| title | Azure built-in roles for Integration - Azure RBAC |
|---|---|
| description | This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Integration category. It lists Actions, NotActions, DataActions, and NotDataActions. |
| ms.service | role-based-access-control |
| ms.topic | generated-reference |
| ms.workload | identity |
| author | rolyon |
| manager | pmwongera |
| ms.author | rolyon |
| ms.date | 02/23/2026 |
| ms.custom | generated |
This article lists the Azure built-in roles in the Integration category.
Can customize the developer portal, edit its content, and publish it.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/portalRevisions/read Lists a collection of developer portal revision entities. or Gets developer portal revision specified by its identifier. Microsoft.ApiManagement/service/portalRevisions/write Creates a new developer portal revision. or Updates the description of specified portal revision or makes it current. Microsoft.ApiManagement/service/contentTypes/read Returns list of content types or Returns content type Microsoft.ApiManagement/service/contentTypes/delete Removes content type. Microsoft.ApiManagement/service/contentTypes/write Creates new content type Microsoft.ApiManagement/service/contentTypes/contentItems/read Returns list of content items or Returns content item details Microsoft.ApiManagement/service/contentTypes/contentItems/write Creates new content item or Updates specified content item Microsoft.ApiManagement/service/contentTypes/contentItems/delete Removes specified content item. NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Can customize the developer portal, edit its content, and publish it.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c031e6a8-4391-4de0-8d69-4706a7ed3729",
"name": "c031e6a8-4391-4de0-8d69-4706a7ed3729",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/portalRevisions/read",
"Microsoft.ApiManagement/service/portalRevisions/write",
"Microsoft.ApiManagement/service/contentTypes/read",
"Microsoft.ApiManagement/service/contentTypes/delete",
"Microsoft.ApiManagement/service/contentTypes/write",
"Microsoft.ApiManagement/service/contentTypes/contentItems/read",
"Microsoft.ApiManagement/service/contentTypes/contentItems/write",
"Microsoft.ApiManagement/service/contentTypes/contentItems/delete"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Developer Portal Content Editor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Can manage service and the APIs
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/* Create and manage API Management service Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Can manage service and the APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/312a565d-c81f-4fd8-895a-4e21e48d571c",
"name": "312a565d-c81f-4fd8-895a-4e21e48d571c",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Can manage service but not the APIs
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/*/read Read API Management Service instances Microsoft.ApiManagement/service/backup/action Backup API Management Service to the specified container in a user provided storage account Microsoft.ApiManagement/service/delete Delete API Management Service instance Microsoft.ApiManagement/service/managedeployments/action Change SKU/units, add/remove regional deployments of API Management Service Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance Microsoft.ApiManagement/service/restore/action Restore API Management Service from the specified container in a user provided storage account Microsoft.ApiManagement/service/updatecertificate/action Upload TLS/SSL certificate for an API Management Service Microsoft.ApiManagement/service/updatehostname/action Setup, update or remove custom domain names for an API Management Service Microsoft.ApiManagement/service/write Create or Update API Management Service instance Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions Microsoft.ApiManagement/service/users/keys/read Get keys associated with user DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Can manage service but not the APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e022efe7-f5ba-4159-bbe4-b44f577e9b61",
"name": "e022efe7-f5ba-4159-bbe4-b44f577e9b61",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*/read",
"Microsoft.ApiManagement/service/backup/action",
"Microsoft.ApiManagement/service/delete",
"Microsoft.ApiManagement/service/managedeployments/action",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/restore/action",
"Microsoft.ApiManagement/service/updatecertificate/action",
"Microsoft.ApiManagement/service/updatehostname/action",
"Microsoft.ApiManagement/service/write",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.ApiManagement/service/users/keys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Operator Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Read-only access to service and APIs
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/*/read Read API Management Service instances Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions Microsoft.ApiManagement/service/users/keys/read Get keys associated with user DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Read-only access to service and APIs",
"id": "/providers/Microsoft.Authorization/roleDefinitions/71522526-b88f-4d52-b57f-d31fc3546d0d",
"name": "71522526-b88f-4d52-b57f-d31fc3546d0d",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/*/read",
"Microsoft.ApiManagement/service/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [
"Microsoft.ApiManagement/service/users/keys/read"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/tags/read Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. Microsoft.ApiManagement/service/tags/apiLinks/* Microsoft.ApiManagement/service/tags/operationLinks/* Microsoft.ApiManagement/service/tags/productLinks/* Microsoft.ApiManagement/service/products/read Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. Microsoft.ApiManagement/service/products/apiLinks/* Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance Microsoft.ApiManagement/service/authorizationServers/read Lists a collection of authorization servers defined within a service instance. or Gets the details of the authorization server without secrets. Microsoft.Authorization/*/read Read roles and role assignments NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Has read access to tags and products and write access to allow: assigning APIs to products, assigning tags to products and APIs. This role should be assigned on the service scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9565a273-41b9-4368-97d2-aeb0c976a9b3",
"name": "9565a273-41b9-4368-97d2-aeb0c976a9b3",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/tags/read",
"Microsoft.ApiManagement/service/tags/apiLinks/*",
"Microsoft.ApiManagement/service/tags/operationLinks/*",
"Microsoft.ApiManagement/service/tags/productLinks/*",
"Microsoft.ApiManagement/service/products/read",
