Role-based access control (RBAC) has several built-in roles for Azure resources that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles for Azure resources.
This article lists the built-in roles for Azure resources, which are always evolving. To get the latest roles, use Get-AzRoleDefinition or az role definition list. If you are looking for administrator roles for Azure Active Directory, see Administrator role permissions in Azure Active Directory.
Built-in role descriptions
The following table provides a brief description of each built-in role. Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role.

| Built-in role | Description |
|---|---|
| Owner | Lets you manage everything, including access to resources. |
| Contributor | Lets you manage everything except granting access to resources. |
| Reader | Lets you view everything, but not make any changes. |
| AcrDelete | acr delete |
| AcrImageSigner | acr image signer |
| AcrPull | acr pull |
| AcrPush | acr push |
| AcrQuarantineReader | acr quarantine data reader |
| AcrQuarantineWriter | acr quarantine data writer |
| API Management Service Contributor | Can manage service and the APIs |
| API Management Service Operator Role | Can manage service but not the APIs |
| API Management Service Reader Role | Read-only access to service and APIs |
| Application Insights Component Contributor | Can manage Application Insights components |
| Application Insights Snapshot Debugger | Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. |
| Automation Job Operator | Create and Manage Jobs using Automation Runbooks. |
| Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs |
| Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. |
| Avere Contributor | Can create and manage an Avere vFXT cluster. |
| Avere Operator | Used by the Avere vFXT cluster to manage the cluster |
| Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. |
| Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. |
| Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. |
| Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. |
| Azure Kubernetes Service Cluster User Role | List cluster user credential action. |
| Azure Maps Data Reader (Preview) | Grants access to read map related data from an Azure maps account. |
| Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. |
| Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. |
| Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. |
| Azure Stack Registration Owner | Lets you manage Azure Stack registrations. |
| Backup Contributor | Lets you manage backup service, but can't create vaults and give access to others |
| Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others |
| Backup Reader | Can view backup services, but can't make changes |
| Billing Reader | Allows read access to billing data |
| BizTalk Contributor | Lets you manage BizTalk services, but not access to them. |
| Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes |
| Blueprint Contributor | Can manage blueprint definitions, but not assign them. |
| Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. |
| CDN Endpoint Contributor | Can manage CDN endpoints, but can’t grant access to other users. |
| CDN Endpoint Reader | Can view CDN endpoints, but can’t make changes. |
| CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can’t grant access to other users. |
| CDN Profile Reader | Can view CDN profiles and their endpoints, but can’t make changes. |
| Classic Network Contributor | Lets you manage classic networks, but not access to them. |
| Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. |
| Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts |
| Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to. |
| Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. |
| Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. |
| Cognitive Services User | Lets you read and list keys of Cognitive Services. |
| Cosmos DB Account Reader Role | Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. |
| Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. |
| CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account |
| Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) |
| Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) |
| Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. |
| Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. |
| Data Factory Contributor | Create and manage data factories, as well as child resources within them. |
| Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. |
| Data Purger | Can purge analytics data |
| DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. |
| DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. |
| DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. |
| EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. |
| EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. |
| HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. |
| HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package |
| Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. |
| Key Vault Contributor | Lets you manage key vaults, but not access to them. |
| Lab Creator | Lets you create, manage, delete your managed labs under your Azure Lab Accounts. |
| Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. |
| Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. |
| Logic App Contributor | Lets you manage logic apps, but not change access to them. |
| Logic App Operator | Lets you read, enable, and disable logic apps, but not edit or update them. |
| Managed Application Operator Role | Lets you read and perform actions on Managed Application resources |
| Managed Applications Reader | Lets you read resources in a managed app and request JIT access. |
| Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity |
| Managed Identity Operator | Read and Assign User Assigned Identity |
| Management Group Contributor | Management Group Contributor Role |
| Management Group Reader | Management Group Reader Role |
| Monitoring Contributor | Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. |
| Monitoring Metrics Publisher | Enables publishing metrics against Azure resources |
| Monitoring Reader | Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. |
| Network Contributor | Lets you manage networks, but not access to them. |
| New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. |
| Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. |
| Redis Cache Contributor | Lets you manage Redis caches, but not access to them. |
| Resource Policy Contributor (Preview) | (Preview) Backfilled users from EA, with rights to create/modify resource policy, create support ticket and read resources/hierarchy. |
| Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. |
| Search Service Contributor | Lets you manage Search services, but not access to them. |
| Security Admin | In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations |
| Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead |
| Security Reader | In Security Center only: Can view recommendations and alerts, view security policies, view security states, but cannot make changes |
| Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment |
| Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations |
| Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations |
| Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them |
| Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them |
| Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account |
| SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. |
| SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can’t give access to others. |
| SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. |
| SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. |
| Storage Account Contributor | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. |
| Storage Account Key Operator Service Role | Permits listing and regenerating storage account access keys. |
| Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
| Storage Blob Data Owner | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
| Storage Blob Data Reader | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
| Storage Blob Delegator | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. |
| Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB |
| Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB |
| Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB |
| Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
| Storage Queue Data Message Processor | Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
| Storage Queue Data Message Sender | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
| Storage Queue Data Reader | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
| Support Request Contributor | Lets you create and manage Support requests |
| Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. |
| User Access Administrator | Lets you manage user access to Azure resources. |
| Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator |
| Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. |
| Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. |
| Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. |
| Website Contributor | Lets you manage websites (not web plans), but not access to them. |
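The table above describes roles in terms of their Actions, NotActions, DataActions and NotDataActions lists. The following added example (not code from Microsoft's documentation) implements the evaluation rule those lists imply, so you can check what a set of assignments actually permits before granting it: `*` is a wildcard, names are case-insensitive, NotActions only subtract from the same role's Actions (they are not deny rules), assignments are additive, and a control-plane `*` never grants data-plane access. The role definitions inside are constructed, abbreviated approximations of Reader, Contributor and Storage Blob Data Reader, not authoritative copies.

```python
import re
from dataclasses import dataclass, field
from typing import List


@dataclass
class RoleDefinition:
    """Subset of an Azure role definition: the four permission lists."""
    name: str
    actions: List[str] = field(default_factory=list)
    not_actions: List[str] = field(default_factory=list)
    data_actions: List[str] = field(default_factory=list)
    not_data_actions: List[str] = field(default_factory=list)


def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters (including '/'), case-insensitive."""
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def role_allows(role: RoleDefinition, operation: str, data_action: bool = False) -> bool:
    """One role's effective permission: Actions minus NotActions (or the DataActions pair).
    NotActions subtract from this role's own grants only; they never deny another assignment."""
    grants = role.data_actions if data_action else role.actions
    excludes = role.not_data_actions if data_action else role.not_actions
    granted = any(matches(p, operation) for p in grants)
    return granted and not any(matches(p, operation) for p in excludes)


def is_permitted(assigned_roles: List[RoleDefinition], operation: str, data_action: bool = False) -> bool:
    """Assignments are additive: the operation is permitted if any assigned role allows it."""
    return any(role_allows(r, operation, data_action) for r in assigned_roles)


# Constructed, abbreviated definitions modeled on roles in the table (not fetched from Azure).
READER = RoleDefinition("Reader", actions=["*/read"])
CONTRIBUTOR = RoleDefinition("Contributor", actions=["*"],
                             not_actions=["Microsoft.Authorization/*/Delete",
                                          "Microsoft.Authorization/*/Write",
                                          "Microsoft.Authorization/elevateAccess/Action"])
BLOB_READER = RoleDefinition("Storage Blob Data Reader",
                             actions=["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                             data_actions=["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"])

if __name__ == "__main__":
    blob_read = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
    print(is_permitted([CONTRIBUTOR], "Microsoft.Authorization/roleAssignments/write"))  # False
    print(is_permitted([CONTRIBUTOR], blob_read, data_action=True))                     # False
    print(is_permitted([CONTRIBUTOR, BLOB_READER], blob_read, data_action=True))        # True
```

The second check is the one that surprises people: Contributor's `*` covers every management operation, yet reading blob content is a DataAction, so it stays denied until a data-plane role such as Storage Blob Data Reader is added.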