Adding new built-in rbac

Author: SoniaLopezBravo

articles/iot-operations/deploy-iot-ops/overview-deploy.md

@@ -72,11 +72,14 @@ The following table describes Azure IoT Operations deployment and management tas
 
 | Task | Required permission | Comments |
 | ---- | ------------------- | -------- |
-| Deploy Azure IoT Operations | **Contributor** role at the resource group level. |  |
-| Register resource providers | Microsoft.ExtendedLocation/register/action Microsoft.SecretSyncController/register/action Microsoft.Kubernetes/register/action Microsoft.KubernetesConfiguration/register/action Microsoft.IoTOperations/register/action Microsoft.DeviceRegistry/register/action| Only required to do once per subscription. |
-| Create a schema registry. | **Microsoft.Authorization/roleAssignments/write** permissions at the resource group level. |  |
-| Create secrets in Key Vault | **Key Vault Secrets Officer** role at the resource level. | Only required for secure settings deployment. |
-| Enable resource sync rules on an Azure IoT Operations instance | **Microsoft.Authorization/roleAssignments/write** permissions at the resource group level. | Resource sync rules are disabled by default, but can be enabled as part of the [az iot ops rsync](/cli/azure/iot/ops#az-iot-ops-rsync) command. |
+| Deploy Azure IoT Operations | [Azure IoT Operations Onboarding role](../secure-iot-ops/overview-built-in-rbac.md#azure-iot-operations-onboarding-role) | This role has all required permissions to read and write Azure IoT operations and Azure Device Registry resources. This role has `Microsoft.Authorization/roleAssignments/write` permissions.|
+| Register resource providers | [Contributor role](azure/role-based-access-control/built-in-roles/privileged#contributor) at subscription level| Only required to do once per subscription. You need to register the following resource providers: `Microsoft.ExtendedLocation`, `Microsoft.SecretSyncController`, `Microsoft.Kubernetes`, `Microsoft.KubernetesConfiguration`, `Microsoft.IoTOperations`, and `Microsoft.DeviceRegistry`. |
+| Create secrets in Key Vault | [Key Vault Secrets Officer role](azure/role-based-access-control/built-in-roles/security#key-vault-secrets-officer) at the resource level | Only required for secure settings deployment. |
+| Create and manage storage accounts | Storage Account Contributor role | Required for Azure IoT Operations deployment. |
+| Create a resource group | Resource Group Contributor role | Required to create a resource group for storing Azure IoT Operations resources. |
+| Onboard a cluster to Azure Arc | Kubernetes Cluster Azure Arc Onboarding role | Arc-enabled clusters are required to deploy Azure IoT Operations. |
+| Manage deployment of Azure resource bridge| Azure Resource Bridge Deployment role | Required to deploy Azure IoT Operations. |
+| Provide permissions to deployment| Azure Arc Enabled Kubernetes Cluster User role | Required to grant permission of deployment to the Azure Arc-enabled Kubernetes cluster. |
 
 > [!TIP]
 > You must enable resource sync rules on the Azure IoT Operations instance to use the automatic asset discovery capabilities of the Akri services. To learn more, see [What is OPC UA asset discovery (preview)?](../discover-manage-assets/overview-akri.md).

articles/iot-operations/reference/custom-rbac.md

@@ -1,5 +1,5 @@
 ---
-title: Custom RBAC for your resources
+title: Custom RBAC for Your Resources
 description: Use the Azure portal to secure access to Azure IoT Operations resources such as data flows and assets by using Azure role-based access control.
 author: dominicbetts
 ms.author: dobett
@@ -11,24 +11,32 @@ ms.date: 04/16/2025
 
 # Custom RBAC for your Azure IoT Operations resources
 
-To define custom roles that grant specific permissions to users, you can use Azure RBAC. For example, you can define an **Onboarding** role that grants sufficient permissions to a user to complete the Azure Arc connect process and deploy Azure IoT Operations securely.
-
-This article includes a list of example that you can download and use in your environment. These custom roles are JSON files that list the specific permissions and scope for the role.
+To define custom roles that grant specific permissions to users, you can use Azure RBAC. This article includes a list of example that you can download and use in your environment. These custom roles are JSON files that list the specific permissions and scope for the role.
 
