Clarify permissions needed for changing RBAC model #143
FabianGonzalez-MS wants to merge 1 commit into
Added requirement for 'Microsoft.KeyVault/vaults/write' permission when using User Access Administrator role.
@FabianGonzalez-MS : Thanks for your contribution! The author(s) and reviewer(s) have been notified to review your proposed change.

Can you review the proposed changes? IMPORTANT: When the changes are ready for publication, adding a #label:"aq-pr-triaged"
| > [!NOTE] | ||
| > Changing the permission model requires unrestricted 'Microsoft.Authorization/roleAssignments/write' permission, which is part of the [Owner](/azure/role-based-access-control/built-in-roles#owner) and [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) roles. Classic subscription administrator roles like 'Service Administrator' and 'Co-Administrator', or restricted 'Key Vault Data Access Administrator' cannot be used to change permission model. | ||
| > Changing the permission model requires unrestricted 'Microsoft.Authorization/roleAssignments/write' permission, which is part of the [Owner](/azure/role-based-access-control/built-in-roles#owner) and [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) roles. If using the latter, you will also need 'Microsoft.KeyVault/vaults/write' permission, which is part of [Key Vault Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security#key-vault-contributor) role. |
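Review bot: The added line drops the sentence on Classic subscription administrator roles and restricted 'Key Vault Data Access Administrator' that closed the removed line, so as shown the note no longer says those roles cannot change the permission model; keep that sentence on a ">"-prefixed line inside the [!NOTE] block. The Key Vault Contributor link is also an absolute https://learn.microsoft.com/en-us/... URL, while the Owner and User Access Administrator links in the same line are site-relative; use /azure/role-based-access-control/built-in-roles/security#key-vault-contributor instead.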
| > Changing the permission model requires unrestricted 'Microsoft.Authorization/roleAssignments/write' permission, which is part of the [Owner](/azure/role-based-access-control/built-in-roles#owner) and [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) roles. If using the latter, you will also need 'Microsoft.KeyVault/vaults/write' permission, which is part of [Key Vault Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security#key-vault-contributor) role. | |
| > Changing the permission model requires unrestricted 'Microsoft.Authorization/roleAssignments/write' permission, which is part of the [Owner](/azure/role-based-access-control/built-in-roles#owner) and [User Access Administrator](/azure/role-based-access-control/built-in-roles#user-access-administrator) roles. If using the latter, you will also need 'Microsoft.KeyVault/vaults/write' permission, which is part of [Key Vault Contributor](/azure/role-based-access-control/built-in-roles/security#key-vault-contributor) role. |
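Review bot: "If using the latter" at the start of the new sentence makes the reader work out which of the two linked roles is meant; name the role, for example "With User Access Administrator, you also need 'Microsoft.KeyVault/vaults/write' ...". The closing "part of [Key Vault Contributor] role" is also missing "the", unlike "part of the [Owner] and [User Access Administrator] roles" earlier in the same line.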
Learn Build status updates of commit dae9af2:
| File | Status | Preview URL | Details |
|---|---|---|---|
| articles/key-vault/general/rbac-guide.md | Details |
articles/key-vault/general/rbac-guide.md
- Line 116, Column 416: [Warning: hard-coded-locale - See documentation]
  Link 'https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security#key-vault-contributor' contains locale code 'en-us'. For localizability, remove 'en-us' from links to most Microsoft sites.
- Line 116, Column 416: [Suggestion: docs-link-absolute - See documentation]
  Absolute link 'https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles/security#key-vault-contributor' will be broken in isolated environments. Replace with a relative link.
For more details, please refer to the build report.
Note: Your PR may contain errors or warnings or suggestions unrelated to the files you changed. This happens when external dependencies like GitHub alias, Microsoft alias, cross repo links are updated. Please use these instructions to resolve them.
msmbaldwin left a comment
Thanks for the clarification — the technical content is correct, but a couple of markdown issues to fix before this can merge:
- Broken NOTE blockquote — the new sentence beginning "Classic subscription administrator roles..." is missing its leading `>`, so it renders outside the `> [!NOTE]` block. Add `>` to that line.
- Link path — the Key Vault Contributor link uses a bare `https://learn.microsoft.com/en-us/...` URL. Use a relative path to match the other two links in the same note:
  `[Key Vault Contributor](/azure/role-based-access-control/built-in-roles/security#key-vault-contributor)`

Once these are addressed, add a comment containing `#sign-off` (without the backticks) to submit for publication.
Recreated as https://github.com/MicrosoftDocs/azure-security-docs-pr/pull/3019 #please-close

Incorporates contribution from #143 by @FabianGonzalez-MS, with the reviewer suggestion from @v-regandowner applied (relative link, single blockquote).
- Note that the User Access Administrator role also needs 'Microsoft.KeyVault/vaults/write' (part of Key Vault Contributor) to change the permission model.

Files modified:
- articles/key-vault/general/rbac-guide.md

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Added requirement for 'Microsoft.KeyVault/vaults/write' permission when using User Access Administrator role.
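
As an added example (not part of this PR or of the Key Vault documentation), the following Python pre-flight check evaluates whether a set of role assignments supplies both actions the note names before a permission-model change is attempted. The role definitions are abbreviated, constructed copies and the `(role_name, has_condition)` input shape is an assumption; deny assignments and scope inheritance are not modelled.

```python
import re

# The two control-plane actions the note names for changing the permission model.
ROLE_ASSIGNMENT_WRITE = "Microsoft.Authorization/roleAssignments/write"
VAULT_WRITE = "Microsoft.KeyVault/vaults/write"

# Abbreviated, constructed copies of built-in role definitions as
# (Actions, NotActions). Assumption: verify against the built-in roles
# reference before relying on them.
ROLES = {
    "Owner": (["*"], []),
    "Contributor": (["*"], ["Microsoft.Authorization/*/Write",
                            "Microsoft.Authorization/*/Delete"]),
    "User Access Administrator": (["*/read", "Microsoft.Authorization/*"], []),
    "Key Vault Contributor": (["Microsoft.KeyVault/*"],
                              ["Microsoft.KeyVault/managedHsms/*"]),
    "Key Vault Data Access Administrator": ([ROLE_ASSIGNMENT_WRITE], []),
}


def matches(pattern, action):
    """Wildcard match of an action pattern: '*' spans any characters, case is ignored."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None


def role_grants(role_name, action):
    """A role grants an action matched by Actions and not excluded by NotActions."""
    actions, not_actions = ROLES[role_name]
    return (any(matches(p, action) for p in actions)
            and not any(matches(p, action) for p in not_actions))


def missing_actions(assignments):
    """Return the required actions that no assignment supplies.

    assignments: (role_name, has_condition) pairs held at or above the vault scope.
    A conditioned assignment is treated as restricted and does not count for
    roleAssignments/write, following the note's "unrestricted" wording.
    """
    missing = []
    for action in (ROLE_ASSIGNMENT_WRITE, VAULT_WRITE):
        granted = any(
            role_grants(name, action)
            and not (has_condition and action == ROLE_ASSIGNMENT_WRITE)
            for name, has_condition in assignments
        )
        if not granted:
            missing.append(action)
    return missing
```

An empty list means the combination covers both actions; User Access Administrator alone returns `Microsoft.KeyVault/vaults/write`, which is the gap this PR documents.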