You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/batch/batch-aad-auth.md
+49-1Lines changed: 49 additions & 1 deletion
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -13,7 +13,7 @@ ms.service: batch
13
13
ms.topic: article
14
14
ms.tgt_pltfrm:
15
15
ms.workload: big-compute
16
-
ms.date: 08/15/2019
16
+
ms.date: 01/13/2020
17
17
ms.author: lahugh
18
18
---
19
19
@@ -140,6 +140,54 @@ Your application should now appear in your access control settings with an RBAC
140
140
141
141
142
142
143
+
### Assign a custom job submission role
144
+
145
+
A custom job submission role grants permission for a user to submit jobs and tasks without permission to modify pools. This prevents users from performing operations that affect cost, such as creating pools or modifying nodes.
146
+
147
+
This is done by adding RBAC operations, to which roles can be granted permissions. The new operations are:
148
+
149
+
- Pools (read, create/update, delete), including node management
150
+
- Jobs (read, create/update, delete), including task management
151
+
- Job Schedules (read, create/update, delete)
152
+
153
+
Custom job submission roles are for users authenticated by AAD, not the Batch account credentials (shared key). Note that the Batch account credentials give full permission to the Batch account. Also note that jobs using autopool require pool-level permissions.
154
+
155
+
Here's an example of a custom role definition:
156
+
157
+
```json
158
+
{
159
+
"properties":{
160
+
"roleName":"Azure Batch Custom Job Submitter",
161
+
"type":"CustomRole",
162
+
"description":"Allows a user to submit jobs to Azure Batch but not manage pools",
0 commit comments