Commit 6e61e58

update
1 parent 861120d commit 6e61e58

1 file changed

Lines changed: 3 additions & 8 deletions

articles/azure-web-pubsub/concept-wildcard-group-roles.md

@@ -11,7 +11,7 @@ ms.custom:
1111

1212
# Use wildcard group role patterns
1313

14-
Azure Web PubSub now supports wildcard pattern matching in client "group" roles so you can authorize a client for many related groups with a single role string. This reduces token size, simplifies permission management, and improves performance versus enumerating many concrete group roles.
14+
Azure Web PubSub now supports wildcard pattern matching in client "group" roles so you can authorize a client for many related groups with a single role string.
1515

1616
You can continue to use the existing literal roles:
1717

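Review bot: On new line 14, "now supports" is release-note wording that will date the article; "supports" reads better in a concept page. Dropping the unbacked performance claim from the old sentence is reasonable, and the token-size motivation still appears in the "Use pattern roles when" list, so nothing is lost there.
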
@@ -32,8 +32,6 @@ Use pattern roles when:
3232
- A user or device must access a large but bounded dynamic set of groups (for example: all groups for a specific tenant or project)
3333
- You want to keep access tokens small (avoid listing dozens or hundreds of explicit group roles)
3434

35-
Avoid over-broad patterns (like `**`) unless absolutely required; follow the principle of least privilege.
36-
3735
## Pattern syntax
3836

3937
| Symbol | Meaning |
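
Review bot: Removing old line 35 takes the least-privilege caution about `**` out of the section where readers decide whether to use patterns at all; the bullets that remain there only give reasons to adopt them. Consider keeping a one-line caution here, or a pointer to the Security guidance section, so the trade-off is visible before the syntax table.
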
@@ -42,10 +40,9 @@ Avoid over-broad patterns (like `**`) unless absolutely required; follow the pri
4240
| `*` | Matches zero or more characters except `/` |
4341
| `**` | Matches zero or more characters including `/` (crosses segment boundaries) |
4442
| `\` | Escape character for `\`, `*`, `?` |
45-
| `/` | acts as a segment separator and is never matched by `?` or `*` (only by `**`). |
43+
| `/` | Acts as a hierarchy separator and is never matched by `?` or `*` (only by `**`). |
4644

4745
Additional rules:
48-
- Use `**` sparingly; prefer narrower patterns (`clientA/*/chat`).
4946
- Up to five total `*` characters (including those forming `**`) are allowed in a single pattern.
5047

5148
### Examples
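
Review bot: The `/` row now says "hierarchy separator" while the `**` row two lines above still says "crosses segment boundaries", so the table uses two terms for the same concept; pick one and use it in both rows. Separately, deleting old line 48 removes the concrete narrower pattern (`clientA/*/chat`) from the rules list; if that bullet has to go, consider moving the example under Security guidance so readers still see what a scoped pattern looks like.
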
@@ -121,6 +118,7 @@ WebPubSubClientAccessToken token = service.getClientAccessToken(opt);
121118
## Security guidance
122119

123120
- Prefer the narrowest pattern that satisfies the scenario.
121+
- Minimize the use of `*` to reduce over-permissioning risks.
124122

125123
## Frequently asked questions
126124

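Review bot: The bullet added at new line 121 names only `*`, but per the syntax table `**` is the broader wildcard because it also matches `/`. This commit deletes both earlier cautions about `**`, so this bullet is the remaining place for that warning; suggest wording such as "Minimize the use of `*`, and especially `**`, to reduce over-permissioning risks."
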
@@ -133,6 +131,3 @@ Yes. A literal role always applies exactly; patterns add broader coverage.
133131

134132
> [!div class="nextstepaction"]
135133
> [Generate client access URL and use roles](howto-generate-client-access-url.md)
136-
137-
> [!div class="nextstepaction"]
138-
> [Authorize access with Microsoft Entra ID](concept-azure-ad-authorization.md)
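
Review bot: Old lines 137-138 drop the next-step link to concept-azure-ad-authorization.md with no stated reason, and the commit message ("update") does not explain it. If the target article was renamed or retired, say so in the commit message; otherwise the link seems worth keeping on a page about authorization roles.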
