Commit cc2ae6b

feedback
1 parent a24e7ff commit cc2ae6b

1 file changed

+9
-4
lines changed

articles/ai-studio/concepts/rbac-ai-studio.md

Lines changed: 9 additions & 4 deletions
Original file line number | Diff line number | Diff line change
@@ -23,8 +23,11 @@ In this article, you learn how to manage access (authorization) to an Azure AI h
2323
> Applying some roles might limit UI functionality in Azure AI Studio for other users. For example, if a user's role does not have the ability to create a compute instance, the option to create a compute instance will not be available in studio. This behavior is expected, and prevents the user from attempting operations that would return an access denied error.
2424
2525
## Azure AI hub resource vs Azure AI project
26+
2627
In the Azure AI Studio, there are two levels of access: the Azure AI hub resource and the Azure AI project. The resource is home to the infrastructure (including virtual network setup, customer-managed keys, managed identities, and policies) as well as where you configure your Azure AI services. Azure AI hub resource access can allow you to modify the infrastructure, create new Azure AI hub resources, and create projects. Azure AI projects are a subset of the Azure AI hub resource that act as workspaces that allow you to build and deploy AI systems. Within a project you can develop flows, deploy models, and manage project assets. Project access lets you develop AI end-to-end while taking advantage of the infrastructure setup on the Azure AI hub resource.
2728

29+
:::image type="content" source="../media/concepts/azureai-hub-project-relationship.png" alt-text="Diagram of the relationship between AI Studio resources." lightbox="../media/concepts/azureai-hub-project-relationship.png":::
30+
2831
## Default roles for the Azure AI hub resource
2932

3033
The Azure AI Studio has built-in roles that are available by default. In addition to the Reader, Contributor, and Owner roles, the Azure AI Studio has a new role called Azure AI Developer. This role can be assigned to enable users to create connections, compute, and projects, but not let them create new Azure AI hub resources or change permissions of the existing Azure AI hub resource.
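
Review bot: The alt-text on the added `:::image` line (new line 29), "Diagram of the relationship between AI Studio resources.", does not say what the relationship is, so a screen-reader user learns nothing beyond the section heading. The preceding paragraph already defines projects as a subset of the Azure AI hub resource, so suggest alt-text that states this, for example "Diagram showing Azure AI projects as workspaces within an Azure AI hub resource." The blank lines added at 26 and 30 are fine.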
@@ -91,18 +94,20 @@ Here's a table of the built-in roles and their permissions for the Azure AI proj
9194
| Azure AI Developer | User can perform most actions, including create deployments, but can't assign permissions to project users. |
9295
| Reader | Read only access to the Azure AI project. |
9396

94-
When a user gets access to a project, two more roles are automatically assigned to the project user. The first role is Reader on the Azure AI hub resource. The second role is the Inference Deployment Operator role, which allows the user to create deployments on the resource group that the project is in. This role is composed of these two permissions: ```"Microsoft.Authorization/*/read"``` and ```"Microsoft.Resources/deployments/*"```.
97+
When a user is granted access to a project (for example, through the AI Studio permission management), two more roles are automatically assigned to the user. The first role is Reader on the Azure AI hub resource. The second role is the Inference Deployment Operator role, which allows the user to create deployments on the resource group that the project is in. This role is composed of these two permissions: ```"Microsoft.Authorization/*/read"``` and ```"Microsoft.Resources/deployments/*"```.
9598

9699
In order to complete end-to-end AI development and deployment, users only need these two autoassigned roles and either the Contributor or Azure AI Developer role on a *project*.
97100

98-
## Dependency service permissions
101+
The minimum permissions needed to create an AI project resource is a role that has the allowed action of `Microsoft.MachineLearningServices/workspaces/hubs/join` on the AI hub resource. The Azure AI Developer built-in role has this permission.
102+
103+
## Dependency service RBAC permissions
99104

100-
Azure AI hub and project resources have dependencies on other Azure services. The following table lists the permissions required for these services when you create an Azure AI hub resource or project:
105+
The Azure AI hub resource has dependencies on other Azure services. The following table lists the *minimum* permissions required for these services when you create an Azure AI hub resource. They aren't needed by the user that creates an AI project from the AI hub:
101106

102107
| Permission | Description |
103108
|------------|-------------|
104109
| `Microsoft.Storage/storageAccounts/write` | Creates a storage account with the specified parameters or update the properties or tags or adds custom domain for the specified storage account. |
105-
| `Microsoft.KeyVault/vaults/write` | Creates a new key vault or updates the properties of an existing key vault. Certain properties may require more permissions. |
110+
| `Microsoft.KeyVault/vaults/write` | Creates a new key vault or updates the properties of an existing key vault. Certain properties might require more permissions. |
106111
| `Microsoft.CognitiveServices/accounts/write` | Writes API Accounts. |
107112
| `Microsoft.Insights/Components/Write` | Writing to an application insights component configuration. |
108113
| `Microsoft.OperationalInsights/workspaces/write` | Creates a new workspace or links to an existing workspace by providing the customer ID from the existing workspace. |
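
Review bot: The sentence added at new line 101, "The minimum permissions needed to create an AI project resource is a role that has the allowed action of ...", pairs a plural subject with a singular verb and describes a permission as a role; suggest "The minimum permission needed to create an AI project resource is the `Microsoft.MachineLearningServices/workspaces/hubs/join` action on the AI hub resource." In the rewritten paragraph at line 97, "for example, through the AI Studio permission management" leaves open whether the Reader and Inference Deployment Operator roles are also auto-assigned when project access is granted another way; because the second role carries `Microsoft.Resources/deployments/*` on the project's resource group, the text should say which grant paths trigger the assignment. At line 105, "They aren't needed" would read more clearly as "These permissions aren't needed".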
