title | description | ms.service | ms.topic | ms.workload | author | manager | ms.author | ms.date | ms.custom |
---|---|---|---|---|---|---|---|---|---|
Azure built-in roles for Databases - Azure RBAC |
This article lists the Azure built-in roles for Azure role-based access control (Azure RBAC) in the Databases category. It lists Actions, NotActions, DataActions, and NotDataActions. |
role-based-access-control |
reference |
identity |
rolyon |
amycolannino |
rolyon |
04/25/2024 |
generated |
This article lists the Azure built-in roles in the Databases category.
Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers.
[!div class="mx-tableFixed"]
Actions Description Microsoft.AzureArcData/sqlServerInstances/read Retrieves a SQL Server Instance resource Microsoft.AzureArcData/sqlServerInstances/write Updates a SQL Server Instance resource NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
"name": "e8113dce-c529-4d33-91fa-e9b972617508",
"permissions": [
{
"actions": [
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected SQL Server Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.DocumentDB/*/read Read any collection Microsoft.DocumentDB/databaseAccounts/readonlykeys/action Reads the database account readonly keys. Microsoft.Insights/MetricDefinitions/read Read metric definitions Microsoft.Insights/Metrics/read Read metrics Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Can read Azure Cosmos DB Accounts data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Insights/MetricDefinitions/read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Account Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.
[!div class="mx-tableFixed"]
Actions Description Microsoft.DocumentDb/databaseAccounts/* Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Authorization/*/read Read roles and role assignments Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins resource such as storage account or SQL database to a subnet. Not alertable. NotActions Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/* Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* Microsoft.DocumentDB/databaseAccounts/regenerateKey/* Microsoft.DocumentDB/databaseAccounts/listKeys/* Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write Create or update a SQL Role Definition Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete Delete a SQL Role Definition Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write Create or update a SQL Role Assignment Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete Delete a SQL Role Assignment Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write Create or update a Mongo Role Definition Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete Delete a MongoDB Role Definition Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write Create or update a MongoDB User Definition Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete Delete a MongoDB User Definition DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
"name": "230815da-be43-4aae-9cb4-875f7bd000aa",
"permissions": [
{
"actions": [
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [
"Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*",
"Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
"Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
"Microsoft.DocumentDB/databaseAccounts/listKeys/*",
"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Can submit restore request for a Cosmos DB database or a container for an account
[!div class="mx-tableFixed"]
Actions Description Microsoft.DocumentDB/databaseAccounts/backup/action Submit a request to configure backup Microsoft.DocumentDB/databaseAccounts/restore/action Submit a restore request NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Can submit restore request for a Cosmos DB database or a container for an account",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/databaseAccounts/backup/action",
"Microsoft.DocumentDB/databaseAccounts/restore/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosBackupOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Can perform restore action for Cosmos DB database account with continuous backup mode
[!div class="mx-tableFixed"]
Actions Description Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action Submit a restore request Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read Read a restorable database account or List all the restorable database accounts NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosRestoreOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.DocumentDb/databaseAccounts/* Create and manage Azure Cosmos DB accounts Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins resource such as storage account or SQL database to a subnet. Not alertable. NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DocumentDB accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
"name": "5bd9cd88-fe45-4216-938b-f97437e15450",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DocumentDB Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lets you manage Redis caches, but not access to them.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Cache/register/action Registers the 'Microsoft.Cache' resource provider with a subscription Microsoft.Cache/redis/* Create and manage Redis caches Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Support/* Create and update a support ticket NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Redis caches, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
"name": "e0f68234-74aa-48ed-b826-c38b57376e17",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/register/action",
"Microsoft.Cache/redis/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Redis Cache Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Sql/locations/*/read Microsoft.Sql/servers/databases/* Create and manage SQL databases Microsoft.Sql/servers/read Return the list of servers or gets the properties for the specified server. Microsoft.Support/* Create and update a support ticket Microsoft.Insights/metrics/read Read metrics Microsoft.Insights/metricDefinitions/read Read metric definitions NotActions Microsoft.Sql/servers/databases/ledgerDigestUploads/write Enable uploading ledger digests Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action Disable uploading ledger digests Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/managedInstances/securityAlertPolicies/* Microsoft.Sql/managedInstances/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/auditingSettings/* Edit audit settings Microsoft.Sql/servers/databases/auditRecords/read Retrieve the database blob audit records Microsoft.Sql/servers/databases/currentSensitivityLabels/* Microsoft.Sql/servers/databases/dataMaskingPolicies/* Edit data masking policies Microsoft.Sql/servers/databases/extendedAuditingSettings/* Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/securityAlertPolicies/* Edit security alert policies Microsoft.Sql/servers/databases/securityMetrics/* Edit security metrics Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/vulnerabilityAssessments/* DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL DB Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.
