Hi @Diaz Casado, Victor · Thank you for reaching out.
In Key Vault, access can be granted for Management plane or Data plane or both.
Management plane: To control operations like creating and deleting key vaults, retrieving key vault properties, and updating access policies. This require permissions to be added at the Subscription/ResourceGroup/KeyVault Resource level via RBAC.
Data plane: To control operations like reading, adding, deleting , and/or modifying keys, secrets, and certificates. This require permissions to be added via Access Policy blade in Key Vault.
Now, to answer your question, if you want to have access to Data plane, you don't need permission added at subscription or resource level. However, if access to management plane is needed then permissions at subscription or resource level would be needed.
-----------------------------------------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.