Hi @Kothai Ramanathan,
Thanks for your patience again!
I got an update from the ADLS Gen2 team that each role definition has a set of permissions associated with it. The permissions can be set for management operations (Actions) or data operations (DataActions). Actions grant permissions for operations on the resource itself, for example the storage account itself, but not the data within the resource. On the other hand, DataActions grant permissions for operations on the data contained within the resource.
As a Contributor you have Actions that grant you full control of a storage account, but you do not have any DataActions. This prevents you from accessing the data in the storage account.
As a Storage Blob Data Reader, you have a DataAction that grants “Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read” permission, so you can read blobs. Note this role also grants the Action “Microsoft.Storage/storageAccounts/blobServices/containers/read” which allows you to read containers. From an RBAC perspective, operations on containers are treated as management operations as opposed to data operations.
Hope this helps! Please let us know if you have further queries and we will be glad to assist.
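The split between management-plane Actions and data-plane DataActions described in the answer above can be checked with a small evaluator, written here as an added example (it is not code from the answer, from Microsoft, or from any Azure SDK). The role definitions are abbreviated and constructed for the example: the shape follows the Azure built-in roles, and the two storage operations quoted in the answer are the real operation names, but the other entries are only illustrative. Wildcard matching is approximated with `fnmatch`, and Azure deny assignments are ignored.

```python
from fnmatch import fnmatchcase

MANAGEMENT = "Actions"      # management plane (operations on the resource)
DATA = "DataActions"        # data plane (operations on the data inside the resource)

# Abbreviated, constructed role definitions. Only the operations discussed in the
# answer are guaranteed to match the real built-in roles; the rest is illustrative.
ROLE_DEFINITIONS = {
    "Contributor": {
        "Actions": ["*"],                       # full control of the resource...
        "NotActions": [                         # ...except changing access (abbreviated)
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
        "DataActions": [],                      # no data-plane permissions at all
        "NotDataActions": [],
    },
    "Storage Blob Data Reader": {
        "Actions": [
            # container listing/reading is a management operation in RBAC terms
            "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        ],
        "NotActions": [],
        "DataActions": [
            # the one data operation that lets you read blob contents
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        ],
        "NotDataActions": [],
    },
}


def _matches(patterns, operation):
    """Azure-style wildcard match: '*' may span '/' segments; names are case-insensitive."""
    op = operation.lower()
    return any(fnmatchcase(op, pattern.lower()) for pattern in patterns)


def role_permits(role_name, operation, plane=MANAGEMENT):
    """One role permits an operation when an allow pattern matches and no Not* pattern excludes it."""
    role = ROLE_DEFINITIONS[role_name]
    deny_key = "NotActions" if plane == MANAGEMENT else "NotDataActions"
    return _matches(role[plane], operation) and not _matches(role[deny_key], operation)


def is_permitted(assigned_roles, operation, plane=MANAGEMENT):
    """Union across role assignments: any single role permitting the operation is enough."""
    return any(role_permits(role, operation, plane) for role in assigned_roles)


def evaluate(assigned_roles, operations):
    """Map each (operation, plane) pair to the access decision for the given assignments."""
    return {op: is_permitted(assigned_roles, op, plane) for op, plane in operations}


if __name__ == "__main__":
    # Constructed sample of operations a user might attempt against a storage account.
    attempts = [
        ("Microsoft.Storage/storageAccounts/write", MANAGEMENT),
        ("Microsoft.Storage/storageAccounts/listKeys/action", MANAGEMENT),
        ("Microsoft.Storage/storageAccounts/blobServices/containers/read", MANAGEMENT),
        ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", DATA),
        ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", DATA),
        ("Microsoft.Authorization/roleAssignments/write", MANAGEMENT),
    ]
    for roles in (["Contributor"], ["Storage Blob Data Reader"], ["Contributor", "Storage Blob Data Reader"]):
        print(", ".join(roles))
        for op, allowed in evaluate(roles, attempts).items():
            print(f"  {'ALLOW' if allowed else 'DENY ':5} {op}")
```

Running it shows Contributor's `*` covering every management operation on the account, including `containers/read`, while the blob read under `DataActions` is denied until `Storage Blob Data Reader` is added. Note that the same `*` also matches `listKeys/action` in this model, so a Contributor who can fetch the account keys can still reach the data over shared-key authentication; RBAC data-plane separation only holds if shared-key access is disabled on the account.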