Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
This article lists the Azure built-in roles in the Databases category.
Azure Connected SQL Server Onboarding
Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers.
| Actions | Description |
|---|---|
| Microsoft.AzureArcData/sqlServerInstances/read | Retrieves a SQL Server Instance resource |
| Microsoft.AzureArcData/sqlServerInstances/write | Updates a SQL Server Instance resource |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Microsoft.AzureArcData service role to access the resources of Microsoft.AzureArcData stored with RPSAAS.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e8113dce-c529-4d33-91fa-e9b972617508",
"name": "e8113dce-c529-4d33-91fa-e9b972617508",
"permissions": [
{
"actions": [
"Microsoft.AzureArcData/sqlServerInstances/read",
"Microsoft.AzureArcData/sqlServerInstances/write"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Connected SQL Server Onboarding",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Managed Redis Contributor
Create and manage Azure Managed Redis resources. Cannot read or write data stored in the cache.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Cache/locations/operationsStatus/read | View the status of a long running operation for which the 'AzureAsync' header was previously returned to the client |
| Microsoft.Cache/locations/checknameavailability/action | Checks if a name is available for use with a new Redis Enterprise cache |
| Microsoft.Cache/operations/read | Lists the operations that 'Microsoft.Cache' provider supports. |
| Microsoft.Cache/redisEnterprise/* | Create and manage Azure Managed Redis resources |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Managed Redis resources, but not access the data stored in them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/3015e5ed-6856-4ab3-b2f0-b8492aa30ca6",
"name": "3015e5ed-6856-4ab3-b2f0-b8492aa30ca6",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/locations/operationsStatus/read",
"Microsoft.Cache/locations/checknameavailability/action",
"Microsoft.Cache/operations/read",
"Microsoft.Cache/redisEnterprise/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Managed Redis Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Azure Managed Redis Reader
Read Azure Managed Redis resources and their configuration. Cannot modify resources, retrieve access keys, or read data stored in the cache.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Cache/locations/operationsStatus/read | View the status of a long running operation for which the 'AzureAsync' header was previously returned to the client |
| Microsoft.Cache/operations/read | Lists the operations that 'Microsoft.Cache' provider supports. |
| Microsoft.Cache/redisEnterprise/read | View Azure Managed Redis resource’s settings and configurations |
| Microsoft.Cache/redisEnterprise/*/read | Gets or lists Azure Managed Redis resources |
| Microsoft.Insights/alertRules/read | Read a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/read | Gets or lists deployments. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you view Azure Managed Redis resources, but not modify them or access keys or access to the data stored in them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/f287ba2f-f923-4464-a5bd-721c3951d32d",
"name": "f287ba2f-f923-4464-a5bd-721c3951d32d",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/locations/operationsStatus/read",
"Microsoft.Cache/operations/read",
"Microsoft.Cache/redisEnterprise/read",
"Microsoft.Cache/redisEnterprise/*/read",
"Microsoft.Insights/alertRules/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Azure Managed Redis Reader",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB Account Reader Role
Can read Azure Cosmos DB account data. See DocumentDB Account Contributor for managing Azure Cosmos DB accounts.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.DocumentDB/*/read | Read any collection |
| Microsoft.DocumentDB/databaseAccounts/readonlykeys/action | Reads the database account readonly keys. |
| Microsoft.Insights/MetricDefinitions/read | Read metric definitions |
| Microsoft.Insights/Metrics/read | Read metrics |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can read Azure Cosmos DB Accounts data",
"id": "/providers/Microsoft.Authorization/roleDefinitions/fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"name": "fbdf93bf-df7d-467e-a4d2-9458aa1360c8",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDB/*/read",
"Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
"Microsoft.Insights/MetricDefinitions/read",
"Microsoft.Insights/Metrics/read",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Account Reader Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Cosmos DB Operator
Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.
