Metadata permissions clarity

Alex 355 Reputation points
2024-06-17T06:35:44.6733333+00:00

Hello,

Having a few doubts related to Metadata permissions.

  • What is metadata read/write permissions? What is the use of it, and whether this permission is required for an user who majorly uses only Azure portal for managing the resources?
  • How to provide/deny these permissions? Like what is the permission string to be used in the role json?
  • How to test these permission assignments (either allow/deny) in Azure portal?
    • Like, the users won't be able to view the Resource JSON of the resources?, etc.

Thank you in advance.

Azure Cosmos DB
Azure Cosmos DB
An Azure NoSQL database service for app development.
1,539 questions
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
721 questions
{count} votes

1 answer

Sort by: Most helpful
  1. GeethaThatipatri-MSFT 29,017 Reputation points Microsoft Employee
    2024-06-18T18:10:35.3133333+00:00

    @Alex Thanks for posting your question on Microsoft Q&A forum.

    Metadata read/write permissions in Azure Cosmos DB allow users to access and modify metadata, such as schema, indexing policies, and configuration settings. These permissions are crucial for managing resources like databases and containers via the Azure portal.

    To grant or restrict these permissions, use Azure role-based access control (RBAC). This involves assigning roles to users, groups, or identities with permissions defined in a JSON file.

    https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control

    Custom roles in Azure Cosmos DB allow you to define a set of permissions to the specific needs of your users or service principals. These roles enable fine-grained access control to your Cosmos DB resources, ensuring that users have only the permissions they need to perform their tasks.

    https://learn.microsoft.com/en-us/azure/role-based-access-control/permissions/databases#microsoftdocumentdb

    To assign read/write permissions to a user, you need to assign a special, hidden role that exists in the system. Specifically, it's the roles 00000000-0000-0000-0000-000000000001 for read and 00000000-0000-0000-0000-000000000002 for read+write.

    https://learn.microsoft.com/en-us/azure/cosmos-db/how-to-setup-rbac#metadata-requests

    Regards

    Geetha