"Microsoft.ApiManagement/service/products/apiLinks/*",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/authorizationServers/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Workspace API Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/users/read Lists a collection of registered users in the specified service instance. or Gets the details of the user specified by its identifier. Microsoft.ApiManagement/service/tags/read Lists a collection of tags defined within a service instance. or Gets the details of the tag specified by its identifier. Microsoft.ApiManagement/service/tags/apiLinks/* Microsoft.ApiManagement/service/tags/operationLinks/* Microsoft.ApiManagement/service/tags/productLinks/* Microsoft.ApiManagement/service/products/read Lists a collection of products in the specified service instance. or Gets the details of the product specified by its identifier. Microsoft.ApiManagement/service/products/apiLinks/* Microsoft.ApiManagement/service/groups/read Lists a collection of groups defined within a service instance. or Gets the details of the group specified by its identifier. Microsoft.ApiManagement/service/groups/users/* Microsoft.ApiManagement/service/read Read metadata for an API Management Service instance Microsoft.ApiManagement/service/authorizationServers/read Lists a collection of authorization servers defined within a service instance. or Gets the details of the authorization server without secrets. Microsoft.Authorization/*/read Read roles and role assignments NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Has the same access as API Management Service Workspace API Developer as well as read access to users and write access to allow assigning users to groups. This role should be assigned on the service scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
"name": "d59a3e9c-6d52-4a5a-aeed-6bf3cf0e31da",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/users/read",
"Microsoft.ApiManagement/service/tags/read",
"Microsoft.ApiManagement/service/tags/apiLinks/*",
"Microsoft.ApiManagement/service/tags/operationLinks/*",
"Microsoft.ApiManagement/service/tags/productLinks/*",
"Microsoft.ApiManagement/service/products/read",
"Microsoft.ApiManagement/service/products/apiLinks/*",
"Microsoft.ApiManagement/service/groups/read",
"Microsoft.ApiManagement/service/groups/users/*",
"Microsoft.ApiManagement/service/read",
"Microsoft.ApiManagement/service/authorizationServers/read",
"Microsoft.Authorization/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Service Workspace API Product Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/workspaces/*/read Microsoft.ApiManagement/service/workspaces/apis/* Microsoft.ApiManagement/service/workspaces/apiVersionSets/* Microsoft.ApiManagement/service/workspaces/policies/* Microsoft.ApiManagement/service/workspaces/schemas/* Microsoft.ApiManagement/service/workspaces/products/* Microsoft.ApiManagement/service/workspaces/policyFragments/* Microsoft.ApiManagement/service/workspaces/namedValues/* Microsoft.ApiManagement/service/workspaces/tags/* Microsoft.ApiManagement/service/workspaces/backends/* Microsoft.ApiManagement/service/workspaces/certificates/* Microsoft.ApiManagement/service/workspaces/diagnostics/* Microsoft.ApiManagement/service/workspaces/loggers/* Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/diagnosticSettings/*/read Microsoft.insights/logs/read Reading data from all your logs Microsoft.insights/logs/ApiManagementGatewayLogs/read Read data from the ApiManagementGatewayLogs table NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Has read access to entities in the workspace and read and write access to entities for editing APIs. This role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/56328988-075d-4c6a-8766-d93edd6725b6",
"name": "56328988-075d-4c6a-8766-d93edd6725b6",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*/read",
"Microsoft.ApiManagement/service/workspaces/apis/*",
"Microsoft.ApiManagement/service/workspaces/apiVersionSets/*",
"Microsoft.ApiManagement/service/workspaces/policies/*",
"Microsoft.ApiManagement/service/workspaces/schemas/*",
"Microsoft.ApiManagement/service/workspaces/products/*",
"Microsoft.ApiManagement/service/workspaces/policyFragments/*",
"Microsoft.ApiManagement/service/workspaces/namedValues/*",
"Microsoft.ApiManagement/service/workspaces/tags/*",
"Microsoft.ApiManagement/service/workspaces/backends/*",
"Microsoft.ApiManagement/service/workspaces/certificates/*",
"Microsoft.ApiManagement/service/workspaces/diagnostics/*",
"Microsoft.ApiManagement/service/workspaces/loggers/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/diagnosticSettings/*/read",
"Microsoft.insights/logs/read",
"Microsoft.insights/logs/ApiManagementGatewayLogs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace API Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/workspaces/*/read Microsoft.ApiManagement/service/workspaces/products/* Microsoft.ApiManagement/service/workspaces/subscriptions/* Microsoft.ApiManagement/service/workspaces/groups/* Microsoft.ApiManagement/service/workspaces/tags/* Microsoft.ApiManagement/service/workspaces/notifications/* Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/diagnosticSettings/*/read Microsoft.insights/logs/read Reading data from all your logs Microsoft.insights/logs/ApiManagementGatewayLogs/read Read data from the ApiManagementGatewayLogs table NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Has read access to entities in the workspace and read and write access to entities for publishing APIs. This role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/73c2c328-d004-4c5e-938c-35c6f5679a1f",
"name": "73c2c328-d004-4c5e-938c-35c6f5679a1f",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*/read",
"Microsoft.ApiManagement/service/workspaces/products/*",
"Microsoft.ApiManagement/service/workspaces/subscriptions/*",
"Microsoft.ApiManagement/service/workspaces/groups/*",
"Microsoft.ApiManagement/service/workspaces/tags/*",
"Microsoft.ApiManagement/service/workspaces/notifications/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/diagnosticSettings/*/read",
"Microsoft.insights/logs/read",
"Microsoft.insights/logs/ApiManagementGatewayLogs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace API Product Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/workspaces/* Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/diagnosticSettings/*/read Microsoft.insights/logs/read Reading data from all your logs Microsoft.insights/logs/ApiManagementGatewayLogs/read Read data from the ApiManagementGatewayLogs table NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Can manage the workspace and view, but not modify its members. This role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
"name": "0c34c906-8d99-4cb7-8bb7-33f5b0a1a799",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/diagnosticSettings/*/read",
"Microsoft.insights/logs/read",
"Microsoft.insights/logs/ApiManagementGatewayLogs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiManagement/service/workspaces/*/read Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/diagnosticSettings/*/read Microsoft.insights/logs/read Reading data from all your logs Microsoft.insights/logs/ApiManagementGatewayLogs/read Read data from the ApiManagementGatewayLogs table NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Has read-only access to entities in the workspace. This role should be assigned on the workspace scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
"name": "ef1c2c96-4a77-49e8-b9a4-6179fe1d2fd2",
"permissions": [
{
"actions": [
"Microsoft.ApiManagement/service/workspaces/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/diagnosticSettings/*/read",
"Microsoft.insights/logs/read",
"Microsoft.insights/logs/ApiManagementGatewayLogs/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "API Management Workspace Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Grants permission for all management operations, except purge, for App Configuration resources. This role does not grant access to data plane resources such as key-values, snapshots, and feature flags.
