

Azure RBAC best practices and Azure RBAC general built-in roles

Azure provides a set of general built-in roles that can be assigned to any Azure Sphere resource, but be aware that Azure best-practice guidance recommends that administrators limit a given user's scope as far as possible without compromising the user's ability to do their job. For example, if you have a business user who needs to create new catalogs in a specific resource group, we recommend that you assign the Azure Sphere Owner role to that user for the resource group rather than the standard Azure Owner role. The Azure Sphere Owner role enables the user to create only Azure Sphere catalog resources within the group, and to assign only Azure Sphere-specific RBAC roles to other users for that group. The Azure Owner role, by contrast, enables the user to create any type of Azure resource in the resource group, such as a Cosmos DB account or a multi-core virtual machine, and to assign RBAC roles for any type of Azure resource to any user within that resource group.

For more information, see Understand scope for Azure RBAC.

Take the following considerations into account when determining whether or not to use the Azure general built-in roles for Azure Sphere resources.

| Role name | Permissions | Considerations and cautions |
|---|---|---|
| Reader | n/a | Due to the unique nature of Azure Sphere resources, this role does not work as expected on Azure Sphere resources, and we strongly recommend that you use the Azure Sphere Reader role instead. |
| Contributor | Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC | We recommend using the Azure Sphere Contributor role instead, particularly if assigning the role to a subscription or resource group. Contributor role users have extremely broad permissions, with the ability to add and manage any type of Azure resource in the subscription or resource group. |
| Owner | Contributor + RBAC user administration | We recommend using the Azure Sphere Owner role instead, particularly if assigning the role to a subscription or resource group. Owner role users have the highest permission set, with access to all user functions, including RBAC user administration. |
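As an added example (not Microsoft's code), the following audit walks a list of role assignments and flags any of the three general built-in roles above whose scope is inherited by an Azure Sphere catalog, naming the Azure Sphere-specific role to assign instead. The input fields mirror what `az role assignment list` emits (`principalName`, `roleDefinitionName`, `scope`); the subscription ID, resource group, catalog path under `Microsoft.AzureSphere/catalogs`, and user names are constructed placeholders.

```python
# General role -> Azure Sphere-specific role the docs recommend instead.
GENERAL_TO_SPHERE = {
    "Reader": "Azure Sphere Reader",
    "Contributor": "Azure Sphere Contributor",
    "Owner": "Azure Sphere Owner",
}

def scope_covers(scope: str, resource_id: str) -> bool:
    """True if an assignment at `scope` is inherited by `resource_id`.
    Azure RBAC scopes nest: a subscription or resource-group scope is a path
    prefix of every resource ID beneath it."""
    scope = scope.rstrip("/").lower()
    rid = resource_id.lower()
    return rid == scope or rid.startswith(scope + "/")

def audit(assignments, catalog_ids):
    """One finding per general-role assignment that covers a catalog."""
    findings = []
    for a in assignments:
        role = a["roleDefinitionName"]
        if role not in GENERAL_TO_SPHERE:
            continue  # Azure Sphere-specific or unrelated role: nothing to flag
        covered = [c for c in catalog_ids if scope_covers(a["scope"], c)]
        if not covered:
            continue  # scope never touches an Azure Sphere resource
        findings.append({
            "principal": a["principalName"],
            "role": role,
            "scope": a["scope"],
            "catalogs": covered,
            "recommend": GENERAL_TO_SPHERE[role],
            # Reader is not just over-broad: per the docs it breaks device views.
            "severity": "broken" if role == "Reader" else "over-privileged",
        })
    return findings

# Constructed sample data: placeholder subscription, group, catalog and users.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/sphere-rg"
CATALOGS = [RG + "/providers/Microsoft.AzureSphere/catalogs/factory-catalog"]
ASSIGNMENTS = [
    {"principalName": "ops@example.com", "roleDefinitionName": "Owner", "scope": RG},
    {"principalName": "viewer@example.com", "roleDefinitionName": "Reader", "scope": CATALOGS[0]},
    {"principalName": "dev@example.com", "roleDefinitionName": "Azure Sphere Contributor", "scope": RG},
    {"principalName": "dba@example.com", "roleDefinitionName": "Contributor", "scope": SUB + "/resourceGroups/db-rg"},
]

if __name__ == "__main__":
    for f in audit(ASSIGNMENTS, CATALOGS):
        print(f"{f['severity']}: {f['principal']} has {f['role']} at {f['scope']}; use {f['recommend']}")
```

The Contributor assignment on an unrelated resource group and the Azure Sphere Contributor assignment produce no findings; only the general roles that actually reach a catalog are reported.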

Warning

For users that require read-only permissions to Azure Sphere resources, we strongly recommend that you assign the Azure Sphere Reader pre-built role, and not the standard Azure Reader role. Due to the number of levels in the Azure Sphere resource hierarchy and the way in which Azure RBAC manages permissions, the Azure Reader role does not work as expected when users attempt to view device groups and devices.
Users with standard Azure Reader permissions can view a catalog and view the catalog’s product by clicking the Products button in the left menu. It is also possible for standard Reader users to view and select device groups directly from the parent product’s device groups list, and to select a device from the parent device group’s devices list; however, clicking either the Device Groups or Devices buttons in the left menu will result in an error.