Role-based access control (RBAC) has several built-in roles for Azure resources that you can assign to users, groups, service principals, and managed identities. Role assignments are the way you control access to Azure resources. If the built-in roles don't meet the specific needs of your organization, you can create your own custom roles for Azure resources.
This article lists the built-in roles for Azure resources, which are always evolving. To get the latest roles, use Get-AzRoleDefinition or az role definition list. If you are looking for administrator roles for Azure Active Directory, see Administrator role permissions in Azure Active Directory.
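The role definitions returned by Get-AzRoleDefinition or az role definition list describe each role as lists of permitted and excluded operations, and the effective permission of a role is the set of operations that match an entry in Actions (or DataActions for data-plane operations) minus those that match an entry in NotActions (or NotDataActions); a `*` in an entry matches any run of characters and comparison is case-insensitive. The following Python script is an added example that is not part of the original article or of any Microsoft tooling: it loads role definitions from JSON in the shape that az role definition list emits, evaluates an operation against them, and lists which roles grant it. The embedded JSON is constructed for the example; the Owner and Contributor entries follow the well-known built-in definitions, and the "Example Blob Reader" role is a hypothetical data-plane role that is not one of the built-in roles.

```python
"""Evaluate whether an Azure RBAC role definition grants an operation.

Added example, not code from the Microsoft documentation. It applies the
Actions/NotActions (and DataActions/NotDataActions) matching rule: an
operation is granted when it matches an allow entry and matches no deny
entry. '*' is a wildcard and matching is case-insensitive.
"""
import json
import re

# Constructed sample in the shape produced by `az role definition list`.
# Owner and Contributor mirror the well-known built-in definitions (only the
# entries needed here); "Example Blob Reader" is a hypothetical custom role.
SAMPLE_ROLE_DEFINITIONS_JSON = """
[
  {"roleName": "Owner", "roleType": "BuiltInRole",
   "permissions": [{"actions": ["*"], "notActions": [],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "Contributor", "roleType": "BuiltInRole",
   "permissions": [{"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"],
                    "dataActions": [], "notDataActions": []}]},
  {"roleName": "Example Blob Reader", "roleType": "CustomRole",
   "permissions": [{"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
                    "notActions": [],
                    "dataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"],
                    "notDataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"]}]}
]
"""


def pattern_matches(pattern: str, operation: str) -> bool:
    """Match an RBAC operation string against a role-definition entry.

    Every '*' becomes '.*'; all other characters are literal. Operation
    names are compared case-insensitively, as Azure does.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def role_permits(role: dict, operation: str, data_action: bool = False) -> bool:
    """Return True if the role grants `operation`.

    Control-plane operations are checked against actions/notActions,
    data-plane operations (data_action=True) against dataActions/notDataActions.
    A permissions block grants the operation when some allow entry matches
    and no deny entry matches.
    """
    for perm in role["permissions"]:
        allow = perm["dataActions"] if data_action else perm["actions"]
        deny = perm["notDataActions"] if data_action else perm["notActions"]
        allowed = any(pattern_matches(p, operation) for p in allow)
        denied = any(pattern_matches(p, operation) for p in deny)
        if allowed and not denied:
            return True
    return False


def load_role_definitions(json_text: str) -> dict:
    """Parse role definitions and index them by roleName."""
    return {role["roleName"]: role for role in json.loads(json_text)}


def roles_permitting(roles: dict, operation: str, data_action: bool = False) -> list:
    """List the names of roles that grant `operation`, in definition order."""
    return [name for name, role in roles.items()
            if role_permits(role, operation, data_action)]


ROLES = load_role_definitions(SAMPLE_ROLE_DEFINITIONS_JSON)

if __name__ == "__main__":
    # Which of the loaded roles can create role assignments, i.e. grant access?
    op = "Microsoft.Authorization/roleAssignments/write"
    print(op, "->", roles_permitting(ROLES, op))
    # Data-plane check for the hypothetical custom role.
    blob_write = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
    print(blob_write, "->", roles_permitting(ROLES, blob_write, data_action=True))
```

Running the script shows the difference between Owner and Contributor that the table below states in words: both match `*`, but Contributor's NotActions remove every `Microsoft.Authorization/*/Write` operation, so only Owner can create role assignments. The same function answers the question a reviewer of a custom role definition usually has, namely which concrete operations a broad wildcard still leaves reachable after the NotActions carve-outs.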
Built-in role descriptions
The following table provides a brief description of each built-in role. Click the role name to see the list of Actions, NotActions, DataActions, and NotDataActions for each role.

Built-in role | Description |
---|---|
Owner | Lets you manage everything, including access to resources. |
Contributor | Lets you manage everything except granting access to resources. |
Reader | Lets you view everything, but not make any changes. |
AcrDelete | acr delete |
AcrImageSigner | acr image signer |
AcrPull | acr pull |
AcrPush | acr push |
AcrQuarantineReader | acr quarantine data reader |
AcrQuarantineWriter | acr quarantine data writer |
API Management Service Contributor | Can manage service and the APIs |
API Management Service Operator Role | Can manage service but not the APIs |
API Management Service Reader Role | Read-only access to service and APIs |
Application Insights Component Contributor | Can manage Application Insights components |
Application Insights Snapshot Debugger | Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Note that these permissions are not included in the Owner or Contributor roles. |
Automation Job Operator | Create and Manage Jobs using Automation Runbooks. |
Automation Operator | Automation Operators are able to start, stop, suspend, and resume jobs |
Automation Runbook Operator | Read Runbook properties - to be able to create Jobs of the runbook. |
Avere Contributor | Can create and manage an Avere vFXT cluster. |
Avere Operator | Used by the Avere vFXT cluster to manage the cluster |
Azure Event Hubs Data Owner | Allows for full access to Azure Event Hubs resources. |
Azure Event Hubs Data Receiver | Allows receive access to Azure Event Hubs resources. |
Azure Event Hubs Data Sender | Allows send access to Azure Event Hubs resources. |
Azure Kubernetes Service Cluster Admin Role | List cluster admin credential action. |
Azure Kubernetes Service Cluster User Role | List cluster user credential action. |
Azure Maps Data Reader (Preview) | Grants access to read map related data from an Azure maps account. |
Azure Service Bus Data Owner | Allows for full access to Azure Service Bus resources. |
Azure Service Bus Data Receiver | Allows for receive access to Azure Service Bus resources. |
Azure Service Bus Data Sender | Allows for send access to Azure Service Bus resources. |
Azure Stack Registration Owner | Lets you manage Azure Stack registrations. |
Backup Contributor | Lets you manage backup service, but can't create vaults and give access to others |
Backup Operator | Lets you manage backup services, except removal of backup, vault creation and giving access to others |
Backup Reader | Can view backup services, but can't make changes |
Billing Reader | Allows read access to billing data |
BizTalk Contributor | Lets you manage BizTalk services, but not access to them. |
Blockchain Member Node Access (Preview) | Allows for access to Blockchain Member nodes |
Blueprint Contributor | Can manage blueprint definitions, but not assign them. |
Blueprint Operator | Can assign existing published blueprints, but cannot create new blueprints. NOTE: this only works if the assignment is done with a user-assigned managed identity. |
CDN Endpoint Contributor | Can manage CDN endpoints, but can’t grant access to other users. |
CDN Endpoint Reader | Can view CDN endpoints, but can’t make changes. |
CDN Profile Contributor | Can manage CDN profiles and their endpoints, but can’t grant access to other users. |
CDN Profile Reader | Can view CDN profiles and their endpoints, but can’t make changes. |
Classic Network Contributor | Lets you manage classic networks, but not access to them. |
Classic Storage Account Contributor | Lets you manage classic storage accounts, but not access to them. |
Classic Storage Account Key Operator Service Role | Classic Storage Account Key Operators are allowed to list and regenerate keys on Classic Storage Accounts |
Classic Virtual Machine Contributor | Lets you manage classic virtual machines, but not access to them, and not the virtual network or storage account they’re connected to. |
Cognitive Services Contributor | Lets you create, read, update, delete and manage keys of Cognitive Services. |
Cognitive Services Data Reader (Preview) | Lets you read Cognitive Services data. |
Cognitive Services User | Lets you read and list keys of Cognitive Services. |
Cosmos DB Account Reader Role | Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts. |
Cosmos DB Operator | Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings. |
CosmosBackupOperator | Can submit restore request for a Cosmos DB database or a container for an account |
Cost Management Contributor | Can view costs and manage cost configuration (e.g. budgets, exports) |
Cost Management Reader | Can view cost data and configuration (e.g. budgets, exports) |
Data Box Contributor | Lets you manage everything under Data Box Service except giving access to others. |
Data Box Reader | Lets you manage Data Box Service except creating order or editing order details and giving access to others. |
Data Factory Contributor | Create and manage data factories, as well as child resources within them. |
Data Lake Analytics Developer | Lets you submit, monitor, and manage your own jobs but not create or delete Data Lake Analytics accounts. |
Data Purger | Can purge analytics data |
DevTest Labs User | Lets you connect, start, restart, and shutdown your virtual machines in your Azure DevTest Labs. |
DNS Zone Contributor | Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. |
DocumentDB Account Contributor | Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB. |
EventGrid EventSubscription Contributor | Lets you manage EventGrid event subscription operations. |
EventGrid EventSubscription Reader | Lets you read EventGrid event subscriptions. |
HDInsight Cluster Operator | Lets you read and modify HDInsight cluster configurations. |
HDInsight Domain Services Contributor | Can Read, Create, Modify and Delete Domain Services related operations needed for HDInsight Enterprise Security Package |
Intelligent Systems Account Contributor | Lets you manage Intelligent Systems accounts, but not access to them. |
Key Vault Contributor | Lets you manage key vaults, but not access to them. |
Lab Creator | Lets you create, manage, delete your managed labs under your Azure Lab Accounts. |
Log Analytics Contributor | Log Analytics Contributor can read all monitoring data and edit monitoring settings. Editing monitoring settings includes adding the VM extension to VMs; reading storage account keys to be able to configure collection of logs from Azure Storage; creating and configuring Automation accounts; adding solutions; and configuring Azure diagnostics on all Azure resources. |
Log Analytics Reader | Log Analytics Reader can view and search all monitoring data as well as view monitoring settings, including viewing the configuration of Azure diagnostics on all Azure resources. |
Logic App Contributor | Lets you manage logic apps, but not change access to them. |
Logic App Operator | Lets you read, enable, and disable logic apps, but not edit or update them. |
Managed Application Operator Role | Lets you read and perform actions on Managed Application resources |
Managed Applications Reader | Lets you read resources in a managed app and request JIT access. |
Managed Identity Contributor | Create, Read, Update, and Delete User Assigned Identity |
Managed Identity Operator | Read and Assign User Assigned Identity |
Management Group Contributor | Management Group Contributor Role |
Management Group Reader | Management Group Reader Role |
Monitoring Contributor | Can read all monitoring data and edit monitoring settings. See also Get started with roles, permissions, and security with Azure Monitor. |
Monitoring Metrics Publisher | Enables publishing metrics against Azure resources |
Monitoring Reader | Can read all monitoring data (metrics, logs, etc.). See also Get started with roles, permissions, and security with Azure Monitor. |
Network Contributor | Lets you manage networks, but not access to them. |
New Relic APM Account Contributor | Lets you manage New Relic Application Performance Management accounts and applications, but not access to them. |
Reader and Data Access | Lets you view everything but will not let you delete or create a storage account or contained resource. It will also allow read/write access to all data contained in a storage account via access to storage account keys. |
Redis Cache Contributor | Lets you manage Redis caches, but not access to them. |
Resource Policy Contributor (Preview) | (Preview) Backfilled users from EA, with rights to create/modify resource policy, create support ticket and read resources/hierarchy. |
Scheduler Job Collections Contributor | Lets you manage Scheduler job collections, but not access to them. |
Search Service Contributor | Lets you manage Search services, but not access to them. |
Security Admin | In Security Center only: Can view security policies, view security states, edit security policies, view alerts and recommendations, dismiss alerts and recommendations |
Security Manager (Legacy) | This is a legacy role. Please use Security Administrator instead |
Security Reader | In Security Center only: Can view recommendations and alerts, view security policies, view security states, but cannot make changes |
Site Recovery Contributor | Lets you manage Site Recovery service except vault creation and role assignment |
Site Recovery Operator | Lets you failover and failback but not perform other Site Recovery management operations |
Site Recovery Reader | Lets you view Site Recovery status but not perform other management operations |
Spatial Anchors Account Contributor | Lets you manage spatial anchors in your account, but not delete them |
Spatial Anchors Account Owner | Lets you manage spatial anchors in your account, including deleting them |
Spatial Anchors Account Reader | Lets you locate and read properties of spatial anchors in your account |
SQL DB Contributor | Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers. |
SQL Managed Instance Contributor | Lets you manage SQL Managed Instances and required network configuration, but can’t give access to others. |
SQL Security Manager | Lets you manage the security-related policies of SQL servers and databases, but not access to them. |
SQL Server Contributor | Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. |
Storage Account Contributor | Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization. |
Storage Account Key Operator Service Role | Permits listing and regenerating storage account access keys. |
Storage Blob Data Contributor | Read, write, and delete Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
Storage Blob Data Owner | Provides full access to Azure Storage blob containers and data, including assigning POSIX access control. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
Storage Blob Data Reader | Read and list Azure Storage containers and blobs. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
Storage Blob Delegator | Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. For more information, see Create a user delegation SAS. |
Storage File Data SMB Share Contributor | Allows for read, write, and delete access in Azure Storage file shares over SMB |
Storage File Data SMB Share Elevated Contributor | Allows for read, write, delete and modify NTFS permission access in Azure Storage file shares over SMB |
Storage File Data SMB Share Reader | Allows for read access to Azure File Share over SMB |
Storage Queue Data Contributor | Read, write, and delete Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
Storage Queue Data Message Processor | Peek, retrieve, and delete a message from an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
Storage Queue Data Message Sender | Add messages to an Azure Storage queue. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
Storage Queue Data Reader | Read and list Azure Storage queues and queue messages. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. |
Support Request Contributor | Lets you create and manage Support requests |
Traffic Manager Contributor | Lets you manage Traffic Manager profiles, but does not let you control who has access to them. |
User Access Administrator | Lets you manage user access to Azure resources. |
Virtual Machine Administrator Login | View Virtual Machines in the portal and login as administrator |
Virtual Machine Contributor | Lets you manage virtual machines, but not access to them, and not the virtual network or storage account they're connected to. |
Virtual Machine User Login | View Virtual Machines in the portal and login as a regular user. |
Web Plan Contributor | Lets you manage the web plans for websites, but not access to them. |
Website Contributor | Lets you manage websites (not web plans), but not access to them. |