[!div class="mx-tableFixed"]
Actions Description Microsoft.AppConfiguration/* Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. NotActions Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action Purge the specified deleted configuration store. DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Grants permission for all management operations, except purge, for App Configuration resources. This role does not grant access to data plane resources such as key-values, snapshots, and feature flags.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fe86443c-f201-4fc4-9d2a-ac61149fbda0",
"name": "fe86443c-f201-4fc4-9d2a-ac61149fbda0",
"permissions": [
{
"actions": [
"Microsoft.AppConfiguration/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
"Microsoft.AppConfiguration/locations/deletedConfigurationStores/purge/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Configuration Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows full access to App Configuration data.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.AppConfiguration/configurationStores/*/read Microsoft.AppConfiguration/configurationStores/*/write Microsoft.AppConfiguration/configurationStores/*/delete Microsoft.AppConfiguration/configurationStores/*/action NotDataActions Microsoft.AppConfiguration/configurationStores/useSasAuth/action
{
"assignableScopes": [
"/"
],
"description": "Allows full access to App Configuration data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
"name": "5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppConfiguration/configurationStores/*/read",
"Microsoft.AppConfiguration/configurationStores/*/write",
"Microsoft.AppConfiguration/configurationStores/*/delete",
"Microsoft.AppConfiguration/configurationStores/*/action"
],
"notDataActions": [
"Microsoft.AppConfiguration/configurationStores/useSasAuth/action"
]
}
],
"roleName": "App Configuration Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows read access to App Configuration data.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.AppConfiguration/configurationStores/*/read NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows read access to App Configuration data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/516239f1-63e1-4d78-a4de-a74fb236a071",
"name": "516239f1-63e1-4d78-a4de-a74fb236a071",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.AppConfiguration/configurationStores/*/read"
],
"notDataActions": []
}
],
"roleName": "App Configuration Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Grants permission for read operations for App Configuration resources. This role does not grant access to data plane resources such as key-values, snapshots, and feature flags.
[!div class="mx-tableFixed"]
Actions Description Microsoft.AppConfiguration/*/read Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/read Read a classic metric alert Microsoft.Resources/deployments/read Gets or lists deployments. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Grants permission for read operations for App Configuration resources. This role does not grant access to data plane resources such as key-values, snapshots, and feature flags.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/175b81b9-6e0d-490a-85e4-0d422273c10c",
"name": "175b81b9-6e0d-490a-85e4-0d422273c10c",
"permissions": [
{
"actions": [
"Microsoft.AppConfiguration/*/read",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "App Configuration Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Grants reader access to AI projects, reader access to AI accounts, and data actions for an AI project. Applies for new Foundry resources.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiCenter/services/*/read Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action Updates analysis results for specified API definition. Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action Exports API definition file. NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows managing API compliance in Azure API Center service.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ede9aaa3-4627-494e-be13-4aa7c256148d",
"name": "ede9aaa3-4627-494e-be13-4aa7c256148d",
"permissions": [
{
"actions": [
"Microsoft.ApiCenter/services/*/read",
"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action",
"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure API Center Compliance Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows for access to Azure API Center data plane read operations.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.ApiCenter/services/*/read Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action Exports API definition file. Microsoft.ApiCenter/services/workspaces/search/action Search workspace for relevant results. NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows for access to Azure API Center data plane read operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c7244dfb-f447-457d-b2ba-3999044d1706",
"name": "c7244dfb-f447-457d-b2ba-3999044d1706",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.ApiCenter/services/*/read",
"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action",
"Microsoft.ApiCenter/services/workspaces/search/action"
],
"notDataActions": []
}
],
"roleName": "Azure API Center Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows managing Azure API Center service.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiCenter/services/* Microsoft.ApiCenter/deletedServices/* Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. NotActions Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action Updates analysis results for specified API definition. DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows managing Azure API Center service.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/dd24193f-ef65-44e5-8a7e-6fa6e03f7713",
"name": "dd24193f-ef65-44e5-8a7e-6fa6e03f7713",
"permissions": [
{
"actions": [
"Microsoft.ApiCenter/services/*",
"Microsoft.ApiCenter/deletedServices/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [
"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/updateAnalysisState/action"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure API Center Service Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows read-only access to Azure API Center service.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ApiCenter/services/*/read Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action Exports API definition file. Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows read-only access to Azure API Center service.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6cba8790-29c5-48e5-bab1-c7541b01cb04",
"name": "6cba8790-29c5-48e5-bab1-c7541b01cb04",
"permissions": [
{
"actions": [
"Microsoft.ApiCenter/services/*/read",
"Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/exportSpecification/action",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure API Center Service Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows for listen access to Azure Relay resources.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Relay/*/wcfRelays/read Microsoft.Relay/*/hybridConnections/read NotActions none DataActions Microsoft.Relay/*/listen/action NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows for listen access to Azure Relay resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/26e0b698-aa6d-4085-9386-aadae190014d",
"name": "26e0b698-aa6d-4085-9386-aadae190014d",
"permissions": [
{
"actions": [
"Microsoft.Relay/*/wcfRelays/read",
"Microsoft.Relay/*/hybridConnections/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*/listen/action"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Listener",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows for full access to Azure Relay resources.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Relay/* NotActions none DataActions Microsoft.Relay/* NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Relay resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2787bf04-f1f5-4bfe-8383-c8a24483ee38",
"name": "2787bf04-f1f5-4bfe-8383-c8a24483ee38",
"permissions": [
{
"actions": [
"Microsoft.Relay/*"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows for send access to Azure Relay resources.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Relay/*/wcfRelays/read Microsoft.Relay/*/hybridConnections/read NotActions none DataActions Microsoft.Relay/*/send/action NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows for send access to Azure Relay resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/26baccc8-eea7-41f1-98f4-1762cc7f685d",
"name": "26baccc8-eea7-41f1-98f4-1762cc7f685d",
"permissions": [
{
"actions": [
"Microsoft.Relay/*/wcfRelays/read",
"Microsoft.Relay/*/hybridConnections/read"
],
"notActions": [],
"dataActions": [
"Microsoft.Relay/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Relay Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications
[!div class="mx-tableFixed"]