| Actions | Description |
|---|---|
| Microsoft.DocumentDb/databaseAccounts/* | |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| NotActions | |
| Microsoft.DocumentDB/databaseAccounts/copyJobs/* | |
| Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/* | |
| Microsoft.DocumentDB/databaseAccounts/readonlyKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/regenerateKey/* | |
| Microsoft.DocumentDB/databaseAccounts/listKeys/* | |
| Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/* | |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write | Create or update a SQL Role Definition |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete | Delete a SQL Role Definition |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write | Create or update a SQL Role Assignment |
| Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete | Delete a SQL Role Assignment |
| Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write | Create or update a Mongo Role Definition |
| Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete | Delete a MongoDB Role Definition |
| Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write | Create or update a MongoDB User Definition |
| Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete | Delete a MongoDB User Definition |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Azure Cosmos DB accounts, but not access data in them. Prevents access to account keys and connection strings.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/230815da-be43-4aae-9cb4-875f7bd000aa",
"name": "230815da-be43-4aae-9cb4-875f7bd000aa",
"permissions": [
{
"actions": [
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.Authorization/*/read",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [
"Microsoft.DocumentDB/databaseAccounts/copyJobs/*",
"Microsoft.DocumentDB/databaseAccounts/dataTransferJobs/*",
"Microsoft.DocumentDB/databaseAccounts/readonlyKeys/*",
"Microsoft.DocumentDB/databaseAccounts/regenerateKey/*",
"Microsoft.DocumentDB/databaseAccounts/listKeys/*",
"Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/*",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/write",
"Microsoft.DocumentDB/databaseAccounts/sqlRoleAssignments/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbRoleDefinitions/delete",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/write",
"Microsoft.DocumentDB/databaseAccounts/mongodbUserDefinitions/delete"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Cosmos DB Operator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosBackupOperator
Can submit restore request for a Cosmos DB database or a container for an account
| Actions | Description |
|---|---|
| Microsoft.DocumentDB/databaseAccounts/backup/action | Submit a request to trigger external backup operation |
| Microsoft.DocumentDB/databaseAccounts/restore/action | Submit a request to trigger external restore operation |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can submit restore request for a Cosmos DB database or a container for an account",
"id": "/providers/Microsoft.Authorization/roleDefinitions/db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"name": "db7b14f2-5adf-42da-9f96-f2ee17bab5cb",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/databaseAccounts/backup/action",
"Microsoft.DocumentDB/databaseAccounts/restore/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosBackupOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
CosmosRestoreOperator
Can perform restore action for Cosmos DB database account with continuous backup mode
| Actions | Description |
|---|---|
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action | Submit a restore request |
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read | |
| Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read | Read a restorable database account or List all the restorable database accounts |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Can perform restore action for Cosmos DB database account with continuous backup mode",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"name": "5432c526-bc82-444a-b7ba-57c5b0b5b34f",
"permissions": [
{
"actions": [
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/restore/action",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/*/read",
"Microsoft.DocumentDB/locations/restorableDatabaseAccounts/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "CosmosRestoreOperator",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
DocumentDB Account Contributor
Can manage Azure Cosmos DB accounts. Azure Cosmos DB is formerly known as DocumentDB.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.DocumentDb/databaseAccounts/* | Create and manage Azure Cosmos DB accounts |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage DocumentDB accounts, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/5bd9cd88-fe45-4216-938b-f97437e15450",
"name": "5bd9cd88-fe45-4216-938b-f97437e15450",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.DocumentDb/databaseAccounts/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "DocumentDB Account Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
PostgreSQL Flexible Server Long Term Retention Backup Role
Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup.
| Actions | Description |
|---|---|
| Microsoft.DBforPostgreSQL/flexibleServers/ltrBackup/action | Start LTR backup operation for a server |
| Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupAccess/action | Start LTR backup access operation for a server |
| Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read | Returns the list of PostgreSQL server long term backup operation tracking. |
| Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupPreCheck/action | Start LTR backup pre-check operation for a server |
| Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action | Checks if a server is ready for a long term backup |
| Microsoft.DBforPostgreSQL/flexibleServers/ltrRestoreFinalize/action | Start LTR restore finalize operation for a server |
| Microsoft.DBforPostgreSQL/flexibleServers/ltrRestoreInitialize/action | Start LTR restore initialize operation for a server |
