This article is about role-based access control for management plane operations in Azure Cosmos DB. If you are using data plane operations, data is secured using primary keys, resource tokens, or the Azure Cosmos DB RBAC. To learn more about role-based access control applied to data plane operations in the SQL API, see the Secure access to data and Azure Cosmos DB RBAC articles. For the Cosmos DB API for MongoDB, see Data Plane RBAC in the API for MongoDB.

Azure Cosmos DB provides built-in Azure role-based access control (Azure RBAC) for common management scenarios in Azure Cosmos DB. An individual who has a profile in Azure Active Directory can assign these Azure roles to users, groups, service principals, or managed identities to grant or deny access to resources and operations on Azure Cosmos DB resources. Role assignments are scoped to control-plane access only, which includes access to Azure Cosmos accounts, databases, containers, and offers (throughput).

The following are the built-in roles supported by Azure Cosmos DB:

| Built-in role | Description |
|---|---|
| CosmosBackupOperator | Can submit a restore request for Azure portal for a periodic backup enabled database or a container. Can modify the backup interval and retention on the Azure portal. Cannot access any data or use Data Explorer. |
| CosmosRestoreOperator | Can perform restore action for Azure Cosmos DB account with continuous backup mode. |
| Cosmos DB Operator | Can provision Azure Cosmos accounts, databases, and containers. Cannot access any data or use Data Explorer. |

The Access control (IAM) pane in the Azure portal is used to configure Azure role-based access control on Azure Cosmos resources. The roles are applied to users, groups, service principals, and managed identities in Active Directory. You can use built-in roles or custom roles for individuals and groups. The following screenshot shows Active Directory integration (Azure RBAC) using access control (IAM) in the Azure portal:

[Screenshot: Access control (IAM) pane for an Azure Cosmos DB account in the Azure portal]

In addition to the built-in roles, users may also create custom roles in Azure and apply these roles to service principals across all subscriptions within their Active Directory tenant. Custom roles provide users a way to create Azure role definitions with a custom set of resource provider operations. Custom roles that need to access data stored within Cosmos DB or use Data Explorer in the Azure portal must have the Microsoft.DocumentDB/databaseAccounts/listKeys/* action. To learn which operations are available for building custom roles for Azure Cosmos DB, see Azure Cosmos DB resource provider operations.

## Preventing changes from the Azure Cosmos DB SDKs

The Azure Cosmos DB resource provider can be locked down to prevent any changes to resources from a client connecting using the account keys (that is, applications connecting via the Azure Cosmos SDK). This feature may be desirable for users who want higher degrees of control and governance for production environments. Preventing changes from the SDK also enables features such as resource locks and diagnostic logs for control plane operations.

The clients connecting from the Azure Cosmos DB SDK will be prevented from changing any property of the Azure Cosmos accounts, databases, containers, and throughput. The operations involving reading and writing data to Cosmos containers themselves are not impacted. When this feature is enabled, changes to any resource can only be made by a user with the right Azure role and Azure Active Directory credentials, including Managed Service Identities.

This setting will prevent any changes to any Cosmos resource from any client connecting using account keys, including any Cosmos DB SDK and any tools that connect via account keys. Enabling this feature can have an impact on your application. Make sure that you understand the impact before enabling it.
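As an added example (not part of the original article), the following Python audit encodes the two control-plane checks described above: whether an account blocks metadata writes from account-key clients, and whether a custom role carries the listKeys action its holders need to read data or use Data Explorer. It assumes the ARM property `disableKeyBasedMetadataWriteAccess` on the account resource and the standard Azure role definition layout (`permissions[].actions` / `notActions`); the account and roles below are constructed samples.

```python
from fnmatch import fnmatchcase

# Operation a custom role needs before its holders can read data or use Data Explorer
# (the article states it as Microsoft.DocumentDB/databaseAccounts/listKeys/*).
LISTKEYS_ACTION = "Microsoft.DocumentDB/databaseAccounts/listKeys/action"
# ARM account property behind "Preventing changes from the Azure Cosmos DB SDKs" (assumed name).
LOCKDOWN_PROPERTY = "disableKeyBasedMetadataWriteAccess"


def action_granted(role: dict, action: str) -> bool:
    """Evaluate one action against an Azure role definition.

    Azure matches Actions/NotActions case-insensitively with '*' wildcards; an action
    is granted only if some Actions pattern matches and no NotActions pattern matches.
    """
    def matches(field: str) -> bool:
        return any(
            fnmatchcase(action.lower(), pattern.lower())
            for perm in role.get("permissions", [])
            for pattern in perm.get(field, [])
        )
    return matches("actions") and not matches("notActions")


def audit(account: dict, roles: list) -> list:
    """Return findings for one account and the custom roles meant to give data access on it."""
    findings = []
    if not account.get("properties", {}).get(LOCKDOWN_PROPERTY, False):
        findings.append(f"{account['name']}: {LOCKDOWN_PROPERTY} is off; account-key clients "
                        "can still change account, database, container and throughput settings")
    for role in roles:
        if not action_granted(role, LISTKEYS_ACTION):
            findings.append(f"{role['roleName']}: lacks {LISTKEYS_ACTION}; holders cannot "
                            "read data or use Data Explorer")
    return findings


# Constructed sample input (no real subscription, account or role).
SAMPLE_ACCOUNT = {"name": "contoso-cosmos",
                  "properties": {"disableKeyBasedMetadataWriteAccess": False}}
SAMPLE_ROLES = [
    {"roleName": "Cosmos Metadata Reader",
     "permissions": [{"actions": ["Microsoft.DocumentDB/databaseAccounts/read"], "notActions": []}]},
    {"roleName": "Cosmos Data Explorer User",
     "permissions": [{"actions": ["Microsoft.DocumentDB/databaseAccounts/*"],
                      "notActions": ["Microsoft.DocumentDB/databaseAccounts/delete"]}]},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACCOUNT, SAMPLE_ROLES):
        print(finding)
```

In a real environment, feed it the JSON from `az cosmosdb show` and `az role definition list --custom-role-only true` instead of the samples.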