SqlResources2 - Create Update Sql Role Definition

Reference

Service:: Cosmos DB Resource Provider

API Version:: 2023-11-15

Creates or updates an Azure Cosmos DB SQL Role Definition.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/sqlRoleDefinitions/{roleDefinitionId}?api-version=2023-11-15

URI Parameters

Name	In	Required	Type	Description
accountName	path	True	string	Cosmos DB database account name. Regex pattern: `^[a-z0-9]+(-[a-z0-9]+)*`
resourceGroupName	path	True	string	The name of the resource group. The name is case insensitive.
roleDefinitionId	path	True	string	The GUID for the Role Definition.
subscriptionId	path	True	string	The ID of the target subscription.
api-version	query	True	string	The API version to use for this operation.

Request Body

Name	Type	Description
properties.assignableScopes	string[]	A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
properties.permissions	Permission[]	The set of operations allowed through this Role Definition.
properties.roleName	string	A user-friendly name for the Role Definition. Must be unique for the database account.
properties.type	RoleDefinitionType	Indicates whether the Role Definition was built-in or user created.

Responses

Name	Type	Description
200 OK	SqlRoleDefinitionGetResults	The Role Definition create or update operation was completed successfully.
202 Accepted		The Role Definition create or update request was accepted and will complete asynchronously.
Other Status Codes	CloudError	Error response describing why the operation failed.

Security

azure_auth

Azure Active Directory OAuth2 Flow

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

Name	Description
user_impersonation	Impersonate your user account

Examples

CosmosDBSqlRoleDefinitionCreateUpdate

Sample Request

PUT https://management.azure.com/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/sqlRoleDefinitions/myRoleDefinitionId?api-version=2023-11-15

{
  "properties": {
    "roleName": "myRoleName",
    "type": "CustomRole",
    "assignableScopes": [
      "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
      "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases"
    ],
    "permissions": [
      {
        "dataActions": [
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"
        ],
        "notDataActions": []
      }
    ]
  }
}


import com.azure.resourcemanager.cosmos.models.Permission;
import com.azure.resourcemanager.cosmos.models.RoleDefinitionType;
import com.azure.resourcemanager.cosmos.models.SqlRoleDefinitionCreateUpdateParameters;
import java.util.Arrays;

/**
 * Samples for SqlResources CreateUpdateSqlRoleDefinition.
 */
public final class Main {
    /*
     * x-ms-original-file: specification/cosmos-db/resource-manager/Microsoft.DocumentDB/stable/2023-11-15/examples/
     * CosmosDBSqlRoleDefinitionCreateUpdate.json
     */
    /**
     * Sample code: CosmosDBSqlRoleDefinitionCreateUpdate.
     * 
     * @param azure The entry point for accessing resource management APIs in Azure.
     */
    public static void cosmosDBSqlRoleDefinitionCreateUpdate(com.azure.resourcemanager.AzureResourceManager azure) {
        azure.cosmosDBAccounts().manager().serviceClient().getSqlResources().createUpdateSqlRoleDefinition(
            "myRoleDefinitionId", "myResourceGroupName", "myAccountName",
            new SqlRoleDefinitionCreateUpdateParameters().withRoleName("myRoleName")
                .withType(RoleDefinitionType.CUSTOM_ROLE)
                .withAssignableScopes(Arrays.asList(
                    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
                    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases"))
                .withPermissions(Arrays.asList(new Permission()
                    .withDataActions(
                        Arrays.asList("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
                            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"))
                    .withNotDataActions(Arrays.asList()))),
            com.azure.core.util.Context.NONE);
    }
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

from azure.identity import DefaultAzureCredential
from azure.mgmt.cosmosdb import CosmosDBManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-cosmosdb
# USAGE
    python cosmos_db_sql_role_definition_create_update.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = CosmosDBManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="mySubscriptionId",
    )

    response = client.sql_resources.begin_create_update_sql_role_definition(
        role_definition_id="myRoleDefinitionId",
        resource_group_name="myResourceGroupName",
        account_name="myAccountName",
        create_update_sql_role_definition_parameters={
            "properties": {
                "assignableScopes": [
                    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
                    "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases",
                ],
                "permissions": [
                    {
                        "dataActions": [
                            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
                            "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
                        ],
                        "notDataActions": [],
                    }
                ],
                "roleName": "myRoleName",
                "type": "CustomRole",
            }
        },
    ).result()
    print(response)