Actions Description Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action Permission to perform creation and event subscription creation on a resources system topic Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action Permission to perform creation and event subscription creation on a healthresources system topic Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action Permission to perform creation and event subscription creation on a maintenanceresources system topic Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/action Permission to perform creation and event subscription creation on a computeresources system topic Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleResources/action Permission to perform creation and event subscription creation on a computescheduleresources system topic Microsoft.ResourceNotifications/systemTopics/subscribeToContainerServiceEventResources/action Permission to perform creation and event subscription creation on a containerserviceeventresources system topic Microsoft.ResourceNotifications/systemTopics/subscribeToImpactReportingResources/action Permission to perform creation and event subscription creation on a impactreportingresources system topic Microsoft.ResourceNotifications/systemTopics/subscribeToAksResources/action Permission to perform creation and event subscription creation on a aksresources system topic Microsoft.EventGrid/eventSubscriptions/write Create or update an eventSubscription Microsoft.EventGrid/systemTopics/eventSubscriptions/write Create or update a SystemTopic eventSubscription NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you create system topics and event subscriptions on all system topics exposed currently and in the future by Azure Resource Notifications",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0b962ed2-6d56-471c-bd5f-3477d83a7ba4",
"name": "0b962ed2-6d56-471c-bd5f-3477d83a7ba4",
"permissions": [
{
"actions": [
"Microsoft.ResourceNotifications/systemTopics/subscribeToResources/action",
"Microsoft.ResourceNotifications/systemTopics/subscribeToHealthResources/action",
"Microsoft.ResourceNotifications/systemTopics/subscribeToMaintenanceResources/action",
"Microsoft.ResourceNotifications/systemTopics/subscribeToComputeResources/action",
"Microsoft.ResourceNotifications/systemTopics/subscribeToComputeScheduleResources/action",
"Microsoft.ResourceNotifications/systemTopics/subscribeToContainerServiceEventResources/action",
"Microsoft.ResourceNotifications/systemTopics/subscribeToImpactReportingResources/action",
"Microsoft.ResourceNotifications/systemTopics/subscribeToAksResources/action",
"Microsoft.EventGrid/eventSubscriptions/write",
"Microsoft.EventGrid/systemTopics/eventSubscriptions/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Resource Notifications System Topics Subscriber",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows for full access to Azure Service Bus resources.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ServiceBus/* NotActions none DataActions Microsoft.ServiceBus/* NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows for full access to Azure Service Bus resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/090c5cfd-751d-490a-894a-3ce6f1109419",
"name": "090c5cfd-751d-490a-894a-3ce6f1109419",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows for receive access to Azure Service Bus resources.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ServiceBus/*/queues/read Microsoft.ServiceBus/*/topics/read Microsoft.ServiceBus/*/topics/subscriptions/read NotActions none DataActions Microsoft.ServiceBus/*/receive/action NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows for receive access to Azure Service Bus resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
"name": "4f6d3b9b-027b-4f4c-9142-0e5a2a2247e0",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*/queues/read",
"Microsoft.ServiceBus/*/topics/read",
"Microsoft.ServiceBus/*/topics/subscriptions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*/receive/action"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Receiver",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows for send access to Azure Service Bus resources.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ServiceBus/*/queues/read Microsoft.ServiceBus/*/topics/read Microsoft.ServiceBus/*/topics/subscriptions/read NotActions none DataActions Microsoft.ServiceBus/*/send/action NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows for send access to Azure Service Bus resources.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
"name": "69a216fc-b8fb-44d8-bc22-1f3c2cd27a39",
"permissions": [
{
"actions": [
"Microsoft.ServiceBus/*/queues/read",
"Microsoft.ServiceBus/*/topics/read",
"Microsoft.ServiceBus/*/topics/subscriptions/read"
],
"notActions": [],
"dataActions": [
"Microsoft.ServiceBus/*/send/action"
],
"notDataActions": []
}
],
"roleName": "Azure Service Bus Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you manage BizTalk services, but not access to them.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.BizTalkServices/BizTalk/* Create and manage BizTalk services Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage BizTalk services, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5e3c6656-6cfa-4708-81fe-0de47ac73342",
"name": "5e3c6656-6cfa-4708-81fe-0de47ac73342",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.BizTalkServices/BizTalk/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "BizTalk Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Create and manage DeID batch jobs. This role is in preview and subject to change.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthDataAIServices/DeidServices/Batch/write Creates batches Microsoft.HealthDataAIServices/DeidServices/Batch/delete Deletes a batch Microsoft.HealthDataAIServices/DeidServices/Batch/read Reads a batch NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Create and manage DeID batch jobs. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/8a90fa6b-6997-4a07-8a95-30633a7c97b9",
"name": "8a90fa6b-6997-4a07-8a95-30633a7c97b9",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthDataAIServices/DeidServices/Batch/write",
"Microsoft.HealthDataAIServices/DeidServices/Batch/delete",
"Microsoft.HealthDataAIServices/DeidServices/Batch/read"
],
"notDataActions": []
}
],
"roleName": "DeID Batch Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Read DeID batch jobs. This role is in preview and subject to change.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthDataAIServices/DeidServices/Batch/read Reads a batch NotDataActions Microsoft.HealthDataAIServices/DeidServices/Batch/write Creates batches Microsoft.HealthDataAIServices/DeidServices/Batch/delete Deletes a batch
{
"assignableScopes": [
"/"
],
"description": "Read DeID batch jobs. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b73a14ee-91f5-41b7-bd81-920e12466be9",
"name": "b73a14ee-91f5-41b7-bd81-920e12466be9",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthDataAIServices/DeidServices/Batch/read"
],
"notDataActions": [
"Microsoft.HealthDataAIServices/DeidServices/Batch/write",
"Microsoft.HealthDataAIServices/DeidServices/Batch/delete"
]
}
],
"roleName": "DeID Batch Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Full access to DeID data. This role is in preview and subject to change
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthDataAIServices/DeidServices/* NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Full access to DeID data. This role is in preview and subject to change",
"id": "/providers/Microsoft.Authorization/roleDefinitions/78e4b983-1a0b-472e-8b7d-8d770f7c5890",
"name": "78e4b983-1a0b-472e-8b7d-8d770f7c5890",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthDataAIServices/DeidServices/*"
],
"notDataActions": []
}
],
"roleName": "DeID Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Execute requests against DeID realtime endpoint. This role is in preview and subject to change.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthDataAIServices/DeidServices/Realtime/action Allows access to the realtime endpoint NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Execute requests against DeID realtime endpoint. This role is in preview and subject to change.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e",
"name": "bb6577c4-ea0a-40b2-8962-ea18cb8ecd4e",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthDataAIServices/DeidServices/Realtime/action"
],
"notDataActions": []
}
],
"roleName": "DeID Realtime Data User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Full access to DICOM data.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/workspaces/dicomservices/resources/* NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Full access to DICOM data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/58a3b984-7adf-4c20-983a-32417c86fbc8",
"name": "58a3b984-7adf-4c20-983a-32417c86fbc8",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/workspaces/dicomservices/resources/*"
],
"notDataActions": []
}
],
"roleName": "DICOM Data Owner",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Read and search DICOM data.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/workspaces/dicomservices/resources/read Read DICOM resources (includes searching and change feed). NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Read and search DICOM data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a",
"name": "e89c7a3c-2f64-4fa1-a847-3e4c9ba4283a",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/workspaces/dicomservices/resources/read"
],
"notDataActions": []
}
],
"roleName": "DICOM Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Durable Task role for all data access operations.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.DurableTask/* NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Durable Task role for all data access operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/0ad04412-c4d5-4796-b79c-f76d14c8d402",
"name": "0ad04412-c4d5-4796-b79c-f76d14c8d402",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.DurableTask/*"
],
"notDataActions": []
}
],
"roleName": "Durable Task Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Read all Durable Task Scheduler data.
