This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(96, 40%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIK%3C/text%3E%3C/svg%3E)
Hello,
I planning to create Azure Managed Application that will contain Linux VM with the application server and DB. As far as I understand from this article https://learn.microsoft.com/en-us/azure/azure-resource-manager/managed-applications/overview I as a publisher can access to all resources from the Managed Resource Group of Managed Application. But customer can store confidential data on DB that I have access.
Is there any way to limit access for a publisher to some resources in Managed Resource Group that can store customer internal data?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(249.60000000000002, 39%, 34%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESM%3C/text%3E%3C/svg%3E)
@Ivan Karimov Welcome to Microsoft Q & A Community Forum. If in case you want restrict access to Storage account, kindly note management access is not inherited to your data provided that the container authentication method is set to "Azure AD User Account" and not "Access Key". This separation prevents roles with wildcards (*) from having unrestricted access to your data. For example, if a user has a Reader role on a resource group , then they can view the storage account, but by default they can't view the underlying data. This might be a workaround in your scenario.
Or you can take advantage of just-in-time access feature which gives permission for specific time period. For more information about just-in-time access feature, kindly check this documentation.
Hello @SwathiDhanwada-MSFT
Thank you for your clarification. I'll read that documentation.
Hi @Ivan Karimov One of ways can be --- restrict publisher account access on DB.(assuming its SQL -SQL managed Studio) ---- Create a user (publisher) account (make sure its not mapped to any Database)---Right Click on the upper section of the SQL (SQLSERVER Name)>Properties>Permissions>Click on the user account, and select Deny to view databases.---Right Click on the newly created DB, Properties,Files, and change the Owner to the newly created account.
At this point, once the user/publisher logs in to Db he will see the Master,tempdb and will also see the new DB which he is a DB Owner of.
OR
DENY VIEW any DATABASE TO PUBLIC;
GRANT CREATE DATABASE TO PUBLIC;
Ref: https://stackoverflow.com/questions/13809456/sql-database-restrict-view-of-data
Hello @JoyDutt
Thank you for that information. I want to use another Db type. But I got it. And I'll try in this way.