You can use both the built-in and custom roles. Item-level and system-level roles are mutually exclusive but are used together to provide comprehensive permissions to report server content and operations. You can assign a built-in role definition or a custom role definition. Allows for read and write access to Azure resources for SQL Server on Arc-enabled servers. Create and manage classic compute domain names. Returns the storage account image. View, edit training images and create, add, remove, or delete the image tags. For information about how to assign roles, see Steps to assign an Azure role. Get a user delegation key, which can then be used to create a shared access signature for a container or blob that is signed with Azure AD credentials. Lists subscriptions under the given management group. If a guest user needs to be able to assign incidents, you need to assign the Directory Reader role to the user, in addition to the Microsoft Sentinel Responder role. A content manager deploys reports, manages report models and data source connections, and makes decisions about how reports are used. Lets you read and modify HDInsight cluster configurations. Get core restrictions and usage for this subscription. Create and manage lab services components. Run reports that are stored in the user's My Reports folder and view report properties. Grant User Access to a Report Server. Creates a storage account with the specified parameters, or updates the properties or tags, or adds a custom domain for the specified storage account. Can manage Application Insights components. Gives user permission to view and download debug snapshots collected with the Application Insights Snapshot Debugger. Deletes a specific managed server Azure Active Directory only authentication object. Adds or updates a specific managed server Azure Active Directory only authentication object. Start execution for a report definition without publishing it to a report server.
Reads the database account read-only keys. Prevents access to account keys and connection strings. Allows read/write access to most objects in a namespace. Manage Azure Automation resources and other resources using Azure Automation. To learn which actions are required for a given data operation, see Permissions for calling blob and queue data operations. Get gateway settings for HDInsight Cluster. Update gateway settings for HDInsight Cluster. Installs or updates an Azure Arc extension. These kinds of modifications suggest the need for a custom role definition that is applied selectively for a specific group of users. Create, Delete, or Modify a Role (Management Studio). Only works for key vaults that use the 'Azure role-based access control' permission model. When you create a role assignment, some tooling requires that you use the role definition ID while other tooling allows you to provide the name of the role. Retrieves the shared keys for the workspace. Returns the Account SAS token for the specified storage account. If the built-in roles don't meet the specific needs of your organization, you can create your own Azure custom roles. Built-in roles cover some common Intune scenarios.
Retrieve a list of managed instance Advanced Threat Protection settings configured for a given instance, Change the managed instance Advanced Threat Protection settings for a given managed instance, Retrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database, Change the database Advanced Threat Protection settings for a given managed database, Retrieve a list of server Advanced Threat Protection settings configured for a given server, Change the server Advanced Threat Protection settings for a given server, Create and manage SQL server auditing settings, Retrieve details of the extended server blob auditing policy configured on a given server, Retrieve a list of database Advanced Threat Protection settings configured for a given database, Change the database Advanced Threat Protection settings for a given database, Create and manage SQL server database auditing settings, Create and manage SQL server database data masking policies, Retrieve details of the extended blob auditing policy configured on a given database. Allows for full access to IoT Hub device registry. Allows push or publish of trusted collections of container registry content. If you are looking for administrator roles for Azure Active Directory (Azure AD), see Azure AD built-in roles. Azure SQL Database. Identify which users and groups require access to the report server, and at what level. Returns usage details for a Recovery Services Vault. Allows for full access to Azure Relay resources. Run a report without publishing it to a report server. Note that this only works if the assignment is done with a user-assigned managed identity.
On the Permissions page, choose the permissions you want to use with this role. Run a user-issued command against a managed Kubernetes server. The "Execute report definitions" task is intended for use with Report Builder. It's typically just called a role. Azure SQL Managed Instance. Readers can't create or update the project. Divide candidate faces into groups based on face similarity. Lets you manage EventGrid event subscription operations. Log Analytics roles grant access to your Log Analytics workspaces. 1-to-many identification to find the closest matches of the specific query person face from a person group or large person group. Applied at lab level, enables you to manage the lab. View and update permissions for Microsoft Defender for Cloud. Read-only actions in the project. Unlink a Storage account from a DataLakeAnalytics account. This permission is applicable to both programmatic and portal access to the Activity Log. The server-level permissions are: For more information about permissions, see Permissions (Database Engine) and sys.fn_builtin_permissions (Transact-SQL). Allows for full read access to IoT Hub data-plane properties. Removes Managed Services registration assignment. Roles are database-level securables. Perform any action on the certificates of a key vault, except manage permissions. Read and list Schema Registry groups and schemas. Consider the following example: the server-level role ##MS_ServerStateReader## holds the permission VIEW SERVER STATE. Contributor of Desktop Virtualization. The Role Management role allows users to view, create, and modify role groups. Grants access to read and write Azure Kubernetes Service clusters. Lets you manage DNS zones and record sets in Azure DNS, but does not let you control who has access to them. Attach playbooks to analytics and automation rules.
