
+}
+```
+
 ## Data Operator for Managed Disks
 
 Provides permissions to upload data to empty managed disks, read, or export data of managed disks (not attached to running VMs) and snapshots using SAS URIs and Azure AD authentication.