# x-ms-original-file: specification/cosmos-db/resource-manager/Microsoft.DocumentDB/stable/2023-11-15/examples/CosmosDBSqlRoleDefinitionCreateUpdate.json
if __name__ == "__main__":
    main()

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

package armcosmos_test

import (
	"context"
	"log"

	"github.com/Azure/azure-sdk-for-go/sdk/azcore/to"
	"github.com/Azure/azure-sdk-for-go/sdk/azidentity"
	"github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/cosmos/armcosmos/v2"
)

// Generated from example definition: https://github.com/Azure/azure-rest-api-specs/blob/41e4538ed7bb3ceac3c1322c9455a0812ed110ac/specification/cosmos-db/resource-manager/Microsoft.DocumentDB/stable/2023-11-15/examples/CosmosDBSqlRoleDefinitionCreateUpdate.json
func ExampleSQLResourcesClient_BeginCreateUpdateSQLRoleDefinition() {
	cred, err := azidentity.NewDefaultAzureCredential(nil)
	if err != nil {
		log.Fatalf("failed to obtain a credential: %v", err)
	}
	ctx := context.Background()
	clientFactory, err := armcosmos.NewClientFactory("<subscription-id>", cred, nil)
	if err != nil {
		log.Fatalf("failed to create client: %v", err)
	}
	poller, err := clientFactory.NewSQLResourcesClient().BeginCreateUpdateSQLRoleDefinition(ctx, "myRoleDefinitionId", "myResourceGroupName", "myAccountName", armcosmos.SQLRoleDefinitionCreateUpdateParameters{
		Properties: &armcosmos.SQLRoleDefinitionResource{
			Type: to.Ptr(armcosmos.RoleDefinitionTypeCustomRole),
			AssignableScopes: []*string{
				to.Ptr("/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales"),
				to.Ptr("/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases")},
			Permissions: []*armcosmos.Permission{
				{
					DataActions: []*string{
						to.Ptr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create"),
						to.Ptr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read")},
					NotDataActions: []*string{},
				}},
			RoleName: to.Ptr("myRoleName"),
		},
	}, nil)
	if err != nil {
		log.Fatalf("failed to finish the request: %v", err)
	}
	res, err := poller.PollUntilDone(ctx, nil)
	if err != nil {
		log.Fatalf("failed to pull the result: %v", err)
	}
	// You could use response here. We use blank identifier for just demo purposes.
	_ = res
	// If the HTTP response code is 200 as defined in example definition, your response structure would look as follows. Please pay attention that all the values in the output are fake values for just demo purposes.
	// res.SQLRoleDefinitionGetResults = armcosmos.SQLRoleDefinitionGetResults{
	// 	Name: to.Ptr("myRoleDefinitionId"),
	// 	Type: to.Ptr("Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions"),
	// 	ID: to.Ptr("/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/sqlRoleDefinitions/myRoleDefinitionId"),
	// 	Properties: &armcosmos.SQLRoleDefinitionResource{
	// 		Type: to.Ptr(armcosmos.RoleDefinitionTypeCustomRole),
	// 		AssignableScopes: []*string{
	// 			to.Ptr("/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales"),
	// 			to.Ptr("/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases")},
	// 			Permissions: []*armcosmos.Permission{
	// 				{
	// 					DataActions: []*string{
	// 						to.Ptr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create"),
	// 						to.Ptr("Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read")},
	// 				}},
	// 				RoleName: to.Ptr("myRoleName"),
	// 			},
	// 		}
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

const { CosmosDBManagementClient } = require("@azure/arm-cosmosdb");
const { DefaultAzureCredential } = require("@azure/identity");

