which role to assign to a user to prevent him from accessing an ML scoring endpoint

JA 131 Reputation points
2022-10-13T05:36:02.44+00:00

I have users who have Contributor access for a subscription, so what I understand from this is that they would have all the access to the resource groups and resources except granting user access.
Now, I have ML endpoints created in an ML workspace.
The workspace also by default inherits the access for all users as Contributor, which means they will be able to access the scoring endpoints.
Now, I want to prevent users from accessing a few endpoints in the workspace.
So, how can I achieve this narrow access when they already inherit broader access from the subscription?
Which access should I give to the user on the endpoint? Will the "Reader" role prevent a user from accessing the endpoint?
I am not able to understand this very clearly from the Microsoft documentation, so clear pointers would help here.


1 answer

  1. romungi-MSFT 41,961 Reputation points Microsoft Employee
    2022-10-13T10:53:18.243+00:00

    @JA I believe you would like to restrict access to users to ensure they do not modify or delete the endpoint, right?
    In this case you could add a custom role for read actions for the workspace or add a NotActions list to disable delete or write actions. This page in the documentation should help to identify the roles that need to be added under NotActions.

    You could also identify the roles available under Microsoft.MachineLearningServices using the following CLI command and use the name field of all the write/delete actions in the NotActions list of your custom role.

    az provider operation show -n Microsoft.MachineLearningServices
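Worked example of the custom-role approach described in the answer, added here and not part of the original thread. It builds a custom role definition whose NotActions block writing, deleting and invoking online endpoints, and shows the az commands that create and assign it. The subscription id is a placeholder, and the operation names are assumed from the provider's operation list (confirm them against the output of `az provider operation show -n Microsoft.MachineLearningServices`). One caveat worth checking before relying on this: NotActions only subtract from this role's own Actions; they do not take away permissions a user receives from another assignment, so a user who also holds Contributor at subscription scope keeps those rights until that broader assignment is scoped down.

```shell
#!/bin/sh
# Added example (not from the original post): custom role for Azure ML workspace
# access that excludes endpoint write/delete/invoke operations via NotActions.

# Placeholder subscription id (assumption); override with SUBSCRIPTION_ID=...
SUBSCRIPTION_ID="${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"
ROLE_NAME="ML Workspace User (no endpoint invoke)"
ROLE_DESC="Workspace access without creating, deleting or scoring online endpoints"

# Operations this role must not grant. Names are assumed from the provider's
# operation list; verify each one in the output of
#   az provider operation show -n Microsoft.MachineLearningServices
# NotActions is subtractive: it removes these from this role's Actions only and
# does not deny rights granted by a separate assignment such as Contributor.
BLOCKED_ACTIONS="Microsoft.MachineLearningServices/workspaces/onlineEndpoints/write
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/delete
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/score/action
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/listKeys/action
Microsoft.MachineLearningServices/workspaces/onlineEndpoints/token/action"

# Convert a newline-separated list on stdin into a JSON array of strings.
json_array() {
  first=1
  printf '['
  while IFS= read -r item; do
    [ -n "$item" ] || continue
    [ "$first" -eq 1 ] || printf ', '
    printf '"%s"' "$item"
    first=0
  done
  printf ']'
}

# Emit the role definition JSON accepted by `az role definition create`.
role_definition_json() {
  printf '{\n  "Name": "%s",\n  "IsCustom": true,\n  "Description": "%s",\n  "Actions": ["Microsoft.MachineLearningServices/workspaces/*"],\n  "NotActions": %s,\n  "AssignableScopes": ["/subscriptions/%s"]\n}\n' \
    "$ROLE_NAME" "$ROLE_DESC" \
    "$(printf '%s\n' "$BLOCKED_ACTIONS" | json_array)" \
    "$SUBSCRIPTION_ID"
}

# Return 0 if the given operation is excluded by this role, 1 otherwise.
is_blocked() {
  printf '%s\n' "$BLOCKED_ACTIONS" | grep -qxF -- "$1"
}

# Create the role and assign it to a principal at workspace scope.
# Only runs az when called explicitly, so the file can be sourced offline.
# Usage: create_and_assign <user-or-group-object-id> <workspace-resource-id>
create_and_assign() {
  assignee="$1"
  workspace_scope="$2"
  tmp="$(mktemp)"
  role_definition_json > "$tmp"
  az role definition create --role-definition "@$tmp"
  az role assignment create --assignee "$assignee" --role "$ROLE_NAME" --scope "$workspace_scope"
  rm -f "$tmp"
}

# Print the definition so it can be reviewed before creating it.
role_definition_json
```

Assign the role at the workspace (or endpoint) scope, then verify with `az role assignment list --assignee <principal> --all` that no broader Contributor assignment still reaches the workspace; the NotActions list only has the intended effect once that inherited assignment is removed or narrowed.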