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.DurableTask/schedulers/taskhubs/orchestrations/read Gets or list orchestrations metadata, including payloads Microsoft.DurableTask/schedulers/taskhubs/orchestrations/metadata/read Gets or lists orchestration metadata, but not payloads NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Read all Durable Task Scheduler data.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d6a5505f-6ebb-45a4-896e-ac8274cfc0ac",
"name": "d6a5505f-6ebb-45a4-896e-ac8274cfc0ac",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.DurableTask/schedulers/taskhubs/orchestrations/read",
"Microsoft.DurableTask/schedulers/taskhubs/orchestrations/metadata/read"
],
"notDataActions": []
}
],
"roleName": "Durable Task Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Used by worker applications to interact with the Durable Task service
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.DurableTask/schedulers/taskhubs/orchestrations/execute/action Get orchestration and activity work-items and post results NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Used by worker applications to interact with the Durable Task service",
"id": "/providers/Microsoft.Authorization/roleDefinitions/80d0d6b0-f522-40a4-8886-a5a11720c375",
"name": "80d0d6b0-f522-40a4-8886-a5a11720c375",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.DurableTask/schedulers/taskhubs/orchestrations/execute/action"
],
"notDataActions": []
}
],
"roleName": "Durable Task Worker",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you manage EventGrid operations.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.EventGrid/* Create and manage Event Grid resources Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage EventGrid operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/1e241071-0855-49ea-94dc-649edcd759de",
"name": "1e241071-0855-49ea-94dc-649edcd759de",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows send access to event grid events.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.EventGrid/topics/read Read a topic Microsoft.EventGrid/domains/read Read a domain Microsoft.EventGrid/partnerNamespaces/read Read a partner namespace Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.EventGrid/namespaces/read Read a namespace NotActions none DataActions Microsoft.EventGrid/events/send/action Send events to topics NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows send access to event grid events.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/d5a91429-5739-47e2-a06b-3470a27159e7",
"name": "d5a91429-5739-47e2-a06b-3470a27159e7",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/topics/read",
"Microsoft.EventGrid/domains/read",
"Microsoft.EventGrid/partnerNamespaces/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.EventGrid/namespaces/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventGrid/events/send/action"
],
"notDataActions": []
}
],
"roleName": "EventGrid Data Sender",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you manage EventGrid event subscription operations.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.EventGrid/eventSubscriptions/* Create and manage regional event subscriptions Microsoft.EventGrid/topicTypes/eventSubscriptions/read List global event subscriptions by topic type Microsoft.EventGrid/locations/eventSubscriptions/read List regional event subscriptions Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read List regional event subscriptions by topictype Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage EventGrid event subscription operations.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
"name": "428e0ff0-5e57-4d9c-a221-2c70d0e0a443",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/*",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid EventSubscription Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you read EventGrid event subscriptions.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.EventGrid/eventSubscriptions/read Read an eventSubscription Microsoft.EventGrid/topicTypes/eventSubscriptions/read List global event subscriptions by topic type Microsoft.EventGrid/locations/eventSubscriptions/read List regional event subscriptions Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read List regional event subscriptions by topictype Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you read EventGrid event subscriptions.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/2414bbcf-6497-4faf-8c65-045460748405",
"name": "2414bbcf-6497-4faf-8c65-045460748405",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/eventSubscriptions/read",
"Microsoft.EventGrid/topicTypes/eventSubscriptions/read",
"Microsoft.EventGrid/locations/eventSubscriptions/read",
"Microsoft.EventGrid/locations/topicTypes/eventSubscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "EventGrid EventSubscription Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you publish messages on topicspaces.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.EventGrid/*/read Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. NotActions none DataActions Microsoft.EventGrid/topicSpaces/publish/action Publish to a topic space NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you publish messages on topicspaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a12b0b94-b317-4dcd-84a8-502ce99884c6",
"name": "a12b0b94-b317-4dcd-84a8-502ce99884c6",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventGrid/topicSpaces/publish/action"
],
"notDataActions": []
}
],
"roleName": "EventGrid TopicSpaces Publisher",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you subscribe messages on topicspaces.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.EventGrid/*/read Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. NotActions none DataActions Microsoft.EventGrid/topicSpaces/subscribe/action Subscribe to a topic space NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you subscribe messages on topicspaces.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4b0f2fd7-60b4-4eca-896f-4435034f8bf5",
"name": "4b0f2fd7-60b4-4eca-896f-4435034f8bf5",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.EventGrid/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [
"Microsoft.EventGrid/topicSpaces/subscribe/action"
],
"notDataActions": []
}
],
"roleName": "EventGrid TopicSpaces Subscriber",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Role allows user or principal to perform bulk operations
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/services/fhir/resources/write Write FHIR resources (includes create and update). Microsoft.HealthcareApis/services/fhir/resources/delete Delete FHIR resources (soft delete). Microsoft.HealthcareApis/services/fhir/resources/export/action Export operation ($export). Microsoft.HealthcareApis/services/fhir/resources/reindex/action Allows user to run Reindex job to index any search parameters that haven't yet been indexed. Microsoft.HealthcareApis/services/fhir/resources/import/action Import FHIR resources in batch. Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action Hard Delete (including version history). Microsoft.HealthcareApis/services/fhir/resources/bulkOperator/action Allows user to perform bulk operations Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/workspaces/fhirservices/resources/write Write FHIR resources (includes create and update). Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete Delete FHIR resources (soft delete). Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action Export operation ($export). Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action Allows user to run Reindex job to index any search parameters that haven't yet been indexed. Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action Import FHIR resources in batch. Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action Hard Delete (including version history). Microsoft.HealthcareApis/workspaces/fhirservices/resources/bulkOperator/action Allows user to perform bulk operations NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to perform bulk operations",
"id": "/providers/Microsoft.Authorization/roleDefinitions/804db8d3-32c7-4ad4-a975-3f6f90d5f5f5",
"name": "804db8d3-32c7-4ad4-a975-3f6f90d5f5f5",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/write",
"Microsoft.HealthcareApis/services/fhir/resources/delete",
"Microsoft.HealthcareApis/services/fhir/resources/export/action",
"Microsoft.HealthcareApis/services/fhir/resources/reindex/action",
"Microsoft.HealthcareApis/services/fhir/resources/import/action",
"Microsoft.HealthcareApis/services/fhir/resources/hardDelete/action",
"Microsoft.HealthcareApis/services/fhir/resources/bulkOperator/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/write",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/hardDelete/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/bulkOperator/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Bulk Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Role allows user or principal full access to FHIR Data
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/services/fhir/resources/* Microsoft.HealthcareApis/workspaces/fhirservices/resources/* NotDataActions Microsoft.HealthcareApis/services/fhir/resources/smart/action Allows user to access FHIR Service according to SMART on FHIR specification. Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action Allows user to access FHIR Service according to SMART on FHIR specification.