| Microsoft.DBforPostgreSQL/flexibleServers/ltrRestorePreCheck/action | Start LTR restore pre-check operation for a server |
| Microsoft.DBforPostgreSQL/flexibleServers/read | Return the list of servers or gets the properties for the specified server. |
| Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action | Start long term backup for a server |
| Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read | Return PostgreSQL Server Operation Results |
| Microsoft.DBforPostgreSQL/locations/operationResults/read | Return PostgreSQL Server Operation Results |
| Microsoft.Resources/subscriptions/read | Gets the list of subscriptions. |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Role to allow backup vault to access PostgreSQL Flexible Server Resource APIs for Long Term Retention Backup.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/c088a766-074b-43ba-90d4-1fb21feae531",
"name": "c088a766-074b-43ba-90d4-1fb21feae531",
"permissions": [
{
"actions": [
"Microsoft.DBforPostgreSQL/flexibleServers/ltrBackup/action",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupAccess/action",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupOperations/read",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrBackupPreCheck/action",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrPreBackup/action",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrRestoreFinalize/action",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrRestoreInitialize/action",
"Microsoft.DBforPostgreSQL/flexibleServers/ltrRestorePreCheck/action",
"Microsoft.DBforPostgreSQL/flexibleServers/read",
"Microsoft.DBforPostgreSQL/flexibleServers/startLtrBackup/action",
"Microsoft.DBforPostgreSQL/locations/azureAsyncOperation/read",
"Microsoft.DBforPostgreSQL/locations/operationResults/read",
"Microsoft.Resources/subscriptions/read",
"Microsoft.Resources/subscriptions/resourceGroups/read"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "PostgreSQL Flexible Server Long Term Retention Backup Role",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Redis Cache Contributor
Create and manage Azure Cache for Redis resources. Cannot read or write data stored in the cache.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Cache/register/action | Registers the 'Microsoft.Cache' resource provider with a subscription |
| Microsoft.Cache/redis/* | Create and manage Azure Cache for Redis resources |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Support/* | Create and update a support ticket |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage Redis caches, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/e0f68234-74aa-48ed-b826-c38b57376e17",
"name": "e0f68234-74aa-48ed-b826-c38b57376e17",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Cache/register/action",
"Microsoft.Cache/redis/*",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Support/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "Redis Cache Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
Semantic Reranker User
Execute semantic reranking operations against registered inference accounts. This role should be assigned to users who need to run semantic reranking workloads but do not need to manage the accounts themselves.
| Actions | Description |
|---|---|
| Microsoft.InferenceService/inferenceAccounts/read | Reads an inference service. |
| NotActions | |
| Microsoft.InferenceService/inferenceAccounts/write | Creates or updates an inference service. |
| Microsoft.InferenceService/inferenceAccounts/delete | Deletes an inference service. |
| DataActions | |
| Microsoft.InferenceService/inferenceAccounts/invoke/semanticReranker/action | Invokes the semantic reranker on an inference account. |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Execute semantic reranking operations against registered inference accounts. This role should be assigned to users who need to run semantic reranking workloads but do not need to manage the accounts themselves.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6c74a7c5-4a87-40f9-bb03-61e49aecbc78",
"name": "6c74a7c5-4a87-40f9-bb03-61e49aecbc78",
"permissions": [
{
"actions": [
"Microsoft.InferenceService/inferenceAccounts/read"
],
"notActions": [
"Microsoft.InferenceService/inferenceAccounts/write",
"Microsoft.InferenceService/inferenceAccounts/delete"
],
"dataActions": [
"Microsoft.InferenceService/inferenceAccounts/invoke/semanticReranker/action"
],
"notDataActions": []
}
],
"roleName": "Semantic Reranker User",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL DB Contributor
Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/servers/databases/* | Create and manage SQL databases |
| Microsoft.Sql/servers/read | Return the list of servers or gets the properties for the specified server. |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| NotActions | |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/write | Enable uploading ledger digests |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action | Disable uploading ledger digests |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/auditingSettings/* | Edit audit settings |
| Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Edit data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | Edit security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/* | Edit security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL databases, but not access to them. Also, you can't manage their security-related policies or their parent SQL servers.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"name": "9b7fa17d-e63e-47b0-bb0a-15c516ac86ec",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/databases/*",
"Microsoft.Sql/servers/read",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/servers/databases/ledgerDigestUploads/write",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/disable/action",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL DB Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Managed Instance Contributor
Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.
