@Alex Thanks for posting your question on the Microsoft Q&A forum.
Metadata read/write permissions in Azure Cosmos DB allow users to access and modify metadata, such as schema, indexing policies, and configuration settings. These permissions are crucial for managing resources like databases and containers via the Azure portal.
To grant or restrict these permissions, use Azure role-based access control (RBAC). This involves assigning roles to users, groups, or identities with permissions defined in a JSON file.
https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
Custom roles in Azure Cosmos DB allow you to define a set of permissions tailored to the specific needs of your users or service principals. These roles enable fine-grained access control to your Cosmos DB resources, ensuring that users have only the permissions they need to perform their tasks.
To assign read/write permissions to a user, you need to assign a special, hidden role that exists in the system. Specifically, these are the roles 00000000-0000-0000-0000-000000000001 for read and 00000000-0000-0000-0000-000000000002 for read+write.
https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#metadata-requests
Regards
Geetha
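
The assignment described in the answer above, as an added example that is not part of the original post: a dry-run shell helper that maps an access level to the two role ids quoted in the answer, prints the `az cosmosdb sql role assignment create` command, and emits a read-only custom role JSON body. The function names and the argument values you pass (account, resource group, principal id) are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original answer). Account, resource group and
# principal values passed in are the caller's; nothing is sent to Azure here.

READ_ROLE_ID="00000000-0000-0000-0000-000000000001"       # "read" role id from the answer
READWRITE_ROLE_ID="00000000-0000-0000-0000-000000000002"  # "read+write" role id from the answer

# Reject empty values and anything outside a conservative character set.
safe_arg() {
  case "$1" in ''|*[!A-Za-z0-9._/-]*) return 1 ;; esac
}

# Map an access level to its role id; unknown levels fail closed.
role_id_for() {
  case "$1" in
    read)  printf '%s\n' "$READ_ROLE_ID" ;;
    write) printf '%s\n' "$READWRITE_ROLE_ID" ;;
    *)     echo "unknown access level: $1" >&2; return 1 ;;
  esac
}

# Print a read-only custom role body for:
#   az cosmosdb sql role definition create --body @role.json ...
custom_role_json() {  # arg: role name
  safe_arg "$1" || { echo "bad role name" >&2; return 1; }
  cat <<EOF
{
  "RoleName": "$1",
  "Type": "CustomRole",
  "AssignableScopes": ["/"],
  "Permissions": [{ "DataActions": [
    "Microsoft.DocumentDB/databaseAccounts/readMetadata",
    "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"
  ] }]
}
EOF
}

# Print (do not run) the assignment command. Default scope "/" is the whole account.
assignment_cmd() {  # args: account resource-group principal-id level [scope]
  rid="$(role_id_for "$4")" || return 1
  scope="${5:-/}"
  for v in "$1" "$2" "$scope"; do
    safe_arg "$v" || { echo "bad argument: $v" >&2; return 1; }
  done
  printf '%s' "$3" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$' ||
    { echo "principal id must be an object id (GUID)" >&2; return 1; }
  printf "az cosmosdb sql role assignment create --account-name '%s' --resource-group '%s' --scope '%s' --principal-id '%s' --role-definition-id '%s'\n" \
    "$1" "$2" "$scope" "$3" "$rid"
}
```

Passing a narrower scope such as `/dbs/<database>/colls/<container>` as the fifth argument limits the assignment to one container instead of the whole account.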