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal full access to FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5a1fc7df-4bf1-4951-a576-89034ee01acd",
"name": "5a1fc7df-4bf1-4951-a576-89034ee01acd",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/*",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/*"
],
"notDataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/smart/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action"
]
}
],
"roleName": "FHIR Data Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Role allows user or principal to convert data from legacy format to FHIR
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/services/fhir/resources/convertData/action Data convert operation ($convert-data) Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action Data convert operation ($convert-data) NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to convert data from legacy format to FHIR",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a1705bd2-3a8f-45a5-8683-466fcfd5cc24",
"name": "a1705bd2-3a8f-45a5-8683-466fcfd5cc24",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/convertData/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Converter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Role allows user or principal to read and export FHIR Data
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/services/fhir/resources/export/action Export operation ($export). Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action Export operation ($export). NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and export FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3db33094-8700-4567-8da5-1501d4e7e843",
"name": "3db33094-8700-4567-8da5-1501d4e7e843",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/export/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Exporter",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Role allows user or principal to read and import FHIR Data
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action Import FHIR resources in batch. NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and import FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4465e953-8ced-4406-a58e-0f6e3f3b530b",
"name": "4465e953-8ced-4406-a58e-0f6e3f3b530b",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Importer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Role allows user or principal to read FHIR Data
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history). NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4c8d0bbc-75d3-4935-991f-5f3c56d81508",
"name": "4c8d0bbc-75d3-4935-991f-5f3c56d81508",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Role allows user or principal to read and write FHIR Data
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/services/fhir/resources/write Write FHIR resources (includes create and update). Microsoft.HealthcareApis/services/fhir/resources/delete Delete FHIR resources (soft delete). Microsoft.HealthcareApis/services/fhir/resources/export/action Export operation ($export). Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action Validate operation ($validate). Microsoft.HealthcareApis/services/fhir/resources/reindex/action Allows user to run Reindex job to index any search parameters that haven't yet been indexed. Microsoft.HealthcareApis/services/fhir/resources/convertData/action Data convert operation ($convert-data) Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action Allows user to perform Create Update Delete operations on profile resources. Microsoft.HealthcareApis/services/fhir/resources/import/action Import FHIR resources in batch. Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/workspaces/fhirservices/resources/write Write FHIR resources (includes create and update). Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete Delete FHIR resources (soft delete). Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action Export operation ($export). Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action Validate operation ($validate). Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action Allows user to run Reindex job to index any search parameters that haven't yet been indexed. Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action Data convert operation ($convert-data) Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action Allows user to perform Create Update Delete operations on profile resources. Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action Import FHIR resources in batch. NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Role allows user or principal to read and write FHIR Data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3f88fce4-5892-4214-ae73-ba5294559913",
"name": "3f88fce4-5892-4214-ae73-ba5294559913",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/write",
"Microsoft.HealthcareApis/services/fhir/resources/delete",
"Microsoft.HealthcareApis/services/fhir/resources/export/action",
"Microsoft.HealthcareApis/services/fhir/resources/resourceValidate/action",
"Microsoft.HealthcareApis/services/fhir/resources/reindex/action",
"Microsoft.HealthcareApis/services/fhir/resources/convertData/action",
"Microsoft.HealthcareApis/services/fhir/resources/editProfileDefinitions/action",
"Microsoft.HealthcareApis/services/fhir/resources/import/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/write",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/delete",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/export/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/resourceValidate/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/reindex/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/convertData/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/editProfileDefinitions/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/import/action"
],
"notDataActions": []
}
],
"roleName": "FHIR Data Writer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Role allows user to access FHIR Service according to SMART on FHIR specification
[!div class="mx-tableFixed"]
Actions Description none NotActions none DataActions Microsoft.HealthcareApis/services/fhir/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/services/fhir/resources/readById/action Read FHIR resource by Id Microsoft.HealthcareApis/services/fhir/resources/search/action Search FHIR Resource Microsoft.HealthcareApis/services/fhir/resources/smart/action Allows user to access FHIR Service according to SMART on FHIR specification. Microsoft.HealthcareApis/workspaces/fhirservices/resources/read Read FHIR resources (includes searching and versioned history). Microsoft.HealthcareApis/workspaces/fhirservices/resources/readById/action Read FHIR resource by Id Microsoft.HealthcareApis/workspaces/fhirservices/resources/search/action Search FHIR Resource Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action Allows user to access FHIR Service according to SMART on FHIR specification. NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Role allows user to access FHIR Service according to SMART on FHIR specification",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4ba50f17-9666-485c-a643-ff00808643f0",
"name": "4ba50f17-9666-485c-a643-ff00808643f0",
"permissions": [
{
"actions": [],
"notActions": [],
"dataActions": [
"Microsoft.HealthcareApis/services/fhir/resources/read",
"Microsoft.HealthcareApis/services/fhir/resources/readById/action",
"Microsoft.HealthcareApis/services/fhir/resources/search/action",
"Microsoft.HealthcareApis/services/fhir/resources/smart/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/read",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/readById/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/search/action",
"Microsoft.HealthcareApis/workspaces/fhirservices/resources/smart/action"
],
"notDataActions": []
}
],
