This is by design! The owner and contributor roles allow you to manage the Azure resource (i.e. create and/or delete the resource). It does not however give you access to the data inside that resource. This separation of concerns is called the control plane and the data plane. An owner or contributor allows access to the control plane, whereas the Azure Digital Twins Data Owner/Reader role grants access to its data plane. This allows you to assign the minimal access needed to a user/application to do its job. The difference between the two planes is better explained here.
"Owner" and "Contributor" don't include the permissions of "Azure Digital Twins Data Owner"
According to the document "Azure built-in roles", the "Owner" role has all permissions (the action in the permissions JSON is a wildcard "*"),
and the "Contributor" role also has the same permissions excluding a few permissions like RBAC.
It seems like the actions starting with "Microsoft.DigitalTwins." should also be included in the permissions with action "*",
but as an "Owner" I can't view the digital twins in Azure Digital Twins Explorer, and the other user with the "Contributor" role also can't view them.
The error message says that I don't have the right permission, and after I add the "Azure Digital Twins Data Owner" role I can get access to the ADT explorer.
Is this by design or a bug?
Azure Digital Twins
-
Matthijs van der Veer 4,376 Reputation points MVP Volunteer Moderator
2022-04-27T06:15:02.417+00:00
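The control-plane/data-plane split described in the answer, as an added Python example (not code from the thread or from Microsoft): it emulates how Azure RBAC evaluates a role definition, using abridged copies of the built-in role definitions. The role JSON is simplified (Contributor's real notActions list is longer), the wildcard handling is emulated with fnmatch, and the operation names used in the demo are assumed for illustration.

```python
"""Why Owner/Contributor (control plane) do not grant Azure Digital Twins data-plane
access, while "Azure Digital Twins Data Owner" does. Role definitions are abridged
summaries constructed for this example; Azure wildcard matching is emulated with fnmatch."""
from fnmatch import fnmatchcase

# Abridged built-in role definitions: actions = control plane, dataActions = data plane.
ROLES = {
    "Owner": {"actions": ["*"], "notActions": [], "dataActions": [], "notDataActions": []},
    "Contributor": {"actions": ["*"],
                    "notActions": ["Microsoft.Authorization/*/Delete",   # abridged list
                                   "Microsoft.Authorization/*/Write",
                                   "Microsoft.Authorization/elevateAccess/Action"],
                    "dataActions": [], "notDataActions": []},
    "Azure Digital Twins Data Owner": {"actions": [], "notActions": [],
                                       "dataActions": ["Microsoft.DigitalTwins/*"],
                                       "notDataActions": []},
}

def _matches(patterns, operation):
    # Azure action strings are case-insensitive and "*" also spans "/" separators.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def role_allows(role, operation, data_plane):
    """True if one role grants `operation`. `data_plane` selects which permission
    lists apply; Azure classifies each provider operation as exactly one plane."""
    allow, deny = ("dataActions", "notDataActions") if data_plane else ("actions", "notActions")
    d = ROLES[role]
    return _matches(d[allow], operation) and not _matches(d[deny], operation)

def effective_allows(assigned_roles, operation, data_plane):
    """Azure RBAC is additive: allowed if any assigned role allows the operation."""
    return any(role_allows(r, operation, data_plane) for r in assigned_roles)

if __name__ == "__main__":
    ctrl = "Microsoft.DigitalTwins/digitalTwinsInstances/read"  # control plane: see the resource
    data = "Microsoft.DigitalTwins/digitaltwins/read"           # data plane: read twins (Explorer)
    for roles in (["Owner"], ["Contributor"], ["Owner", "Azure Digital Twins Data Owner"]):
        print(roles, "manage resource:", effective_allows(roles, ctrl, False),
              "read twins:", effective_allows(roles, data, True))
```

The "*" in Owner and Contributor sits in `actions`, so it never matches a data-plane operation; only a role with a matching `dataActions` entry unlocks the twins.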