/**
 * This sample demonstrates how to Creates or updates an Azure Cosmos DB SQL Role Definition.
 *
 * @summary Creates or updates an Azure Cosmos DB SQL Role Definition.
 * x-ms-original-file: specification/cosmos-db/resource-manager/Microsoft.DocumentDB/stable/2023-11-15/examples/CosmosDBSqlRoleDefinitionCreateUpdate.json
 */
async function cosmosDbSqlRoleDefinitionCreateUpdate() {
  const subscriptionId = process.env["COSMOSDB_SUBSCRIPTION_ID"] || "mySubscriptionId";
  const roleDefinitionId = "myRoleDefinitionId";
  const resourceGroupName = process.env["COSMOSDB_RESOURCE_GROUP"] || "myResourceGroupName";
  const accountName = "myAccountName";
  const createUpdateSqlRoleDefinitionParameters = {
    type: "CustomRole",
    assignableScopes: [
      "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
      "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases",
    ],
    permissions: [
      {
        dataActions: [
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
        ],
        notDataActions: [],
      },
    ],
    roleName: "myRoleName",
  };
  const credential = new DefaultAzureCredential();
  const client = new CosmosDBManagementClient(credential, subscriptionId);
  const result = await client.sqlResources.beginCreateUpdateSqlRoleDefinitionAndWait(
    roleDefinitionId,
    resourceGroupName,
    accountName,
    createUpdateSqlRoleDefinitionParameters,
  );
  console.log(result);
}

To use the Azure SDK library in your project, see this documentation. To provide feedback on this code sample, open a GitHub issue

Sample Response

Status code:: 200

{
  "id": "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/sqlRoleDefinitions/myRoleDefinitionId",
  "name": "myRoleDefinitionId",
  "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions",
  "properties": {
    "roleName": "myRoleName",
    "type": "CustomRole",
    "assignableScopes": [
      "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
      "/subscriptions/mySubscriptionId/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases"
    ],
    "permissions": [
      {
        "dataActions": [
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"
        ]
      }
    ]
  }
}

Status code:: 202

Definitions

Name	Description
CloudError	An error response from the service.
ErrorResponse	Error Response.
Permission	The set of data plane operations permitted through this Role Definition.
RoleDefinitionType	Indicates whether the Role Definition was built-in or user created.
SqlRoleDefinitionCreateUpdateParameters	Parameters to create and update an Azure Cosmos DB SQL Role Definition.
SqlRoleDefinitionGetResults	An Azure Cosmos DB SQL Role Definition.

CloudError

An error response from the service.

Name	Type	Description
error	ErrorResponse	Error Response.

ErrorResponse

Error Response.

Name	Type	Description
code	string	Error code.
message	string	Error message indicating why the operation failed.

Permission

The set of data plane operations permitted through this Role Definition.

Name	Type	Description
dataActions	string[]	An array of data actions that are allowed.
notDataActions	string[]	An array of data actions that are denied.

RoleDefinitionType

Indicates whether the Role Definition was built-in or user created.

Name	Type	Description
BuiltInRole	string
CustomRole	string

SqlRoleDefinitionCreateUpdateParameters

Parameters to create and update an Azure Cosmos DB SQL Role Definition.

Name	Type	Description
properties.assignableScopes	string[]	A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
properties.permissions	Permission[]	The set of operations allowed through this Role Definition.
properties.roleName	string	A user-friendly name for the Role Definition. Must be unique for the database account.
properties.type	RoleDefinitionType	Indicates whether the Role Definition was built-in or user created.

SqlRoleDefinitionGetResults

An Azure Cosmos DB SQL Role Definition.

Name	Type	Description
id	string	The unique resource identifier of the database account.
name	string	The name of the database account.
properties.assignableScopes	string[]	A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist.
properties.permissions	Permission[]	The set of operations allowed through this Role Definition.
properties.roleName	string	A user-friendly name for the Role Definition. Must be unique for the database account.
properties.type	RoleDefinitionType	Indicates whether the Role Definition was built-in or user created.
type	string	The type of Azure resource.

SqlResources2 - Create Update Sql Role Definition

URI Parameters

Request Body

Responses

Security

azure_auth

Scopes

Examples

CosmosDBSqlRoleDefinitionCreateUpdate

Sample Request

Sample Response

Definitions

CloudError

ErrorResponse

Permission

RoleDefinitionType

SqlRoleDefinitionCreateUpdateParameters

SqlRoleDefinitionGetResults

Additional resources