"roleName": "FHIR SMART User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you manage integration service environments, but not access to them.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Support/* Create and update a support ticket Microsoft.Logic/integrationServiceEnvironments/* NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage integration service environments, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
"name": "a41e2c5b-bd99-4a07-88f4-9bf657a760b8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Support/*",
"Microsoft.Logic/integrationServiceEnvironments/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Integration Service Environment Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Allows developers to create and update workflows, integration accounts and API connections in integration service environments.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Support/* Create and update a support ticket Microsoft.Logic/integrationServiceEnvironments/read Reads the integration service environment. Microsoft.Logic/integrationServiceEnvironments/*/join/action NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Allows developers to create and update workflows, integration accounts and API connections in integration service environments.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
"name": "c7aa55d3-1abb-444a-a5ca-5e51e485d6ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Support/*",
"Microsoft.Logic/integrationServiceEnvironments/read",
"Microsoft.Logic/integrationServiceEnvironments/*/join/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Integration Service Environment Developer",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you manage Intelligent Systems accounts, but not access to them.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.IntelligentSystems/accounts/* Create and manage intelligent systems accounts Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Intelligent Systems accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/03a6d094-3444-4b3d-88af-7477090a9e5e",
"name": "03a6d094-3444-4b3d-88af-7477090a9e5e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.IntelligentSystems/accounts/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Intelligent Systems Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you manage logic apps, but not change access to them.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.ClassicStorage/storageAccounts/listKeys/action Lists the access keys for the storage accounts. Microsoft.ClassicStorage/storageAccounts/read Return the storage account with the given account. Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Insights/metricAlerts/* Microsoft.Insights/diagnosticSettings/* Creates, updates, or reads the diagnostic setting for Analysis Server Microsoft.Insights/logdefinitions/* This permission is necessary for users who need access to Activity Logs via the portal. List log categories in Activity Log. Microsoft.Insights/metricDefinitions/* Read metric definitions (list of available metric types for a resource). Microsoft.Logic/* Manages Logic Apps resources. Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Storage/storageAccounts/listkeys/action Returns the access keys for the specified storage account. Microsoft.Storage/storageAccounts/read Returns the list of storage accounts or gets the properties for the specified storage account. Microsoft.Support/* Create and update a support ticket Microsoft.Web/connectionGateways/* Create and manages a Connection Gateway. Microsoft.Web/connections/* Create and manages a Connection. Microsoft.Web/customApis/* Creates and manages a Custom API. Microsoft.Web/serverFarms/join/action Joins an App Service Plan Microsoft.Web/serverFarms/read Get the properties on an App Service Plan Microsoft.Web/sites/functions/listSecrets/action List Function secrets. NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage logic app, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/87a39d53-fc1b-424a-814c-f7e04687dc9e",
"name": "87a39d53-fc1b-424a-814c-f7e04687dc9e",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.ClassicStorage/storageAccounts/listKeys/action",
"Microsoft.ClassicStorage/storageAccounts/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metricAlerts/*",
"Microsoft.Insights/diagnosticSettings/*",
"Microsoft.Insights/logdefinitions/*",
"Microsoft.Insights/metricDefinitions/*",
"Microsoft.Logic/*",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Support/*",
"Microsoft.Web/connectionGateways/*",
"Microsoft.Web/connections/*",
"Microsoft.Web/customApis/*",
"Microsoft.Web/serverFarms/join/action",
"Microsoft.Web/serverFarms/read",
"Microsoft.Web/sites/functions/listSecrets/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic App Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you read, enable, and disable logic apps, but not edit or update them.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/*/read Read Insights alert rules Microsoft.Insights/metricAlerts/*/read Microsoft.Insights/diagnosticSettings/*/read Gets diagnostic settings for Logic Apps Microsoft.Insights/metricDefinitions/*/read Gets the available metrics for Logic Apps. Microsoft.Logic/*/read Reads Logic Apps resources. Microsoft.Logic/workflows/disable/action Disables the workflow. Microsoft.Logic/workflows/enable/action Enables the workflow. Microsoft.Logic/workflows/validate/action Validates the workflow. Microsoft.Resources/deployments/operations/read Gets or lists deployment operations. Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket Microsoft.Web/connectionGateways/*/read Read Connection Gateways. Microsoft.Web/connections/*/read Read Connections. Microsoft.Web/customApis/*/read Read Custom API. Microsoft.Web/serverFarms/read Get the properties on an App Service Plan NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you read, enable and disable logic app.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
"name": "515c2055-d9d4-4321-b1b9-bd0c9a0f79fe",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*/read",
"Microsoft.Insights/metricAlerts/*/read",
"Microsoft.Insights/diagnosticSettings/*/read",
"Microsoft.Insights/metricDefinitions/*/read",
"Microsoft.Logic/*/read",
"Microsoft.Logic/workflows/disable/action",
"Microsoft.Logic/workflows/enable/action",
"Microsoft.Logic/workflows/validate/action",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/connectionGateways/*/read",
"Microsoft.Web/connections/*/read",
"Microsoft.Web/customApis/*/read",
"Microsoft.Web/serverFarms/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic App Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Resources/deployments/operations/read Gets or lists deployment operations. Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket Microsoft.Web/*/read Microsoft.Web/certificates/* Create and manage a certificate. Microsoft.Web/connectionGateways/* Create and manages a Connection Gateway. Microsoft.Web/connections/* Create and manages a Connection. Microsoft.Web/customApis/* Creates and manages a Custom API. Microsoft.Web/serverFarms/* Create and manage an App Service Plan. Microsoft.Web/sites/* Create and manage a web app. NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "You can manage all aspects of a Standard logic app and workflows. You can't change access or ownership.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/ad710c24-b039-4e85-a019-deb4a06e8570",
"name": "ad710c24-b039-4e85-a019-deb4a06e8570",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/*/read",
"Microsoft.Web/certificates/*",
"Microsoft.Web/connectionGateways/*",
"Microsoft.Web/connections/*",
"Microsoft.Web/customApis/*",
"Microsoft.Web/serverFarms/*",