 To learn more about custom roles in Azure RBAC, see [Azure custom roles](/azure/role-based-access-control/custom-roles).
 
-## Example custom roles
+Azure IoT operations also offers built-in roles designed to simplify and secure access management for Azure IoT Operations resources. For more information, see [Built-in RBAC roles for IoT Operations](../secure-iot-ops/built-in-rbac.md).
+
+## Examples of custom roles
+
+The following sections list the example Azure IoT Operations custom roles you can download and use.
+
+> [!NOTE]
+> The following custom roles are examples only. You need to review and modify the permissions in the JSON files to suit your specific requirements.
 
-The following sections list the example Azure IoT Operations custom roles you can download and use:
 
 ### Onboarding roles
 
+You can define an *Onboarding* role that grants sufficient permissions to a user to complete the Azure Arc connect process and deploy Azure IoT Operations securely.
+
 | Custom role | Description |
 | ----------- | ----------- |
 | [Onboarding](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Onboarding.json) | This is privileged role. The user can complete Azure Arc connect process and deploy Azure IoT Operations securely. |
 
 ### Viewer roles
 
+You can define different *Viewer* roles that grant read-only access to the Azure IoT Operations instance and its resources. These roles are useful for users who need to monitor the instance without making changes.
+
 | Custom role | Description |
 | ----------- | ----------- |
 | [Instance viewer](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Instance%20Viewer.json) | This role allows the user to view the Azure IoT Operations instance. |
@@ -41,6 +49,8 @@ The following sections list the example Azure IoT Operations custom roles you ca
 
 ### Administrator roles
 
+You can define different *Administrator* roles that grant full access to the Azure IoT Operations instance and its resources. These roles are useful for users who need to manage the instance and its resources.
+
 | Custom role | Description |
 | ----------- | ----------- |
 | [Instance administrator](https://github.com/Azure-Samples/explore-iot-operations/blob/main/samples/custom-rbac/Instance%20Administrator.json) | This is privileged role. The user can deploy an instance. The role includes permissions to create and update instances, brokers, authentications, listeners, dataflow profiles, dataflow endpoints, schema registries, and user assigned identities. The role also includes permission to delete instances. |

articles/iot-operations/secure-iot-ops/built-in-rbac.md

@@ -0,0 +1,47 @@
+---
+title: Built-in RBAC Roles for IoT Operations
+description: Learn about the built-in RBAC roles for Azure IoT Operations and how to use them to control access to resources.
+author: SoniaLopezBravo
+ms.author: sonialopez
+ms.topic: reference
+ms.date: 07/29/2025
+
+#CustomerIntent: As an IT administrator, I want to configure Azure RBAC built-in roles on resources in my Azure IoT Operations instance to control access to them.
+---
+
+# Built-in RBAC roles for IoT Operations
+
+Azure IoT Operations (AIO) offers two built-in roles designed to simplify and secure access management for AIO resources: Azure IoT Operations Administrator and Azure IoT Operations Onboarding. If your scenario requires more granular access, you can [create a custom RBAC role](../reference/custom-rbac.md).
+
+> [!IMPORTANT]
+> The built-in roles for AIO streamline access management for AIO resources, but don't automatically grant permissions for all required Azure dependencies. AIO relies on several Azure services, such as Azure Key Vault, Azure Storage, Azure Arc, and others. Always review and assign the necessary additional roles to ensure users have end-to-end access for successful AIO deployment and operation.
+
+## Azure IoT Operations Administrator role
+
+The Azure IoT Operations Administrator role provides comprehensive permissions to manage and operate all Azure IoT Operations components. Assign this role to users who need full access to use AIO resources. To support deployment and ongoing management of AIO, users require additional permissions. If a user only needs to use AIO, you can assign the Administrator role alone.
+
+When assigning this built-in role, you need to ensure that users have the following permissions:
+
+- Azure Edge Hardware Center Administrator: This role grants access to manage and take action as an edge order administrator. It is used for ordering and managing Azure Stack Edge devices. 
+- Azure Arc Enabled Kubernetes Cluster User Role: This role is used to manage Azure Arc-enabled Kubernetes clusters by providing permission to write deployments, manage subscriptions, and handle connected clusters and extensions. 
+- Key Vault Administrator: This role allows the user to manage all aspects of Azure Key Vaults, including creating, maintaining, viewing, and deleting keys, certificates, and secrets. 
+- Kubernetes Extension Contributor: This role allows users to manage Kubernetes extensions, including creating, updating, and deleting extensions. 
+- Managed Identity Contributor: This role allows the user to manage managed identities, including creating, updating, and deleting user-assigned managed identities.
+- Monitoring Contributor: This role allows the user to read all monitoring data and update monitoring settings.
+- Resource Group Contributor: This role grants permissions to manage resources within a resource group, including creating, updating, and deleting resources.
+- Secrets Store Extension Owner: This role allows the user to manage the Secrets Store extension, which synchronizes secrets from Azure Key Vault to Kubernetes clusters.
+- Storage Account Contributor: This role allows the user to manage storage accounts, including creating, updating, and deleting storage accounts, as well as managing access keys and other settings.
+
+## Azure IoT Operations Onboarding role
+
+AIO Onboarding is a specialized role that provides the necessary permissions to deploy Azure IoT Operations components.
+
+When assigning this built-in role, you need to ensure that users have the following permissions:
+
+- Azure Resource Bridge Deployment Role: This role is used to manage the deployment of the Azure Resource Bridge. It includes permissions to read, write, and delete various resources related to the Resource Bridge, such as appliances, locations, and telemetry configurations. 
+- Kubernetes Cluster – Azure Arc Onboarding: This role is used for onboarding Kubernetes clusters to Azure Arc.
+- Storage Account Contributor: This role allows the user to manage storage accounts, including creating, updating, and deleting storage accounts, as well as managing access keys and other settings.
+- Resource Group Contributor Role: This role grants permissions to manage resources within a resource group, including creating, updating, and deleting resources.
+- Azure Arc Enabled Kubernetes Cluster User Role: This role is used to manage Azure Arc-enabled Kubernetes clusters by providing permission to write deployments, manage subscriptions, and handle connected clusters and extensions.
+
+