[!div class="mx-tableFixed"]
Actions Description Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Network/networkSecurityGroups/* Microsoft.Network/routeTables/* Microsoft.Sql/locations/*/read Microsoft.Sql/locations/instanceFailoverGroups/* Microsoft.Sql/managedInstances/* Microsoft.Support/* Create and update a support ticket Microsoft.Network/virtualNetworks/subnets/* Microsoft.Network/virtualNetworks/* Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Insights/metrics/read Read metrics Microsoft.Insights/metricDefinitions/read Read metric definitions NotActions Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete Deletes a specific managed server Azure Active Directory only authentication object Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write Adds or updates a specific managed server Azure Active Directory only authentication object DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"permissions": [
{
"actions": [
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/routeTables/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/locations/instanceFailoverGroups/*",
"Microsoft.Sql/managedInstances/*",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Managed Instance Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lets you manage the security-related policies of SQL servers and databases, but not access to them.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Joins resource such as storage account or SQL database to a subnet. Not alertable. Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Sql/locations/administratorAzureAsyncOperation/read Gets the Managed instance azure async administrator operations result. Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write Change the managed instance Advanced Threat Protection settings for a given managed instance Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write Change the database Advanced Threat Protection settings for a given managed database Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write Change the managed instance Advanced Threat Protection settings for a given managed instance Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write Change the database Advanced Threat Protection settings for a given managed database Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/advancedThreatProtectionSettings/read Retrieve a list of server Advanced Threat Protection settings configured for a given server Microsoft.Sql/servers/advancedThreatProtectionSettings/write Change the server Advanced Threat Protection settings for a given server Microsoft.Sql/managedInstances/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* Microsoft.Sql/managedInstances/vulnerabilityAssessments/* Microsoft.Sql/managedInstances/serverConfigurationOptions/read Gets properties for the specified Azure SQL Managed Instance Server Configuration Option. Microsoft.Sql/managedInstances/serverConfigurationOptions/write Updates Azure SQL Managed Instance's Server Configuration Option properties for the specified instance. Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read Gets the status of Azure SQL Managed Instance Server Configuration Option Azure async operation. Microsoft.Sql/servers/advancedThreatProtectionSettings/read Retrieve a list of server Advanced Threat Protection settings configured for a given server Microsoft.Sql/servers/advancedThreatProtectionSettings/write Change the server Advanced Threat Protection settings for a given server Microsoft.Sql/servers/auditingSettings/* Create and manage SQL server auditing setting Microsoft.Sql/servers/extendedAuditingSettings/read Retrieve details of the extended server blob auditing policy configured on a given server Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read Retrieve a list of database Advanced Threat Protection settings configured for a given database Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write Change the database Advanced Threat Protection settings for a given database Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read Retrieve a list of database Advanced Threat Protection settings configured for a given database Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write Change the database Advanced Threat Protection settings for a given database Microsoft.Sql/servers/databases/auditingSettings/* Create and manage SQL server database auditing settings Microsoft.Sql/servers/databases/auditRecords/read Retrieve the database blob audit records Microsoft.Sql/servers/databases/currentSensitivityLabels/* Microsoft.Sql/servers/databases/dataMaskingPolicies/* Create and manage SQL server database data masking policies Microsoft.Sql/servers/databases/extendedAuditingSettings/read Retrieve details of the extended blob auditing policy configured on a given database Microsoft.Sql/servers/databases/read Return the list of databases or gets the properties for the specified database. Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* Microsoft.Sql/servers/databases/schemas/read Get a database schema. Microsoft.Sql/servers/databases/schemas/tables/columns/read Get a database column. Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/read Get a database table. Microsoft.Sql/servers/databases/securityAlertPolicies/* Create and manage SQL server database security alert policies Microsoft.Sql/servers/databases/securityMetrics/* Create and manage SQL server database security metrics Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/transparentDataEncryption/* Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/devOpsAuditingSettings/* Microsoft.Sql/servers/firewallRules/* Microsoft.Sql/servers/read Return the list of servers or gets the properties for the specified server. Microsoft.Sql/servers/securityAlertPolicies/* Create and manage SQL server security alert policies Microsoft.Sql/servers/sqlvulnerabilityAssessments/* Microsoft.Sql/servers/vulnerabilityAssessments/* Microsoft.Support/* Create and update a support ticket Microsoft.Sql/servers/azureADOnlyAuthentications/* Microsoft.Sql/managedInstances/read Return the list of managed instances or gets the properties for the specified managed instance. Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* Microsoft.Security/sqlVulnerabilityAssessments/* Microsoft.Sql/managedInstances/administrators/read Gets a list of managed instance administrators. Microsoft.Sql/servers/administrators/read Gets a specific Azure Active Directory administrator object Microsoft.Sql/servers/databases/ledgerDigestUploads/* Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read Gets in-progress operations of ledger digest upload settings Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read Gets in-progress operations of ledger digest upload settings Microsoft.Sql/servers/externalPolicyBasedAuthorizations/* NotActions none DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/read",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/write",
"Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/transparentDataEncryption/*",
"Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/firewallRules/*",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Support/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/*",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
"Microsoft.Security/sqlVulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/administrators/read",
"Microsoft.Sql/servers/administrators/read",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/*",
"Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read",
"Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Security Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Lets you manage SQL servers and databases, but not access to them, and not their security-related policies.
[!div class="mx-tableFixed"]
Actions Description Microsoft.Authorization/*/read Read roles and role assignments Microsoft.Insights/alertRules/* Create and manage a classic metric alert Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope Microsoft.Resources/deployments/* Create and manage a deployment Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups. Microsoft.Sql/locations/*/read Microsoft.Sql/servers/* Create and manage SQL servers Microsoft.Support/* Create and update a support ticket Microsoft.Insights/metrics/read Read metrics Microsoft.Insights/metricDefinitions/read Read metric definitions NotActions Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* Microsoft.Sql/managedInstances/databases/sensitivityLabels/* Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* Microsoft.Sql/managedInstances/securityAlertPolicies/* Microsoft.Sql/managedInstances/vulnerabilityAssessments/* Microsoft.Sql/servers/auditingSettings/* Edit SQL server auditing settings Microsoft.Sql/servers/databases/auditingSettings/* Edit SQL server database auditing settings Microsoft.Sql/servers/databases/auditRecords/read Retrieve the database blob audit records Microsoft.Sql/servers/databases/currentSensitivityLabels/* Microsoft.Sql/servers/databases/dataMaskingPolicies/* Edit SQL server database data masking policies Microsoft.Sql/servers/databases/extendedAuditingSettings/* Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* Microsoft.Sql/servers/databases/securityAlertPolicies/* Edit SQL server database security alert policies Microsoft.Sql/servers/databases/securityMetrics/* Edit SQL server database security metrics Microsoft.Sql/servers/databases/sensitivityLabels/* Microsoft.Sql/servers/databases/vulnerabilityAssessments/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* Microsoft.Sql/servers/devOpsAuditingSettings/* Microsoft.Sql/servers/extendedAuditingSettings/* Microsoft.Sql/servers/securityAlertPolicies/* Edit SQL server security alert policies Microsoft.Sql/servers/vulnerabilityAssessments/* Microsoft.Sql/servers/azureADOnlyAuthentications/delete Deletes a specific server Azure Active Directory only authentication object Microsoft.Sql/servers/azureADOnlyAuthentications/write Adds or updates a specific server Azure Active Directory only authentication object Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete Deletes a specific server external policy based authorization property Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write Adds or updates a specific server external policy based authorization property DataActions none NotDataActions none
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}