"Microsoft.Web/sites/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic Apps Standard Contributor (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Resources/deployments/operations/read Gets or lists deployment operations. Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket Microsoft.Web/*/read Microsoft.Web/connections/* Create and manages a Connection. Microsoft.Web/customApis/* Creates and manages a Custom API. Microsoft.Web/sites/config/list/Action List Web App's security sensitive settings, such as publishing credentials, app settings and connection strings microsoft.web/sites/config/Write Update Web App's configuration settings microsoft.web/sites/config/web/appsettings/delete Delete Web Apps App Setting microsoft.web/sites/config/web/appsettings/write Create or Update Web App Single App setting microsoft.web/sites/deployWorkflowArtifacts/action Create the artifacts in a Logic App. microsoft.web/sites/hostruntime/* Get or list hostruntime artifacts for the web app or function app. microsoft.web/sites/listworkflowsconnections/action List logic app's connections by its ID in a Logic App. Microsoft.Web/sites/publish/Action Publish a Web App microsoft.web/sites/slots/config/appsettings/write Create or Update Web App Slot's Single App setting Microsoft.Web/sites/slots/config/list/Action List Web App Slot's security sensitive settings, such as publishing credentials, app settings and connection strings microsoft.web/sites/slots/config/web/appsettings/delete Delete Web App Slot's App Setting microsoft.web/sites/slots/deployWorkflowArtifacts/action Create the artifacts in a deployment slot in a Logic App. microsoft.web/sites/slots/listworkflowsconnections/action List logic app's connections by its ID in a deployment slot in a Logic App. Microsoft.Web/sites/slots/publish/Action Publish a Web App Slot microsoft.web/sites/workflows/* microsoft.web/sites/workflowsconfiguration/* NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "You can create and edit workflows, connections, and settings for a Standard logic app. You can't make changes outside the workflow scope.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/523776ba-4eb2-4600-a3c8-f2dc93da4bdb",
"name": "523776ba-4eb2-4600-a3c8-f2dc93da4bdb",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/*/read",
"Microsoft.Web/connections/*",
"Microsoft.Web/customApis/*",
"Microsoft.Web/sites/config/list/Action",
"microsoft.web/sites/config/Write",
"microsoft.web/sites/config/web/appsettings/delete",
"microsoft.web/sites/config/web/appsettings/write",
"microsoft.web/sites/deployWorkflowArtifacts/action",
"microsoft.web/sites/hostruntime/*",
"microsoft.web/sites/listworkflowsconnections/action",
"Microsoft.Web/sites/publish/Action",
"microsoft.web/sites/slots/config/appsettings/write",
"Microsoft.Web/sites/slots/config/list/Action",
"microsoft.web/sites/slots/config/web/appsettings/delete",
"microsoft.web/sites/slots/deployWorkflowArtifacts/action",
"microsoft.web/sites/slots/listworkflowsconnections/action",
"Microsoft.Web/sites/slots/publish/Action",
"microsoft.web/sites/workflows/*",
"microsoft.web/sites/workflowsconfiguration/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic Apps Standard Developer (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}You can enable and disable the logic app, resubmit workflow runs, as well as create connections. You can't edit workflows or settings.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Resources/deployments/operations/read Gets or lists deployment operations. Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket Microsoft.Web/*/read Microsoft.Web/sites/applySlotConfig/Action Apply web app slot configuration from target slot to the current web app microsoft.web/sites/hostruntime/* Get or list hostruntime artifacts for the web app or function app. Microsoft.Web/sites/restart/Action Restart a Web App Microsoft.Web/sites/slots/restart/Action Restart a Web App Slot Microsoft.Web/sites/slots/slotsswap/Action Swap Web App deployment slots Microsoft.Web/sites/slots/start/Action Start a Web App Slot Microsoft.Web/sites/slots/stop/Action Stop a Web App Slot Microsoft.Web/sites/slotsdiffs/Action Get differences in configuration between web app and slots Microsoft.Web/sites/slotsswap/Action Swap Web App deployment slots Microsoft.Web/sites/start/Action Start a Web App Microsoft.Web/sites/stop/Action Stop a Web App Microsoft.Web/sites/write Create a new Web App or update an existing one NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "You can enable and disable the logic app, resubmit workflow runs, as well as create connections. You can't edit workflows or settings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/b70c96e9-66fe-4c09-b6e7-c98e69c98555",
"name": "b70c96e9-66fe-4c09-b6e7-c98e69c98555",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/*/read",
"Microsoft.Web/sites/applySlotConfig/Action",
"microsoft.web/sites/hostruntime/*",
"Microsoft.Web/sites/restart/Action",
"Microsoft.Web/sites/slots/restart/Action",
"Microsoft.Web/sites/slots/slotsswap/Action",
"Microsoft.Web/sites/slots/start/Action",
"Microsoft.Web/sites/slots/stop/Action",
"Microsoft.Web/sites/slotsdiffs/Action",
"Microsoft.Web/sites/slotsswap/Action",
"Microsoft.Web/sites/start/Action",
"Microsoft.Web/sites/stop/Action",
"Microsoft.Web/sites/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic Apps Standard Operator (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Resources/deployments/operations/read Gets or lists deployment operations. Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results. Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket Microsoft.Web/*/read NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "You have read-only access to all resources in a Standard logic app and workflows, including the workflow runs and their history.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4accf36b-2c05-432f-91c8-5c532dff4c73",
"name": "4accf36b-2c05-432f-91c8-5c532dff4c73",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Web/*/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Logic Apps Standard Reader (Preview)",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Lets you manage Scheduler job collections, but not access to them.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Scheduler/jobcollections/* Create and manage job collections Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Scheduler job collections, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
"name": "188a0f2f-5c9e-469b-ae67-2aa5ce574b94",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Scheduler/jobcollections/*",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Scheduler Job Collections Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.ServicesHub/connectors/write Create or update a Services Hub Connector Microsoft.ServicesHub/connectors/read View or List Services Hub Connectors Microsoft.ServicesHub/connectors/delete Delete Services Hub Connectors Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action Lists the Assessment Entitlements for a given Services Hub Workspace Microsoft.ServicesHub/supportOfferingEntitlement/read View the Support Offering Entitlements for a given Services Hub Workspace Microsoft.ServicesHub/workspaces/read List the Services Hub Workspaces for a given User NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Services Hub Operator allows you to perform all read, write, and deletion operations related to Services Hub Connectors.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/82200a5b-e217-47a5-b665-6d8765ee745b",
"name": "82200a5b-e217-47a5-b665-6d8765ee745b",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/deployments/*",
"Microsoft.ServicesHub/connectors/write",
"Microsoft.ServicesHub/connectors/read",
"Microsoft.ServicesHub/connectors/delete",
"Microsoft.ServicesHub/connectors/checkAssessmentEntitlement/action",
"Microsoft.ServicesHub/supportOfferingEntitlement/read",
"Microsoft.ServicesHub/workspaces/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Services Hub Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}