The following shows an example of the properties in a role definition when displayed using the [Azure portal](role-definitions-list.md#azure-portal), [Azure CLI](role-definitions-list.md#azure-cli), or the [REST API](role-definitions-list.md#rest-api):
36
38
37
39
```
38
40
roleName
39
41
name
42
+
id
43
+
roleType
40
44
type
41
45
description
46
+
assignableScopes []
42
47
actions []
43
48
notActions []
44
49
dataActions []
45
50
notDataActions []
46
-
assignableScopes []
51
+
condition
52
+
conditionVersion
53
+
createdOn
54
+
updatedOn
55
+
createdBy
56
+
updatedBy
47
57
```
48
58
49
59
The following table describes what the role properties mean.
50
60
51
61
| Property | Description |
52
62
| --- | --- |
53
-
|`Name`</br>`roleName`| The display name of the role. |
54
-
|`Id`</br>`name`| The unique ID of the role. Built-in roles have the same role ID across clouds. |
63
+
|`Name`</br>`roleName`| Display name of the role. |
64
+
|`Id`</br>`name`| Unique ID of the role. Built-in roles have the same role ID across clouds. |
65
+
|`id`| Fully-qualified unique ID of the role. |
55
66
|`IsCustom`</br>`roleType`| Indicates whether this is a custom role. Set to `true` or `CustomRole` for custom roles. Set to `false` or `BuiltInRole` for built-in roles. |
56
-
|`Description`</br>`description`| The description of the role. |
57
-
|`Actions`</br>`actions`| An array of strings that specifies the control plane actions that the role allows to be performed. |
58
-
|`NotActions`</br>`notActions`| An array of strings that specifies the control plane actions that are excluded from the allowed `Actions`. |
59
-
|`DataActions`</br>`dataActions`| An array of strings that specifies the data plane actions that the role allows to be performed to your data within that object. |
60
-
|`NotDataActions`</br>`notDataActions`| An array of strings that specifies the data plane actions that are excluded from the allowed `DataActions`. |
61
-
|`AssignableScopes`</br>`assignableScopes`| An array of strings that specifies the scopes that the role is available for assignment. |
67
+
|`type`| Type of object. Set to `Microsoft.Authorization/roleDefinitions`. |
68
+
|`Description`</br>`description`| Description of the role. |
69
+
|`Actions`</br>`actions`| Array of strings that specifies the control plane actions that the role allows to be performed. |
70
+
|`NotActions`</br>`notActions`| Array of strings that specifies the control plane actions that are excluded from the allowed `Actions`. |
71
+
|`DataActions`</br>`dataActions`| Array of strings that specifies the data plane actions that the role allows to be performed to your data within that object. |
72
+
|`NotDataActions`</br>`notDataActions`| Array of strings that specifies the data plane actions that are excluded from the allowed `DataActions`. |
73
+
|`AssignableScopes`</br>`assignableScopes`| Array of strings that specifies the scopes that the role is available for assignment. |
74
+
|`Condition`<br/>`condition`| For built-in roles, condition statement based on one or more actions in role definition. |
75
+
|`ConditionVersion`<br/>`conditionVersion`| Condition version number. Defaults to 2.0 and is the only supported version. |
76
+
|`createdOn`| Date and time role was created. |
77
+
|`updatedOn`| Date and time role was last updated. |
78
+
|`createdBy`| For custom roles, principal that created role. |
79
+
|`updatedBy`| For custom roles, principal that updated role. |
62
80
63
81
### Actions format
64
82
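Review bot: the property listing and the table that follows it now disagree on where `assignableScopes` sits: the listing moves `assignableScopes []` up to directly follow `description` (the `-`/`+` pair around `notDataActions`), while the table row `AssignableScopes`/`assignableScopes` is left after `NotDataActions`; pick one order and apply it to both so a reader cross-referencing the two is not confused. Two smaller points in the same table: the `Condition` row ("For built-in roles, condition statement based on one or more actions in role definition") is hard to parse, and would read better as "For built-in roles, a condition expressed over one or more of the actions in the role definition"; and since `NotActions`/`NotDataActions` are described only as "excluded from the allowed `Actions`", it is worth one clause saying that they subtract from this role's own `Actions` and are not a deny rule, because that misreading is common.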
@@ -87,7 +105,7 @@ Contributor role as displayed in [Azure PowerShell](role-definitions-list.md#azu
87
105
"Name": "Contributor",
88
106
"Id": "b24988ac-6180-42a0-ab88-20f7382dd24c",
89
107
"IsCustom": false,
90
-
"Description": "Lets you manage everything except access to resources.",
108
+
"Description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
91
109
"Actions": [
92
110
"*"
93
111
],
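Review bot: the new `Description` string promises three exclusions (assigning roles, managing Blueprints assignments, sharing image galleries), but this hunk changes only the description while the unchanged context still shows `"Actions": [ "*" ]`; the `NotActions` array that actually backs those exclusions is outside the hunk, so confirm it lists the corresponding actions in this same commit, otherwise the sample reads as granting everything while the description claims otherwise. The identical string also appears as the `description` field in the CLI sample later in this diff; keep the two copies byte-for-byte equal, since both are meant to mirror the live built-in role.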
@@ -96,46 +114,62 @@ Contributor role as displayed in [Azure PowerShell](role-definitions-list.md#azu
"description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, or share image galleries.",
Only data plane actions can be added to the `DataActions` and `NotDataActions` properties. Resource providers identify which actions are data actions, by setting the `isDataAction` property to `true`. To see a list of the actions where `isDataAction` is `true`, see [Resource provider operations](resource-provider-operations.md). Roles that do not have data actions are not required to have `DataActions` and `NotDataActions` properties within the role definition.
Since Alice has a wildcard (`*`) action at a subscription scope, their permissions inherit down to enable them to perform all control plane actions. Alice can read, write, and delete containers. However, Alice cannot perform data plane actions without taking additional steps. For example, by default, Alice cannot read the blobs inside a container. To read the blobs, Alice would have to retrieve the storage access keys and use them to access the blobs.
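Review bot: the closing sentence of the Alice paragraph ("Alice would have to retrieve the storage access keys and use them to access the blobs") describes a control-plane to data-plane escalation path without flagging it as one: with `*` at subscription scope the key-retrieval action is already covered, so an empty `DataActions` does not mean the principal cannot reach the data, and the doc should say so explicitly (and, ideally, that the chain is only broken when key-based access is disabled on the account) rather than presenting key retrieval as a neutral "additional step". A minor wording point in the preceding paragraph: drop the comma in "identify which actions are data actions, by setting", which splits the verb from its complement.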