If you are trying to understand how an Azure role works or if you are creating your own Azure custom role, it's helpful to understand how roles are defined. This article describes the details of role definitions and provides some examples.

Role definition

A role definition is a collection of permissions. A role definition lists the actions that can be performed, such as read, write, and delete. It can also list the actions that are excluded from allowed actions or actions related to underlying data.

The following shows an example of the properties in a role definition when displayed using Azure PowerShell: Name

The following shows an example of the properties in a role definition when displayed using the Azure portal, Azure CLI, or the REST API: roleName

The following table describes what the role properties mean.

Built-in roles have the same role ID across clouds.

Set to true or CustomRole for custom roles. Set to false or BuiltInRole for built-in roles.

An array of strings that specifies the control plane actions that the role allows to be performed.

An array of strings that specifies the control plane actions that are excluded from the allowed Actions.

An array of strings that specifies the data plane actions that the role allows to be performed to your data within that object.

An array of strings that specifies the data plane actions that are excluded from the allowed DataActions.

An array of strings that specifies the scopes that the role is available for assignment.

Actions are specified with strings that have the following format:

"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
"Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"
"type": "Microsoft.Authorization/roleDefinitions"

Only data plane actions can be added to the DataActions and NotDataActions properties. Resource providers identify which actions are data actions, by setting the isDataAction property to true. To see a list of the actions where isDataAction is true, see Resource provider operations. Roles that do not have data actions are not required to have DataActions and NotDataActions properties within the role definition.

Authorization for all control plane API calls is handled by Azure Resource Manager. Authorization for data plane API calls is handled by either a resource provider or Azure Resource Manager.

To better understand how control plane and data plane actions work, let's consider a specific example. Alice has been assigned the Owner role at the subscription scope.
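The separation between Actions/NotActions and DataActions/NotDataActions can be checked mechanically when reviewing role assignments. The following is an added example, not code from the original article or from Azure: a simplified evaluator that assumes `*` is the only wildcard and that matching is case-insensitive, and ignores scopes and deny assignments. The role dictionaries are constructed samples, and `STORAGE_NO_DELETE` is a hypothetical custom role.

```python
import re

def _matches(pattern, action):
    # Assumption: '*' is the only wildcard; comparison is case-insensitive.
    rx = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def is_allowed(role, action, data_plane):
    """True if the action is in the allow list and not in the exclude list.

    Control plane checks use Actions/NotActions; data plane checks use
    DataActions/NotDataActions. A role may omit the data properties.
    """
    allow = role.get("DataActions" if data_plane else "Actions", [])
    exclude = role.get("NotDataActions" if data_plane else "NotActions", [])
    return (any(_matches(p, action) for p in allow)
            and not any(_matches(p, action) for p in exclude))

def granting_roles(assigned, action, data_plane):
    """Names of the assigned roles that grant the action on the given plane."""
    return [name for name, role in assigned.items()
            if is_allowed(role, action, data_plane)]

CONTAINER_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/read"
BLOB_READ = "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"

# Constructed permission sets. Owner has no data properties at all.
OWNER = {"Actions": ["*"], "NotActions": []}
BLOB_DATA_READER = {
    "Actions": [
        CONTAINER_READ,
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    ],
    "NotActions": [],
    "DataActions": [BLOB_READ],
    "NotDataActions": [],
}
# Hypothetical custom role: everything in Microsoft.Storage except deletion.
STORAGE_NO_DELETE = {
    "Actions": ["Microsoft.Storage/*"],
    "NotActions": ["Microsoft.Storage/storageAccounts/delete"],
}

if __name__ == "__main__":
    alice = {"Owner": OWNER}
    print("control plane, container read:", granting_roles(alice, CONTAINER_READ, False))
    print("data plane, blob read:", granting_roles(alice, BLOB_READ, True))
```

In this model the wildcard in Owner's Actions covers every control plane action but contributes nothing on the data plane, so the second lookup for Alice comes back empty until a role with a matching DataActions entry is assigned.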