You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/role-based-access-control/built-in-roles.md
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -221,8 +221,12 @@ The following table provides a brief description of each built-in role. Click th
221
221
> | <aname='azure-red-hat-openshift-network-operator'></a>[Azure Red Hat OpenShift Network Operator](./built-in-roles/containers.md#azure-red-hat-openshift-network-operator)| Install and upgrade the networking components on an OpenShift cluster. | be7a6435-15ae-4171-8f30-4a343eff9e8f |
222
222
> | <aname='azure-red-hat-openshift-service-operator'></a>[Azure Red Hat OpenShift Service Operator](./built-in-roles/containers.md#azure-red-hat-openshift-service-operator)| Maintain machine health, network configuration, monitoring, and other features that are specific to an OpenShift cluster's continued functionality as a managed service. | 4436bae4-7702-4c84-919b-c4069ff25ee2 |
223
223
> | <aname='connected-cluster-managed-identity-checkaccess-reader'></a>[Connected Cluster Managed Identity CheckAccess Reader](./built-in-roles/containers.md#connected-cluster-managed-identity-checkaccess-reader)| Built-in role that allows a Connected Cluster managed identity to call the checkAccess API | 65a14201-8f6c-4c28-bec4-12619c5a9aaa |
224
+
> | <aname='container-registry-cache-rule-administrator'></a>[Container Registry Cache Rule Administrator](./built-in-roles/containers.md#container-registry-cache-rule-administrator)| Create, Read, Update, and Delete Cache Rules in Container Registry. This role doesn't grant permissions to manage Credential Sets. | df87f177-bb12-4db1-9793-a413691eff94 |
225
+
> | <aname='container-registry-cache-rule-reader'></a>[Container Registry Cache Rule Reader](./built-in-roles/containers.md#container-registry-cache-rule-reader)| Read the configuration of Cache Rules in Container Registry. This permission doesn't grant permission to read Credential Sets. | c357b964-0002-4b64-a50d-7a28f02edc52 |
224
226
> | <aname='container-registry-configuration-reader-and-data-access-configuration-reader'></a>[Container Registry Configuration Reader and Data Access Configuration Reader](./built-in-roles/containers.md#container-registry-configuration-reader-and-data-access-configuration-reader)| Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. | 69b07be0-09bf-439a-b9a6-e73de851bd59 |
225
227
> | <aname='container-registry-contributor-and-data-access-configuration-administrator'></a>[Container Registry Contributor and Data Access Configuration Administrator](./built-in-roles/containers.md#container-registry-contributor-and-data-access-configuration-administrator)| Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks. | 3bc748fc-213d-45c1-8d91-9da5725539b9 |
228
+
> | <aname='container-registry-credential-set-administrator'></a>[Container Registry Credential Set Administrator](./built-in-roles/containers.md#container-registry-credential-set-administrator)| Create, Read, Update, and Delete Credential Sets in Container Registry. This role doesn't affect the needed permissions for storing content inside Azure Key Vault. This role also doesn't grant permissions to manage Cache Rules. | f094fb07-0703-4400-ad6a-e16dd8000e14 |
229
+
> | <aname='container-registry-credential-set-reader'></a>[Container Registry Credential Set Reader](./built-in-roles/containers.md#container-registry-credential-set-reader)| Read the configuration of Credential Sets in Container Registry. This permission doesn't allow permission to see content inside Azure Key vault only the content inside Container Registry. This permission doesn't grant permission to read Cache Rules. | 29093635-9924-4f2c-913b-650a12949526 |
226
230
> | <aname='container-registry-data-importer-and-data-reader'></a>[Container Registry Data Importer and Data Reader](./built-in-roles/containers.md#container-registry-data-importer-and-data-reader)| Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules. | 577a9874-89fd-4f24-9dbd-b5034d0ad23a |
227
231
> | <aname='container-registry-repository-catalog-lister'></a>[Container Registry Repository Catalog Lister](./built-in-roles/containers.md#container-registry-repository-catalog-lister)| Allows for listing all repositories in an Azure Container Registry. This role is in preview and subject to change. | bfdb9389-c9a5-478a-bb2f-ba9ca092c3c7 |
228
232
> | <aname='container-registry-repository-contributor'></a>[Container Registry Repository Contributor](./built-in-roles/containers.md#container-registry-repository-contributor)| Allows for read, write, and delete access to Azure Container Registry repositories, but excluding catalog listing. This role is in preview and subject to change. | 2efddaa5-3f1f-4df3-97df-af3f13818f4c |
@@ -2756,10 +2756,96 @@ Built-in role that allows a Connected Cluster managed identity to call the check
2756
2756
}
2757
2757
```
2758
2758
2759
+
## Container Registry Cache Rule Administrator
2760
+
2761
+
Create, Read, Update, and Delete Cache Rules in Container Registry. This role doesn't grant permissions to manage Credential Sets.
2762
+
2763
+
> [!div class="mx-tableFixed"]
2764
+
> | Actions | Description |
2765
+
> | --- | --- |
2766
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/cacheRules/read | Gets the properties of the specified cache rule or lists all the cache rules for the specified container registry |
2767
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/cacheRules/write | Creates or updates a cache rule for a container registry with the specified parameters |
2768
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/cacheRules/delete | Deletes a cache rule from a container registry |
2769
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/cacheRules/operationStatuses/read | Gets a cache rule async operation status |
2770
+
> |**NotActions**||
2771
+
> |*none*||
2772
+
> |**DataActions**||
2773
+
> |*none*||
2774
+
> |**NotDataActions**||
2775
+
> |*none*||
2776
+
2777
+
```json
2778
+
{
2779
+
"assignableScopes": [
2780
+
"/"
2781
+
],
2782
+
"description": "Create, Read, Update, and Delete Cache Rules in Container Registry. This role doesn't grant permissions to manage Credential Sets.",
Read the configuration of Cache Rules in Container Registry. This permission doesn't grant permission to read Credential Sets.
