Sql Resources - Create Update Sql Role Definition

Creates or updates an Azure Cosmos DB SQL Role Definition.

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DocumentDB/databaseAccounts/{accountName}/sqlRoleDefinitions/{roleDefinitionId}?api-version=2025-11-01-preview

URI Parameters

| Name | In | Required | Type | Description |
| --- | --- | --- | --- | --- |
| accountName | path | True | string (minLength: 3, maxLength: 50, pattern: ^[a-z0-9]+(-[a-z0-9]+)*) | Cosmos DB database account name. |
| resourceGroupName | path | True | string (minLength: 1, maxLength: 90) | The name of the resource group. The name is case insensitive. |
| roleDefinitionId | path | True | string | The GUID for the Role Definition. |
| subscriptionId | path | True | string (uuid) | The ID of the target subscription. The value must be a UUID. |
| api-version | query | True | string (minLength: 1) | The API version to use for this operation. |

Request Body

| Name | Type | Description |
| --- | --- | --- |
| properties.assignableScopes | string[] | A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist. |
| properties.permissions | Permission[] | The set of operations allowed through this Role Definition. |
| properties.roleName | string | A user-friendly name for the Role Definition. Must be unique for the database account. |
| properties.type | RoleDefinitionType | Indicates whether the Role Definition was built-in or user created. |

Responses

| Name | Type | Description |
| --- | --- | --- |
| 200 OK | SqlRoleDefinitionGetResults | Resource 'SqlRoleDefinitionGetResults' update operation succeeded |
| 202 Accepted | | Resource operation accepted. Headers: Location: string; Retry-After: integer |
| Other Status Codes | CloudError | An unexpected error response. |

Security

azure_auth

Azure Active Directory OAuth2 Flow.

Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize

Scopes

| Name | Description |
| --- | --- |
| user_impersonation | impersonate your user account |

Examples

CosmosDBSqlRoleDefinitionCreateUpdate

Sample request

PUT https://management.azure.com/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/sqlRoleDefinitions/myRoleDefinitionId?api-version=2025-11-01-preview

{
  "properties": {
    "type": "CustomRole",
    "assignableScopes": [
      "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
      "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases"
    ],
    "permissions": [
      {
        "dataActions": [
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"
        ],
        "notDataActions": []
      }
    ],
    "roleName": "myRoleName"
  }
}

Sample response

{
  "name": "myRoleDefinitionId",
  "type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions",
  "id": "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/sqlRoleDefinitions/myRoleDefinitionId",
  "properties": {
    "type": "CustomRole",
    "assignableScopes": [
      "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/sales",
      "/subscriptions/00000000-1111-2222-3333-444444444444/resourceGroups/myResourceGroupName/providers/Microsoft.DocumentDB/databaseAccounts/myAccountName/dbs/purchases"
    ],
    "permissions": [
      {
        "dataActions": [
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/create",
          "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read"
        ]
      }
    ],
    "roleName": "myRoleName"
  }
}
azure-AsyncOperation: https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DocumentDB/locations/{location}/operationsStatus/{operationId}?api-version=2025-11-01-preview
location: https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.DocumentDB/locations/{location}/operationsStatus/{operationId}?api-version=2025-11-01-preview
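
A pre-flight check for the request described above, added here as an illustration; it is not part of the API reference or of Microsoft's code. The names `account_scope` and `lint_role_definition` and the sample values are constructed. Assumptions: resource IDs compare case-insensitively, and Cosmos DB accepts `*` wildcards in data actions (a behaviour this page does not describe).

```python
import re
import uuid

# Constraints copied from the URI Parameters and Request Body tables above.
ACCOUNT_RE = re.compile(r"[a-z0-9]+(-[a-z0-9]+)*")
ROLE_TYPES = {"BuiltInRole", "CustomRole"}

def account_scope(sub, rg, account):  # the highest enforceable scope
    return (f"/subscriptions/{sub}/resourceGroups/{rg}"
            f"/providers/Microsoft.DocumentDB/databaseAccounts/{account}")

def lint_role_definition(sub, rg, account, role_id, body):
    """Return (severity, message) findings for a role definition PUT."""
    out = []
    if not (3 <= len(account) <= 50 and ACCOUNT_RE.fullmatch(account)):
        out.append(("error", "accountName violates length or pattern"))
    for label, value in (("subscriptionId", sub), ("roleDefinitionId", role_id)):
        try:
            uuid.UUID(value)
        except ValueError:
            out.append(("error", f"{label} is not a GUID"))
    props = body.get("properties", {})
    if "type" in props and props["type"] not in ROLE_TYPES:
        out.append(("error", "type must be BuiltInRole or CustomRole"))
    scopes = props.get("assignableScopes") or []
    if not scopes:
        out.append(("error", "assignableScopes needs at least one element"))
    # Assumption: resource IDs are compared case-insensitively.
    root = account_scope(sub, rg, account).lower()
    for scope in scopes:
        s = scope.rstrip("/").lower()
        if s == root:
            out.append(("warn", "scope covers the entire database account"))
        elif not s.startswith(root + "/"):
            out.append(("error", f"scope not at or below the account: {scope}"))
    for perm in props.get("permissions") or []:
        for action in perm.get("dataActions") or []:
            if "*" in action:  # wildcard grants every operation under the prefix
                out.append(("warn", f"wildcard data action: {action}"))
    return out

# Constructed sample values (not from the page): a role scoped to one database.
SUB, RG, ACCT = "00000000-1111-2222-3333-444444444444", "my-rg", "my-account"
ROLE_ID = "11111111-2222-3333-4444-555555555555"
ITEMS = "Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items"
BODY = {"properties": {"type": "CustomRole", "roleName": "salesReader",
        "assignableScopes": [account_scope(SUB, RG, ACCT) + "/dbs/sales"],
        "permissions": [{"dataActions": [ITEMS + "/read"]}]}}

print(lint_role_definition(SUB, RG, ACCT, ROLE_ID, BODY))
```

Warnings mark definitions that are valid but broader than a single database or a named set of operations, which is what a least-privilege review should look at first.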

Definitions

| Name | Description |
| --- | --- |
| CloudError | An error response from the service. |
| createdByType | The type of identity that created the resource. |
| ErrorResponse | Error Response. |
| Permission | The set of data plane operations permitted through this Role Definition. |
| RoleDefinitionType | Indicates whether the Role Definition was built-in or user created. |
| SqlRoleDefinitionCreateUpdateParameters | Parameters to create and update an Azure Cosmos DB SQL Role Definition. |
| SqlRoleDefinitionGetResults | An Azure Cosmos DB SQL Role Definition. |
| systemData | Metadata pertaining to creation and last modification of the resource. |

CloudError

An error response from the service.

| Name | Type | Description |
| --- | --- | --- |
| error | ErrorResponse | Error Response. |

createdByType

The type of identity that created the resource.

| Value | Description |
| --- | --- |
| User | |
| Application | |
| ManagedIdentity | |
| Key | |

ErrorResponse

Error Response.

| Name | Type | Description |
| --- | --- | --- |
| code | string | Error code. |
| message | string | Error message indicating why the operation failed. |

Permission

The set of data plane operations permitted through this Role Definition.

| Name | Type | Description |
| --- | --- | --- |
| dataActions | string[] | An array of data actions that are allowed. |
| id | string | The id for the permission. |
| notDataActions | string[] | An array of data actions that are denied. |

RoleDefinitionType

Indicates whether the Role Definition was built-in or user created.

| Value | Description |
| --- | --- |
| BuiltInRole | |
| CustomRole | |

SqlRoleDefinitionCreateUpdateParameters

Parameters to create and update an Azure Cosmos DB SQL Role Definition.

| Name | Type | Description |
| --- | --- | --- |
| properties.assignableScopes | string[] | A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist. |
| properties.permissions | Permission[] | The set of operations allowed through this Role Definition. |
| properties.roleName | string | A user-friendly name for the Role Definition. Must be unique for the database account. |
| properties.type | RoleDefinitionType | Indicates whether the Role Definition was built-in or user created. |

SqlRoleDefinitionGetResults

An Azure Cosmos DB SQL Role Definition.

| Name | Type | Description |
| --- | --- | --- |
| id | string (arm-id) | Fully qualified resource ID for the resource. E.g. "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}" |
| name | string | The name of the resource |
| properties.assignableScopes | string[] | A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist. |
| properties.permissions | Permission[] | The set of operations allowed through this Role Definition. |
| properties.roleName | string | A user-friendly name for the Role Definition. Must be unique for the database account. |
| properties.type | RoleDefinitionType | Indicates whether the Role Definition was built-in or user created. |
| systemData | systemData | Azure Resource Manager metadata containing createdBy and modifiedBy information. |
| type | string | The type of the resource. E.g. "Microsoft.Compute/virtualMachines" or "Microsoft.Storage/storageAccounts" |

systemData

Metadata pertaining to creation and last modification of the resource.

| Name | Type | Description |
| --- | --- | --- |
| createdAt | string (date-time) | The timestamp of resource creation (UTC). |
| createdBy | string | The identity that created the resource. |
| createdByType | createdByType | The type of identity that created the resource. |
| lastModifiedAt | string (date-time) | The timestamp of resource last modification (UTC) |
| lastModifiedBy | string | The identity that last modified the resource. |
| lastModifiedByType | createdByType | The type of identity that last modified the resource. |