limit access on the subscription level only to API Connection

Oleg Tserkovnyuk 661 Reputation points
2024-11-08T13:36:41.63+00:00

Hello,

Is it possible to allow a user access only 'API Connection' in Azure?

What I tried:

On the subscription level, I assigned the 'API Management Service Contributor' RBAC role to a user account.

Based on this the role gives access to API Management.

However, when I opened the Azure portal it did not show any resources.

To see the 'API Connection' resources I had to give the same user the 'Reader' RBAC role on the subscription level.

Is it expected behavior?

Azure API Management

Accepted answer
  1. LeelaRajeshSayana-MSFT 16,611 Reputation points
    2024-11-08T17:15:44.24+00:00

    Hi @Oleg Tserkovnyuk, greetings! Thank you for posting this question here.

    There is a difference between the roles you have outlined.

    1. API Management Service Contributor is used to grant access to the API Management service. This is different from the API Connections you are referring to. This role provides read and deployment access, among other permissions, to the API Management instance. Please refer to the role API Management Service Contributor for additional details.
    2. The Reader access role is a much broader built-in role that allows users to view all the resources on the platform but prevents them from making any changes.

    If you prefer to grant visibility access to just API connections, there is no built-in role available for it.

    However, you can create a custom role and assign the appropriate permissions. This is a bit challenging as you have to look up the specific role permissions for connections based on the resource type from the Azure RBAC documentation.

    For example, to grant permissions to Logic App API connections, you would have to grant the Microsoft.Web/connections/*/read role. The details for this specific role can be found in the documentation Logic App Operator.

    Please refer to the documentation Create custom roles for guidance.

    Hope this helps!


    If the response helped, please do click Accept Answer and Yes for the answer provided. Doing so would help other community members with a similar issue identify the solution. I highly appreciate your contribution to the community.

    1 person found this answer helpful.
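The following is an added example, not part of the question or the accepted answer: a sketch of the custom role the answer describes, with a simplified action matcher showing why API Management Service Contributor exposes no API connections while Reader exposes every resource. The role name, the placeholder subscription ID, the extra `Microsoft.Web/connections/read` action, the abridged built-in action lists and the helper functions are assumptions made for illustration.

```python
import json
from fnmatch import fnmatchcase

# Placeholder subscription ID (constructed, not from the page).
SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"

# Hypothetical custom role. The */read pattern is the one quoted in the answer;
# the plain connections/read action is an assumption added so the connection
# resource itself is readable, not only its child resources.
CUSTOM_ROLE = {
    "Name": "API Connection Reader (example)",
    "IsCustom": True,
    "Description": "Read-only access to Microsoft.Web/connections.",
    "Actions": [
        "Microsoft.Web/connections/read",
        "Microsoft.Web/connections/*/read",
    ],
    "NotActions": [],
    "AssignableScopes": [SCOPE],
}

# Abridged action lists for the two built-in roles in the thread (assumed from
# the built-in role documentation; the real definitions contain more entries).
APIM_CONTRIBUTOR = {"Actions": ["Microsoft.ApiManagement/service/*",
                                "Microsoft.Resources/deployments/*"],
                    "NotActions": []}
READER = {"Actions": ["*/read"], "NotActions": []}


def _matches(operation, patterns):
    # Simplified model: '*' matches any run of characters, case-insensitively.
    return any(fnmatchcase(operation.lower(), p.lower()) for p in patterns)


def allows(role, operation):
    """True if an Actions pattern matches and no NotActions pattern does."""
    return (_matches(operation, role["Actions"])
            and not _matches(operation, role["NotActions"]))


def is_read_only(role):
    """Least-privilege check: every granted action must end in /read."""
    return all(a.lower().endswith("/read") for a in role["Actions"])


def role_definition_json(role=CUSTOM_ROLE):
    return json.dumps(role, indent=2)


if __name__ == "__main__":
    print(role_definition_json())
```

The printed JSON has the shape accepted by `az role definition create --role-definition`; replace the placeholder subscription ID before using it.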