Managed HSM local RBAC built-in roles

Managed HSM local RBAC has several built-in roles. You can assign these roles to users, service principals, groups, and managed identities. To allow a principal to perform an operation, you must assign them a role that grants them permission to perform that operations. All these roles and operations only allow you to manage permission for data plane operations. To manage control plane permissions for the Managed HSM resource, you must use Azure role-based access control (Azure RBAC). Some examples of control plane operations are create a new managed HSM or update, move, delete it.

Built-in roles

Role Name Description ID
Managed HSM Administrator Grants permissions to perform all operations related to Security Domain, full backup/restore, and role management. Not permitted to perform any key management operations. a290e904-7015-4bba-90c8-60543313cdb4
Managed HSM Crypto Officer Grants permissions to perform all role management, purge or recover deleted keys, and export keys. Not permitted to perform any other key management operations. 515eb02d-2335-4d2d-92f2-b1cbdf9c3778
Managed HSM Crypto User Grants permissions to perform all key management operations except purge or recover deleted keys, and export keys. 21dbd100-6940-42c2-9190-5d6cb909625b
Managed HSM Policy Administrator Grants permission to create and delete role assignments 4bd23610-cdcf-4971-bdee-bdc562cc28e4
Managed HSM Crypto Auditor Grants read permission to read (but not use) key attributes. 2c18b078-7c48-4d3a-af88-5a3a1b3f82b3
Managed HSM Crypto Service Encryption User Grants permission to use a key for service encryption. 33413926-3206-4cdd-b39a-83574fe37a17
Managed HSM Backup Grants permission to perform single key or whole HSM backup. 7b127d3c-77bd-4e3e-bbe0-dbb8971fa7f8

Permitted operations

Note

  • An 'X' indicates that a role is allowed to perform the data action. Empty cell indicates the role does not have pemission to perform that data action.
  • All the data action names have a 'Microsoft.KeyVault/managedHsm' prefix, which is omitted in the tables for brevity.
  • All role names have a prefix "Managed HSM" which is omitted in the below table for brevity.
Data Action Administrator Crypto Officer Crypto User Policy Administrator Crypto Service Encryption Backup Crypto Auditor
Security Domain management
/securitydomain/download/action
X
/securitydomain/upload/action
X
/securitydomain/upload/read
X
/securitydomain/transferkey/read
X
Key management
/keys/read/action
X
X
X
/keys/write/action
X
/keys/rotate/action
X
/keys/create
X
/keys/delete
X
/keys/deletedKeys/read/action
X
/keys/deletedKeys/recover/action
X
/keys/deletedKeys/delete
X
X
/keys/backup/action
X
X
/keys/restore/action
X
/keys/release/action
X
/keys/import/action
X
Key cryptographic operations
/keys/encrypt/action
X
/keys/decrypt/action
X
/keys/wrap/action
X
X
/keys/unwrap/action
X
X
/keys/sign/action
X
/keys/verify/action
X
Role management
/roleAssignments/read/action
X
X
X
X
X
/roleAssignments/write/action
X
X
X
/roleAssignments/delete/action
X
X
X
/roleDefinitions/read/action
X
X
X
X
X
/roleDefinitions/write/action
X
X
X
/roleDefinitions/delete/action
X
X
X
Backup/Restore management
/backup/start/action
X
X
/backup/status/action
X
X
/restore/start/action
X
/restore/status/action
X

Next steps