articles/iot-operations/deploy-iot-ops/howto-enable-secure-settings.md renamed to articles/iot-operations/secure-iot-ops/howto-enable-secure-settings.md

@@ -1,5 +1,5 @@
 ---
-title: Enable secure settings
+title: Enable Secure Settings to a Test Instance 
 description: Enable secure settings in your Azure IoT Operations instance for developing a production-ready scenario.
 author: asergaz
 ms.author: sergaz

articles/iot-operations/secure-iot-ops/howto-manage-certificates.md

@@ -1,5 +1,5 @@
 ---
-title: Manage certificates
+title: Manage Certificates
 description: Azure IoT Operations uses TLS to encrypt communication. Learn how to manage certificates for internal and external communications, and how to bring your own certificate authority (CA) issuer for a production deployment.
 author: asergaz
 ms.author: sergaz

articles/iot-operations/toc.yml

@@ -37,9 +37,6 @@ items:
       - name: Upgrade
         href: deploy-iot-ops/howto-upgrade.md
         displayName: Kubernetes, version
-      - name: Enable secure settings
-        href: deploy-iot-ops/howto-enable-secure-settings.md
-        displayName: Kubernetes, cluster, secrets, management, user-assigned, managed identity
       - name: Production deployment guidelines
         href: deploy-iot-ops/concept-production-guidelines.md
         displayName: Kubernetes, cluster, security, networking, observability, schema registry
@@ -48,6 +45,9 @@ items:
         displayName: Kubernetes, cluster, single, multiple, node, multi, performance
     - name: Secure your deployment
       items:
+      - name: Built-in RBAC
+        href: secure-iot-ops/built-in-rbac.md
+        displayName: Azure RBAC, custom roles, resources, access control, permissions
       - name: Manage certificates
         href: secure-iot-ops/howto-manage-certificates.md
         displayName: TLS, X.509, certificate, root CA, self-signed, trusted CA, CA, issuer, cert-manager, trust-manager
@@ -60,6 +60,9 @@ items:
       - name: Secure your solution
         href: ../iot/iot-overview-security.md
         displayName: security, best practice, guidelines, defender
+      - name: Enable secure settings
+        href: secure-iot-ops/howto-enable-secure-settings.md
+        displayName: Kubernetes, cluster, secrets, management, user-assigned, managed identity
     - name: Discover and manage assets and devices
       items:
       - name: Asset and device management overview