Commit d9175e6

Merge pull request #278283 from pauljewellmsft/rbac-built-in-roles
Clarify built-in roles for data access
2 parents c182006 + f9a3301 commit d9175e6

1 file changed

+2
-2
lines changed

articles/storage/common/authorization-resource-provider.md

Lines changed: 2 additions & 2 deletions
@@ -6,7 +6,7 @@ author: pauljewellmsft
66
ms.author: pauljewell
77
ms.service: azure-storage
88
ms.topic: conceptual
9-
ms.date: 12/12/2019
9+
ms.date: 06/14/2024
1010
ms.reviewer: ozgun
1111
ms.subservice: storage-common-concepts
1212
ms.custom: devx-track-arm-template
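
Review bot: the ms.date bump from 12/12/2019 to 06/14/2024 marks the whole article as freshly reviewed, but the only content change in this commit is one added sentence in the paragraph below the role table. Before stamping the new date, confirm that the rest of the article, in particular the "supports listkeys" column of the built-in roles table, was re-checked, since readers rely on that column to decide which management roles implicitly expose account keys.
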
@@ -49,7 +49,7 @@ Built-in roles that grant permissions to call storage management operations incl
4949
| **User Access Administrator** | Can manage access to the storage account. | Yes, permits a security principal to assign any permissions to themselves and others. |
5050
| **Virtual Machine Contributor** | Can manage virtual machines, but not the storage account to which they are connected. | Yes, provides permissions to view and regenerate the storage account keys. |
5151

52-
The third column in the table indicates whether the built-in role supports the **Microsoft.Storage/storageAccounts/listkeys/action**. This action grants permissions to read and regenerate the storage account keys. Permissions to access Azure Storage management resources do not also include permissions to access data. However, if a user has access to the account keys, then they can use the account keys to access Azure Storage data via Shared Key authorization.
52+
The third column in the table indicates whether the built-in role supports the **Microsoft.Storage/storageAccounts/listkeys/action**. This action grants permissions to read and regenerate the storage account keys. Permissions to access Azure Storage management resources do not also include permissions to access data. Azure RBAC provides separate [built-in roles](../blobs/authorize-access-azure-active-directory.md#azure-built-in-roles-for-blobs) for authorizing data access. However, if a user has access to the account keys, then they can use the account keys to access Azure Storage data via Shared Key authorization.
5353

5454
### Custom roles for management operations
5555
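
Review bot: in the changed paragraph (new line 52), the added sentence sits between "Permissions to access Azure Storage management resources do not also include permissions to access data." and "However, if a user has access to the account keys, ...", so "However" now reads as contrasting with the data-access roles instead of with the statement that management permissions do not grant data access. Consider moving the new sentence to the end of the paragraph, or rewording the Shared Key sentence so the caveat still attaches to management roles that include listkeys. Separately, the link text says "built-in roles" for data access in general, but the target is ../blobs/authorize-access-azure-active-directory.md#azure-built-in-roles-for-blobs, which covers blobs only; since this article lives under storage/common, either say "built-in roles for blobs" in the link text or link to a page that covers the other storage services as well.
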
