{"id":2439,"date":"2021-03-02T05:45:19","date_gmt":"2021-03-02T13:45:19","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/cosmosdb\/?p=2439"},"modified":"2021-03-01T18:21:01","modified_gmt":"2021-03-02T02:21:01","slug":"role-based-access-control-preview","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/cosmosdb\/role-based-access-control-preview\/","title":{"rendered":"Role-based access control with Azure AD now in preview"},"content":{"rendered":"<p>The public preview of role-based access control (RBAC) for the Azure Cosmos DB Core (SQL) API was announced today at Microsoft Ignite. With RBAC in <a href=\"https:\/\/azure.microsoft.com\/services\/cosmos-db\/\" target=\"_blank\" rel=\"noopener\">Azure Cosmos DB<\/a>, you can now:<\/p>\n<ul>\n<li>Authenticate your data requests with an Azure Active Directory (AD) identity.<\/li>\n<li>Authorize your data requests with a fine-grained, role-based permission model.<\/li>\n<li>Audit your diagnostic logs to retrieve the Azure AD identity used when accessing your data.<\/li>\n<\/ul>\n<h3>What is RBAC?<\/h3>\n<p>The concepts exposed by the Azure Cosmos DB RBAC should look very familiar to anyone who has used <a href=\"https:\/\/docs.microsoft.com\/azure\/role-based-access-control\/overview\">Azure RBAC<\/a> before.<\/p>\n<ul>\n<li>Our new permission model exposes a set of <strong>actions<\/strong> that map to database operations (like writing a document or executing a query).<\/li>\n<li>You can create <strong>role definitions<\/strong> by assembling a list of actions that a role should allow.<\/li>\n<li>You associate your role definitions with Azure AD identities through <strong>role assignments<\/strong>. Roles can be assigned at the Azure Cosmos DB account, database or container levels.<\/li>\n<\/ul>\n<p><figure id=\"attachment_2456\" aria-labelledby=\"figcaption_attachment_2456\" class=\"wp-caption aligncenter\" ><a href=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2021\/02\/concepts.png\"><img decoding=\"async\" class=\"wp-image-2456 size-full\" src=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2021\/02\/concepts.png\" alt=\"Role-based access control concepts\" width=\"460\" height=\"253\" srcset=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2021\/02\/concepts.png 460w, https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-content\/uploads\/sites\/52\/2021\/02\/concepts-300x165.png 300w\" sizes=\"(max-width: 460px) 100vw, 460px\" \/><\/a><figcaption id=\"figcaption_attachment_2456\" class=\"wp-caption-text\">Example of role definition and assignment<\/figcaption><\/figure><\/p>\n<p>The granularity of the permission model lets you control very precisely what a client is allowed to do. Some examples of custom role definitions:<\/p>\n<ul>\n<li>A read-only role that can only fetch documents by their ID, but not run queries or read from the change feed.<\/li>\n<li>A role that can only insert new documents to an Azure Cosmos DB container, but not read, replace or delete documents.<\/li>\n<\/ul>\n<p>Find<a href=\"https:\/\/docs.microsoft.com\/azure\/cosmos-db\/how-to-setup-rbac#permission-model\" target=\"_blank\" rel=\"noopener\">\u00a0the complete list<\/a> of available actions.<\/p>\n<h3>Managing your role<\/h3>\n<div>To create your role definitions and assignments, you can use new PowerShell cmdlets or Azure CLI commands. Here is a PowerShell example, showing how to create a read-only role and assign it to an Azure AD identity:<\/div>\n<div><script src=\"https:\/\/gist.github.com\/ThomasWeiss\/ff133e3c0f7600659acb55782484ee3e.js\"><\/script><\/div>\n<h3>No more primary keys!<\/h3>\n<div>Once your role definitions and assignments have been created, you can start using an Azure AD identity instead of your Azure Cosmos DB account&#8217;s primary key. When initializing the SDK, just replace the primary key with a <code>TokenCredential<\/code> instance that will resolve to the desired identity:<\/div>\n<div><script src=\"https:\/\/gist.github.com\/ThomasWeiss\/f059ac965c8cc945a9cb56b8e9850946.js\"><\/script><\/div>\n<div>This is currently supported in our .NET and Java SDKs, with broader support coming soon.<\/div>\n<h3>Advanced auditing of data requests<\/h3>\n<div>When you use the Azure Cosmos DB RBAC, the <a href=\"https:\/\/docs.microsoft.com\/azure\/cosmos-db\/cosmosdb-monitor-resource-logs\">logging of your data plane requests<\/a> gets augmented with identity and authorization information. For each data operation received by your Azure Cosmos DB account, you can query:<\/div>\n<ul>\n<li>The Azure AD identity used to authenticate the request.<\/li>\n<li>The ID of the role assignment used to authorize the request.<\/li>\n<\/ul>\n<pre class=\"prettyprint\">AzureDiagnostics \r\n| where ResourceProvider == \"MICROSOFT.DOCUMENTDB\"\r\n    and Category == \"DataPlaneRequests\"\r\n    and ResourceId == \"&lt;yourAccountResourceId&gt;\"\r\n    and OperationName == 'Query'\r\n| summarize by aadPrincipalId_g, aadAppliedRoleAssignmentId_g<\/pre>\n<h3>Getting started<\/h3>\n<p>You can start using role-based access control today to tighten the access control to your Azure Cosmos DB resources. Just head to the <a href=\"https:\/\/docs.microsoft.com\/azure\/cosmos-db\/how-to-setup-rbac\">detailed documentation<\/a> of the Azure Cosmos DB RBAC to get started!<\/p>\n<h3>New to Azure Cosmos DB?<\/h3>\n<ul>\n<li><a href=\"https:\/\/devblogs.microsoft.com\/cosmosdb\/four-ways-to-try-azure-cosmos-db-free\/\">Try Azure Cosmos DB free<\/a> in production or non-production environments<\/li>\n<li>Download the free\u00a0<a href=\"https:\/\/azure.microsoft.com\/resources\/azure-cosmos-db-onboarding-best-practices\/\" target=\"_blank\" rel=\"noopener noreferrer\">best practices and optimization guide\u00a0<\/a><\/li>\n<li class=\"x-hidden-focus\">Visit\u00a0<a href=\"https:\/\/docs.microsoft.com\/en-us\/learn\/browse\/?terms=cosmos%20db\" target=\"_blank\" rel=\"noopener noreferrer\">MS Learn<\/a>\u00a0to build your Azure Cosmos DB skills<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Role-based access controls are now in public preview for Azure Cosmos DB Core (SQL) API. They offer fine-grained control over permissions and add a new layer of security to your databases.<\/p>\n","protected":false},"author":13778,"featured_media":2456,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[12,14,667],"tags":[499,1774],"class_list":["post-2439","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-announcements","category-core-sql-api","category-security","tag-azure-cosmos-db","tag-msignite"],"acf":[],"blog_post_summary":"<p>Role-based access controls are now in public preview for Azure Cosmos DB Core (SQL) API. They offer fine-grained control over permissions and add a new layer of security to your databases.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/2439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/users\/13778"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/comments?post=2439"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/posts\/2439\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media\/2456"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/media?parent=2439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/categories?post=2439"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/cosmosdb\/wp-json\/wp\/v2\/tags?post=2439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}