Publish a lab by propagating the image of the template virtual machine to all virtual machines in the lab. Returns Storage Configuration for Recovery Services Vault. Allows for send access to Azure Service Bus resources. This role is equivalent to a file share ACL of read on Windows file servers. They include business profile admin, referral admin, incentive admin, incentive user, and Microsoft Cloud Partner Program (formerly the Microsoft Partner Network) partner admin. This role isn't necessary for using workbooks, only for creating and deleting. This role does not allow viewing Secrets, since reading the contents of Secrets enables access to ServiceAccount credentials in the namespace, which would allow API access as any ServiceAccount in the namespace (a form of privilege escalation). These server-level roles introduced prior to SQL Server 2022 (16.x) are not available in Azure SQL Database or Azure Synapse Analytics. Azure AD tenant roles include global admin, user admin, and CSP roles. To add members to a database role, use ALTER ROLE (Transact-SQL). Lets you read, enable, and disable logic apps, but not edit or update them. Displays the permissions of a server-level role. Lets you manage integration service environments, but not access to them. You can create your own custom roles with the exact set of permissions you need. Lets you manage everything under Data Box Service except giving access to others. You should not remove the "View folders" task unless you want to eliminate folder navigation. View and modify system-wide role assignments. Returns the result of deleting a container. Manage results of operations on backup management. Create and manage backup containers inside backup fabrics of a Recovery Services vault. Create and manage results of backup management operations. Create and manage items which can be backed up. Create and manage containers holding backup items. Delete the lab and all its users, schedules and virtual machines.
Full access to the project, including the ability to view, create, edit, or delete projects. Can view CDN profiles and their endpoints, but can't make changes. If the user has elevated permissions, the script will run with those permissions. Allows read access to resource policies and write access to resource component policy events. These roles are security principals that group other principals. However, it is recommended that you keep the "Manage reports" task and the "Manage folders" task to enable basic content management. A login that is a member of this role has a user account in the databases master and WideWorldImporters. At a minimum, this role should support both the "View reports" task and the "View folders" task to support viewing and folder navigation. Removes a SQL Server login or a Windows user or group from a server-level role. For example, you can remove the "Manage individual subscriptions" task if you do not want to support subscriptions, or you can remove the "View resources" task if you do not want users to see collateral documentation or other items that might be uploaded to the report server. Power BI Report Server. Returns all the backup management servers registered with the vault. Allows a user to use the applications in an application group. Read and create quota requests, get quota request status, and create support tickets. When you use the AUTHORIZATION option, the following permissions are also required: to assign ownership of a role to another user requires IMPERSONATE permission on that user. This includes folders, reports, and resources. Joins a load balancer inbound NAT rule. Reader of the Desktop Virtualization Application Group. The My Reports role is a predefined role that includes a set of tasks that are useful for users of the My Reports feature.
Report Builder is a client application that can process a report independently of a report server. While roles are claims, not all claims are roles. Deployment can view the project but can't update. Gets the result of an operation performed on a Protection Container. Can manage Azure Cosmos DB accounts. In the Microsoft Endpoint Manager admin center, choose Tenant administration > Roles > All roles > Create. Gets the alerts for the Recovery Services vault. View the configured and effective network security group rules applied on a VM. Returns the result of modifying permission on a file/folder. Return the list of servers or get the properties for the specified server. Allows for creating managed application resources. Provides permission to backup vault to perform disk restore. Lets you manage all resources in the fleet manager cluster. Microsoft Sentinel uses playbooks for automated threat response. Does not allow you to assign roles in Azure RBAC. Read, write, and delete Azure Storage queues and queue messages. Push or write images to a container registry. For example, a user in a role may have access to data only from a single organization. Azure roles grant access across all your Azure resources, including Log Analytics workspaces and Microsoft Sentinel resources. For asymmetric keys, this operation exposes the public key and includes the ability to perform public key algorithms such as encrypt and verify signature. Lets you update everything in cluster/namespace, except (cluster)roles and (cluster)role bindings. Role groups enable access management for Defender for Identity.
List single or shared recommendations for Reserved Instances for a subscription. Add or remove roles from a role assignment policy. Use the EAC to add or remove roles from a role assignment policy. In the EAC, go to Permissions > User roles, select the role assignment policy, and then click Edit. Permits listing and regenerating storage account access keys. Get information about a policy definition. Log Analytics RBAC. Lets you manage Data Box Service except creating an order or editing order details and giving access to others. Get the current service limit or quota of the specified resource. Creates the service limit or quota request for the specified resource. Get any service limit request for the specified resource. Register the subscription with the Microsoft.Quota resource provider. Registers the subscription with the Microsoft.Compute resource provider. To view Transact-SQL syntax for SQL Server 2014 and earlier, see Previous versions documentation. Create and manage data factories, as well as child resources within them. View, create, update, delete and execute load tests. The following table provides a brief description of each built-in role. Lets you manage Search services, but not access to them. Roles are exposed to the developer through the IsInRole method on the ClaimsPrincipal class. Lets you create new labs under your Azure Lab Accounts. Lets you manage SQL servers and databases, but not access to them, and not their security-related policies. Operator of the Desktop Virtualization User Session. If an uploaded report or HTML file contains malicious script, any user who clicks on the report or HTML document will run the script under his or her credentials.
Allows read-only access to see most objects in a namespace.