2807
+
2808
+
> [!div class="mx-tableFixed"]
2809
+
> | Actions | Description |
2810
+
> | --- | --- |
2811
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/cacheRules/read | Gets the properties of the specified cache rule or lists all the cache rules for the specified container registry |
2812
+
> |**NotActions**||
2813
+
> |*none*||
2814
+
> |**DataActions**||
2815
+
> |*none*||
2816
+
> |**NotDataActions**||
2817
+
> |*none*||
2818
+
2819
+
```json
2820
+
{
2821
+
"assignableScopes": [
2822
+
"/"
2823
+
],
2824
+
"description": "Read the configuration of Cache Rules in Container Registry. This permission doesn't grant permission to read Credential Sets.",
## Container Registry Configuration Reader and Data Access Configuration Reader
2760
2844
2761
2845
Provides permissions to list container registries and registry configuration properties. Provides permissions to list data access configuration such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.
@@ -2851,6 +2937,8 @@ Provides permissions to list container registries and registry configuration pro
2851
2937
2852
2938
Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.
@@ -2994,10 +3082,96 @@ Provides permissions to create, list, and update container registries and regist
2994
3082
}
2995
3083
```
2996
3084
3085
+
## Container Registry Credential Set Administrator
3086
+
3087
+
Create, Read, Update, and Delete Credential Sets in Container Registry. This role doesn't affect the needed permissions for storing content inside Azure Key Vault. This role also doesn't grant permissions to manage Cache Rules.
3088
+
3089
+
> [!div class="mx-tableFixed"]
3090
+
> | Actions | Description |
3091
+
> | --- | --- |
3092
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/credentialSets/read | Gets the properties of the specified credential set or lists all the credential sets for the specified container registry |
3093
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/credentialSets/write | Creates or updates a credential set for a container registry with the specified parameters |
3094
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/credentialSets/delete | Deletes a credential set from a container registry |
3095
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/credentialSets/operationStatuses/read | Gets a credential set async operation status |
3096
+
> |**NotActions**||
3097
+
> |*none*||
3098
+
> |**DataActions**||
3099
+
> |*none*||
3100
+
> |**NotDataActions**||
3101
+
> |*none*||
3102
+
3103
+
```json
3104
+
{
3105
+
"assignableScopes": [
3106
+
"/"
3107
+
],
3108
+
"description": "Create, Read, Update, and Delete Credential Sets in Container Registry. This role doesn't affect the needed permissions for storing content inside Azure Key Vault. This role also doesn't grant permissions to manage Cache Rules.",
"roleName": "Container Registry Credential Set Administrator",
3125
+
"roleType": "BuiltInRole",
3126
+
"type": "Microsoft.Authorization/roleDefinitions"
3127
+
}
3128
+
```
3129
+
3130
+
## Container Registry Credential Set Reader
3131
+
3132
+
Read the configuration of Credential Sets in Container Registry. This permission doesn't allow permission to see content inside Azure Key vault only the content inside Container Registry. This permission doesn't grant permission to read Cache Rules.
3133
+
3134
+
> [!div class="mx-tableFixed"]
3135
+
> | Actions | Description |
3136
+
> | --- | --- |
3137
+
> |[Microsoft.ContainerRegistry](../permissions/containers.md#microsoftcontainerregistry)/registries/credentialSets/read | Gets the properties of the specified credential set or lists all the credential sets for the specified container registry |
3138
+
> |**NotActions**||
3139
+
> |*none*||
3140
+
> |**DataActions**||
3141
+
> |*none*||
3142
+
> |**NotDataActions**||
3143
+
> |*none*||
3144
+
3145
+
```json
3146
+
{
3147
+
"assignableScopes": [
3148
+
"/"
3149
+
],
3150
+
"description": "Read the configuration of Credential Sets in Container Registry. This permission doesn't allow permission to see content inside Azure Key vault only the content inside Container Registry. This permission doesn't grant permission to read Cache Rules.",
"roleName": "Container Registry Credential Set Reader",
3164
+
"roleType": "BuiltInRole",
3165
+
"type": "Microsoft.Authorization/roleDefinitions"
3166
+
}
3167
+
```
3168
+
2997
3169
## Container Registry Data Importer and Data Reader
2998
3170
2999
3171
Provides the ability to import images into a registry through the registry import operation. Provides the ability to list repositories, view images and tags, get manifests, and pull images. Does not provide permissions for importing images through configuring registry transfer pipelines such as import and export pipelines. Does not provide permissions for importing through configuring Artifact Cache or Sync rules.
@@ -3215,6 +3389,8 @@ Allows for read and write access to Azure Container Registry repositories, but e
3215
3389
3216
3390
Provides permissions to configure, read, list, trigger, or cancel Container Registry Tasks, Task Runs, Task Logs, Quick Runs, Quick Builds, and Task Agent Pools. Permissions granted for Tasks management can be used for full registry data plane permissions including reading/writing/deleting container images in registries. Permissions granted for Tasks management can also be used to run customer authored build directives and run scripts to build software artifacts.
@@ -3300,6 +3476,8 @@ Provides permissions to configure, read, list, trigger, or cancel Container Regi
3300
3476
3301
3477
Provides the ability to transfer, import, and export artifacts through configuring registry transfer pipelines that involve intermediary storage accounts and key vaults. Does not provide permissions to push or pull images. Does not provide permissions to create, manage, or list storage accounts or key vaults. Does not provide permissions to perform role assignments.
![learn-build-service-prod[bot]](https://avatars.githubusercontent.com/in/237442?v=4&size=40){kind=avatar}
0 commit comments