Hello @grajee ,
Thanks for the question and using MS Q&A platform.
Note: "Storage Blob Data Owner", "Storage Blob Data Contributor" and "Storage Blob Data Reader" don't allow a user to manipulate objects (read/upload/delete);
only Storage Blob Data Contributor allows users to grant (read/write/delete) permissions to Blob storage resources.
Azure provides the following Azure built-in roles for authorizing access to blob and queue data using Azure AD and OAuth:
- Storage Blob Data Owner: Use to set ownership and manage POSIX access control for Azure Data Lake Storage Gen2. For more information, see Access control in Azure Data Lake Storage Gen2.
- Storage Blob Data Contributor: Use to grant read/write/delete permissions to Blob storage resources.
- Storage Blob Data Reader: Use to grant read-only permissions to Blob storage resources.
- Storage Blob Delegator: Get a user delegation key to use to create a shared access signature that is signed with Azure AD credentials for a container or blob.
- Storage Queue Data Contributor: Use to grant read/write/delete permissions to Azure queues.
- Storage Queue Data Reader: Use to grant read-only permissions to Azure queues.
- Storage Queue Data Message Processor: Use to grant peek, retrieve, and delete permissions to messages in Azure Storage queues.
- Storage Queue Data Message Sender: Use to grant add permissions to messages in Azure Storage queues.
For more details, refer to Use the Azure portal to assign an Azure role for access to blob and queue data.
User Access Administrator - Lets you manage user access to Azure resources.
Hope this helps. Do let us know if you have any further queries.
---------------------------------------------------------------------------
Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
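As an added example (not part of the answer above or Microsoft's own docs), the PowerShell script below audits which principals hold the data-plane roles listed in that answer on a storage account, so a least-privilege review can spot write/delete-capable grants. It assumes the Az.Resources module is installed, Connect-AzAccount has been run, and $StorageAccountId is a placeholder you replace with your own resource ID.

```powershell
# Added example: audit Azure AD data-plane role assignments on a storage account.
# $StorageAccountId is a placeholder; substitute the real resource ID of your account.
$StorageAccountId = "/subscriptions/<subscription-id>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<account>"

# Data-plane roles from the answer, mapped to what they let a principal do.
$DataPlaneRoles = @{
    "Storage Blob Data Owner"              = "blob: full access, incl. POSIX ACL management on ADLS Gen2"
    "Storage Blob Data Contributor"        = "blob: read/write/delete"
    "Storage Blob Data Reader"             = "blob: read-only"
    "Storage Blob Delegator"               = "blob: get user delegation key (Azure AD-signed SAS)"
    "Storage Queue Data Contributor"       = "queue: read/write/delete"
    "Storage Queue Data Reader"            = "queue: read-only"
    "Storage Queue Data Message Processor" = "queue: peek/retrieve/delete messages"
    "Storage Queue Data Message Sender"    = "queue: add messages"
}
# Roles that can change or delete data; these deserve the closest review.
$WriteCapable = @("Storage Blob Data Owner", "Storage Blob Data Contributor",
                  "Storage Queue Data Contributor", "Storage Queue Data Message Processor")

# Get-AzRoleAssignment at the account scope also returns assignments inherited
# from the resource group and subscription, which apply to the account as well.
$assignments = Get-AzRoleAssignment -Scope $StorageAccountId

$report = foreach ($a in $assignments) {
    if (-not $DataPlaneRoles.ContainsKey($a.RoleDefinitionName)) { continue }  # skip control-plane roles
    [PSCustomObject]@{
        Principal   = $a.DisplayName
        Type        = $a.ObjectType            # User, Group, ServicePrincipal
        Role        = $a.RoleDefinitionName
        Grants      = $DataPlaneRoles[$a.RoleDefinitionName]
        CanModify   = $a.RoleDefinitionName -in $WriteCapable
        Inherited   = $a.Scope -ne $StorageAccountId   # true when granted at RG/subscription scope
        AssignedAt  = $a.Scope
    }
}

# Write/delete-capable and inherited grants first, since those widen blast radius most.
$report | Sort-Object -Property @{Expression = "CanModify"; Descending = $true},
                                @{Expression = "Inherited"; Descending = $true} |
    Format-Table Principal, Type, Role, CanModify, Inherited, AssignedAt -AutoSize
```

Group assignments are shown as the group, not its members; add -ExpandPrincipalGroups to Get-AzRoleAssignment to resolve membership for a specific signed-in user.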