| Actions | Description |
|---|---|
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Network/networkSecurityGroups/* | |
| Microsoft.Network/routeTables/* | |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/locations/instanceFailoverGroups/* | |
| Microsoft.Sql/managedInstances/* | |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Network/virtualNetworks/subnets/* | |
| Microsoft.Network/virtualNetworks/* | |
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| NotActions | |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete | Deletes a specific managed server Azure Active Directory only authentication object |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write | Adds or updates a specific managed server Azure Active Directory only authentication object |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL Managed Instances and required network configuration, but can't give access to others.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"name": "4939a1f6-9ae0-4e48-a1e0-f2cbe897382d",
"permissions": [
{
"actions": [
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Network/networkSecurityGroups/*",
"Microsoft.Network/routeTables/*",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/locations/instanceFailoverGroups/*",
"Microsoft.Sql/managedInstances/*",
"Microsoft.Support/*",
"Microsoft.Network/virtualNetworks/subnets/*",
"Microsoft.Network/virtualNetworks/*",
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/delete",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Managed Instance Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Security Manager
Lets you manage the security-related policies of SQL servers and databases, but not access to them.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action | Joins resource such as storage account or SQL database to a subnet. Not alertable. |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Sql/locations/administratorAzureAsyncOperation/read | Gets the Managed instance azure async administrator operations result. |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a given managed instance |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read | Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance |
| Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write | Change the managed instance Advanced Threat Protection settings for a given managed instance |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read | Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database |
| Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given managed database |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/transparentDataEncryption/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/serverConfigurationOptions/read | Gets properties for the specified Azure SQL Managed Instance Server Configuration Option. |
| Microsoft.Sql/managedInstances/serverConfigurationOptions/write | Updates Azure SQL Managed Instance's Server Configuration Option properties for the specified instance. |
| Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read | Gets the status of Azure SQL Managed Instance Server Configuration Option Azure async operation. |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/read | Retrieve a list of server Advanced Threat Protection settings configured for a given server |
| Microsoft.Sql/servers/advancedThreatProtectionSettings/write | Change the server Advanced Threat Protection settings for a given server |
| Microsoft.Sql/servers/auditingSettings/* | Create and manage SQL server auditing setting |
| Microsoft.Sql/servers/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read | Retrieve a list of database Advanced Threat Protection settings configured for a given database |
| Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write | Change the database Advanced Threat Protection settings for a given database |
| Microsoft.Sql/servers/databases/auditingSettings/* | Create and manage SQL server database auditing settings |
| Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Create and manage SQL server database data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/read | Retrieve details of the extended blob auditing policy configured on a given database |
| Microsoft.Sql/servers/databases/read | Return the list of databases or gets the properties for the specified database. |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/read | Get a database schema. |
| Microsoft.Sql/servers/databases/schemas/tables/columns/read | Get a database column. |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/read | Get a database table. |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | Create and manage SQL server database security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/* | Create and manage SQL server database security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/transparentDataEncryption/* | |
| Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/devOpsAuditingSettings/* | |
| Microsoft.Sql/servers/firewallRules/* | |
| Microsoft.Sql/servers/read | Return the list of servers or gets the properties for the specified server. |
| Microsoft.Sql/servers/securityAlertPolicies/* | Create and manage SQL server security alert policies |
| Microsoft.Sql/servers/sqlvulnerabilityAssessments/* | |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Sql/servers/azureADOnlyAuthentications/* | |
| Microsoft.Sql/managedInstances/read | Return the list of managed instances or gets the properties for the specified managed instance. |
| Microsoft.Sql/managedInstances/azureADOnlyAuthentications/* | |
| Microsoft.Security/sqlVulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/administrators/read | Gets a list of managed instance administrators. |
| Microsoft.Sql/servers/administrators/read | Gets a specific Azure Active Directory administrator object |
| Microsoft.Sql/servers/databases/ledgerDigestUploads/* | |
| Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read | Gets in-progress operations of ledger digest upload settings |
| Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read | Gets in-progress operations of ledger digest upload settings |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/* | |
| NotActions | |
| none | |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage the security-related policies of SQL servers and databases, but not access to them.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"name": "056cd41c-7e88-42e1-933e-88ba6a50c9c3",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/administratorAzureAsyncOperation/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/read",
"Microsoft.Sql/managedInstances/serverConfigurationOptions/write",
"Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read",
"Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/read",
"Microsoft.Sql/servers/databases/read",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/read",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/read",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/transparentDataEncryption/*",
"Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/firewallRules/*",
"Microsoft.Sql/servers/read",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/sqlvulnerabilityAssessments/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Support/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/*",
"Microsoft.Sql/managedInstances/read",
"Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*",
"Microsoft.Security/sqlVulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/administrators/read",
"Microsoft.Sql/servers/administrators/read",
"Microsoft.Sql/servers/databases/ledgerDigestUploads/*",
"Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read",
"Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*"
],
"notActions": [],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Security Manager",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
SQL Server Contributor
Lets you manage SQL servers and databases, but not access to them, and not their security-related policies.
