Commit ee9d2e3

Merge pull request #108586 from rolyon/rolyon-rbac-roles-march-update
[Azure RBAC] Updates to roles and operations for March v2
2 parents ff29f15 + e60c6ad commit ee9d2e3

2 files changed, +174 -104 lines changed

articles/role-based-access-control/built-in-roles.md

Lines changed: 58 additions & 1 deletion
@@ -12,7 +12,7 @@ ms.devlang:
1212
ms.topic: reference
1313
ms.tgt_pltfrm:
1414
ms.workload: identity
15-
ms.date: 03/12/2020
15+
ms.date: 03/22/2020
1616
ms.author: rolyon
1717
ms.reviewer: bagovind
1818

@@ -182,6 +182,7 @@ The following table provides a brief description and the unique ID of each built
182182
> | [Site Recovery Operator](#site-recovery-operator) | Lets you failover and failback but not perform other Site Recovery management operations | 494ae006-db33-4328-bf46-533a6560a3ca |
183183
> | [Site Recovery Reader](#site-recovery-reader) | Lets you view Site Recovery status but not perform other management operations | dbaa88c4-0c30-4179-9fb3-46319faa6149 |
184184
> | [Support Request Contributor](#support-request-contributor) | Lets you create and manage Support requests | cfd33db0-3dd1-45e3-aa9d-cdbdf3b6f24e |
185+
> | [Tag Contributor](#tag-contributor) | Lets you manage tags on entities, without providing access to the entities themselves. | 4a9ae827-6dc8-4573-8ac7-8239d42aa03f |
185186
> | **Other** | | |
186187
> | [BizTalk Contributor](#biztalk-contributor) | Lets you manage BizTalk services, but not access to them. | 5e3c6656-6cfa-4708-81fe-0de47ac73342 |
187188
> | [Scheduler Job Collections Contributor](#scheduler-job-collections-contributor) | Lets you manage Scheduler job collections, but not access to them. | 188a0f2f-5c9e-469b-ae67-2aa5ce574b94 |
@@ -6700,6 +6701,7 @@ Can read, write, delete and re-onboard Azure Connected Machines.
67006701
> | Microsoft.HybridCompute/machines/write | Writes an Azure Arc machines |
67016702
> | Microsoft.HybridCompute/machines/delete | Deletes an Azure Arc machines |
67026703
> | Microsoft.HybridCompute/machines/reconnect/action | Reconnects an Azure Arc machines |
6704+
> | Microsoft.HybridCompute/machines/extensions/write | Installs or Updates an Azure Arc extensions |
67036705
> | Microsoft.HybridCompute/*/read | |
67046706
> | **NotActions** | |
67056707
> | *none* | |
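
Review bot: the added `Microsoft.HybridCompute/machines/extensions/write` row widens this role beyond its description, which the hunk header shows as "Can read, write, delete and re-onboard Azure Connected Machines."; update the description to mention installing and updating extensions so that anyone reviewing assignments of this role sees the new capability. In the lines shown, the write action also arrives with no matching `machines/extensions/delete`, although `machines/delete` exists for the machine itself, so either add the delete action or state that the omission is intentional. The operation text "Installs or Updates an Azure Arc extensions" has an article and number mismatch; "Installs or updates an Azure Arc extension" reads correctly.
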
@@ -6723,6 +6725,7 @@ Can read, write, delete and re-onboard Azure Connected Machines.
67236725
"Microsoft.HybridCompute/machines/write",
67246726
"Microsoft.HybridCompute/machines/delete",
67256727
"Microsoft.HybridCompute/machines/reconnect/action",
6728+
"Microsoft.HybridCompute/machines/extensions/write",
67266729
"Microsoft.HybridCompute/*/read"
67276730
],
67286731
"notActions": [],
@@ -7806,6 +7809,60 @@ Lets you create and manage Support requests
78067809
}
78077810
```
78087811

7812+
### Tag Contributor
7813+
7814+
Lets you manage tags on entities, without providing access to the entities themselves.
7815+
7816+
> [!div class="mx-tableFixed"]
7817+
> | | |
7818+
> | --- | --- |
7819+
> | **Actions** | |
7820+
> | Microsoft.Authorization/*/read | Read roles and role assignments |
7821+
> | Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
7822+
> | Microsoft.Resources/subscriptions/resourceGroups/resources/read | Gets the resources for the resource group. |
7823+
> | Microsoft.Resources/subscriptions/resources/read | Gets resources of a subscription. |
7824+
> | Microsoft.Resources/deployments/* | Create and manage resource group deployments |
7825+
> | Microsoft.Insights/alertRules/* | Create and manage Insights alert rules |
7826+
> | Microsoft.Support/* | Create and manage support tickets |
7827+
> | Microsoft.Resources/tags/* | |
7828+
> | **NotActions** | |
7829+
> | *none* | |
7830+
> | **DataActions** | |
7831+
> | *none* | |
7832+
> | **NotDataActions** | |
7833+
> | *none* | |
7834+
7835+
```json
7836+
{
7837+
"assignableScopes": [
7838+
"/"
7839+
],
7840+
"description": "Lets you manage tags on entities, without providing access to the entities themselves.",
7841+
"id": "/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleDefinitions/4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
7842+
"name": "4a9ae827-6dc8-4573-8ac7-8239d42aa03f",
7843+
"permissions": [
7844+
{
7845+
"actions": [
7846+
"Microsoft.Authorization/*/read",
7847+
"Microsoft.Resources/subscriptions/resourceGroups/read",
7848+
"Microsoft.Resources/subscriptions/resourceGroups/resources/read",
7849+
"Microsoft.Resources/subscriptions/resources/read",
7850+
"Microsoft.Resources/deployments/*",
7851+
"Microsoft.Insights/alertRules/*",
7852+
"Microsoft.Support/*",
7853+
"Microsoft.Resources/tags/*"
7854+
],
7855+
"notActions": [],
7856+
"dataActions": [],
7857+
"notDataActions": []
7858+
}
7859+
],
7860+
"roleName": "Tag Contributor",
7861+
"roleType": "BuiltInRole",
7862+
"type": "Microsoft.Authorization/roleDefinitions"
7863+
}
7864+
```
7865+
78097866
## Other
78107867

78117868
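
Review bot: the description "Lets you manage tags on entities, without providing access to the entities themselves." does not match the `actions` list in this hunk, which also grants `Microsoft.Resources/deployments/*`, `Microsoft.Insights/alertRules/*` and `Microsoft.Support/*`; these wildcards go beyond tag management and the read actions needed to find resources. Either drop them so the role is limited to `Microsoft.Resources/tags/*` plus the read actions, or say in the description that the role can also manage deployments, alert rules and support tickets. The `Microsoft.Resources/tags/*` row in the table has an empty description cell and should get one, as the other action rows have.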