| Actions | Description |
|---|---|
| Microsoft.Authorization/*/read | Read roles and role assignments |
| Microsoft.Insights/alertRules/* | Create and manage a classic metric alert |
| Microsoft.ResourceHealth/availabilityStatuses/read | Gets the availability statuses for all resources in the specified scope |
| Microsoft.Resources/deployments/* | Create and manage a deployment |
| Microsoft.Resources/subscriptions/resourceGroups/read | Gets or lists resource groups. |
| Microsoft.Sql/locations/*/read | |
| Microsoft.Sql/servers/* | Create and manage SQL servers |
| Microsoft.Support/* | Create and update a support ticket |
| Microsoft.Insights/metrics/read | Read metrics |
| Microsoft.Insights/metricDefinitions/read | Read metric definitions |
| NotActions | |
| Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/databases/sensitivityLabels/* | |
| Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/managedInstances/securityAlertPolicies/* | |
| Microsoft.Sql/managedInstances/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/auditingSettings/* | Edit SQL server auditing settings |
| Microsoft.Sql/servers/databases/auditingSettings/* | Edit SQL server database auditing settings |
| Microsoft.Sql/servers/databases/auditRecords/read | Retrieve the database blob audit records |
| Microsoft.Sql/servers/databases/currentSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/dataMaskingPolicies/* | Edit SQL server database data masking policies |
| Microsoft.Sql/servers/databases/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/databases/recommendedSensitivityLabels/* | |
| Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/securityAlertPolicies/* | Edit SQL server database security alert policies |
| Microsoft.Sql/servers/databases/securityMetrics/* | Edit SQL server database security metrics |
| Microsoft.Sql/servers/databases/sensitivityLabels/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/* | |
| Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/* | |
| Microsoft.Sql/servers/devOpsAuditingSettings/* | |
| Microsoft.Sql/servers/extendedAuditingSettings/* | |
| Microsoft.Sql/servers/securityAlertPolicies/* | Edit SQL server security alert policies |
| Microsoft.Sql/servers/vulnerabilityAssessments/* | |
| Microsoft.Sql/servers/azureADOnlyAuthentications/delete | Deletes a specific server Azure Active Directory only authentication object |
| Microsoft.Sql/servers/azureADOnlyAuthentications/write | Adds or updates a specific server Azure Active Directory only authentication object |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete | Deletes a specific server external policy based authorization property |
| Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write | Adds or updates a specific server external policy based authorization property |
| DataActions | |
| none | |
| NotDataActions | |
| none |
{
"assignableScopes": [
"/"
],
"description": "Lets you manage SQL servers and databases, but not access to them, and not their security -related policies.",
"id": "/providers/Microsoft.Authorization/roleDefinitions/6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"name": "6d8ee4ec-f05a-4a1d-8b00-a9b17e38b437",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/read",
"Microsoft.Insights/alertRules/*",
"Microsoft.ResourceHealth/availabilityStatuses/read",
"Microsoft.Resources/deployments/*",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Sql/locations/*/read",
"Microsoft.Sql/servers/*",
"Microsoft.Support/*",
"Microsoft.Insights/metrics/read",
"Microsoft.Insights/metricDefinitions/read"
],
"notActions": [
"Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/databases/sensitivityLabels/*",
"Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/managedInstances/securityAlertPolicies/*",
"Microsoft.Sql/managedInstances/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditingSettings/*",
"Microsoft.Sql/servers/databases/auditRecords/read",
"Microsoft.Sql/servers/databases/currentSensitivityLabels/*",
"Microsoft.Sql/servers/databases/dataMaskingPolicies/*",
"Microsoft.Sql/servers/databases/extendedAuditingSettings/*",
"Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*",
"Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/securityAlertPolicies/*",
"Microsoft.Sql/servers/databases/securityMetrics/*",
"Microsoft.Sql/servers/databases/sensitivityLabels/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*",
"Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*",
"Microsoft.Sql/servers/devOpsAuditingSettings/*",
"Microsoft.Sql/servers/extendedAuditingSettings/*",
"Microsoft.Sql/servers/securityAlertPolicies/*",
"Microsoft.Sql/servers/vulnerabilityAssessments/*",
"Microsoft.Sql/servers/azureADOnlyAuthentications/delete",
"Microsoft.Sql/servers/azureADOnlyAuthentications/write",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/delete",
"Microsoft.Sql/servers/externalPolicyBasedAuthorizations/write"
],
"dataActions": [],
"notDataActions": []
}
],
"roleName": "SQL Server Contributor",
"roleType": "BuiltInRole",
"type": "Microsoft.Authorization/roleDefinitions"
}