last sync: 2024-Dec-05 18:53:40 UTC

SQL Security Manager

Azure BuiltIn RBAC Role definition

NameSQL Security Manager
Id056cd41c-7e88-42e1-933e-88ba6a50c9c3
DescriptionLets you manage the security-related policies of SQL servers and databases, but not access to them.
CreatedOn2015-06-16 18:44:40 UTC
UpdatedOn2023-03-02 16:44:21 UTC
History
Date/Time (UTC ymd) (i) Change Change detail
2023-03-03 18:43:27 change: Actions Actions: 'add Microsoft.Sql/managedInstances/serverConfigurationOptions/read; add Microsoft.Sql/managedInstances/serverConfigurationOptions/write; add Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/read'
2022-12-12 17:45:20 change: Actions Actions: 'add Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read; add Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write; add Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read; add Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write; add Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/read; add Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/write; add Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/read; add Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/write; add Microsoft.Sql/servers/advancedThreatProtectionSettings/read; add Microsoft.Sql/servers/advancedThreatProtectionSettings/write; add Microsoft.Sql/servers/advancedThreatProtectionSettings/read; add Microsoft.Sql/servers/advancedThreatProtectionSettings/write; add Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read; add Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write; add Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/read; add Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/write'
2022-11-16 17:42:38 change: Actions Actions: 'add Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*; add Microsoft.Sql/servers/sqlvulnerabilityAssessments/*; add Microsoft.Sql/servers/databases/ledgerDigestUploads/*; add Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/read; add Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/read'
2022-04-28 17:39:09 change: Actions Actions: 'add Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*'
2021-03-09 14:37:39 change: Actions Actions: 'add Microsoft.Sql/servers/devOpsAuditingSettings/*'
2021-02-15 15:24:20 change: Actions Actions: 'add Microsoft.Sql/managedInstances/administrators/read; add Microsoft.Sql/servers/administrators/read'
2020-12-10 15:11:36 change: Actions Actions: 'add Microsoft.Security/sqlVulnerabilityAssessments/*'
2020-10-20 13:29:34 change: Actions Actions: 'remove Microsoft.Sql/servers/auditingPolicies/*; remove Microsoft.Sql/servers/databases/auditingPolicies/*; remove Microsoft.Sql/servers/databases/connectionPolicies/*'
Permissions summary Effective control plane and data plane operations: 197 (unique operations)
•: 1
•Action: 24
•Delete: 18
•read: 111
•Write: 43

Actions: 73
Resolved control plane operations from Actions: 197
Effective control plane operations: 197
•: 1
•Action: 24
•Delete: 18
•read: 111
•Write: 43

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 15995

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3303
Actions
Operation Description
Microsoft.Authorization/*/readwildcarded / no description
Microsoft.Insights/alertRules/*wildcarded / no description
Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/actionJoins resource such as storage account or SQL database to a subnet. Not alertable.
Microsoft.ResourceHealth/availabilityStatuses/readGets the availability statuses for all resources in the specified scope
Microsoft.Resources/deployments/*wildcarded / no description
Microsoft.Resources/subscriptions/resourceGroups/readGets or lists resource groups.
Microsoft.Security/sqlVulnerabilityAssessments/*wildcarded / no description
Microsoft.Sql/locations/administratorAzureAsyncOperation/readGets the Managed instance azure async administrator operations result.
Microsoft.Sql/locations/ledgerDigestUploadsAzureAsyncOperation/readGets in-progress operations of ledger digest upload settings
Microsoft.Sql/locations/ledgerDigestUploadsOperationResults/readGets in-progress operations of ledger digest upload settings
Microsoft.Sql/locations/serverConfigurationOptionAzureAsyncOperation/readGets the status of Azure SQL Managed Instance Server Configuration Option Azure async operation.
Microsoft.Sql/managedInstances/administrators/readGets a list of managed instance administrators.
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/readRetrieve a list of managed instance Advanced Threat Protection settings configured for a given instance
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/readRetrieve a list of managed instance Advanced Threat Protection settings configured for a given instance
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/writeChange the managed instance Advanced Threat Protection settings for a given managed instance
Microsoft.Sql/managedInstances/advancedThreatProtectionSettings/writeChange the managed instance Advanced Threat Protection settings for a given managed instance
Microsoft.Sql/managedInstances/azureADOnlyAuthentications/*wildcarded / no description
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/readRetrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/readRetrieve a list of the managed database Advanced Threat Protection settings configured for a given managed database
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/writeChange the database Advanced Threat Protection settings for a given managed database
Microsoft.Sql/managedInstances/databases/advancedThreatProtectionSettings/writeChange the database Advanced Threat Protection settings for a given managed database
Microsoft.Sql/managedInstances/databases/currentSensitivityLabels/*wildcarded / no description
Microsoft.Sql/managedInstances/databases/recommendedSensitivityLabels/*wildcarded / no description
Microsoft.Sql/managedInstances/databases/schemas/tables/columns/sensitivityLabels/*wildcarded / no description
Microsoft.Sql/managedInstances/databases/securityAlertPolicies/*wildcarded / no description
Microsoft.Sql/managedInstances/databases/sensitivityLabels/*wildcarded / no description
Microsoft.Sql/managedInstances/databases/transparentDataEncryption/*wildcarded / no description
Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/*wildcarded / no description
Microsoft.Sql/managedInstances/readReturn the list of managed instances or gets the properties for the specified managed instance.
Microsoft.Sql/managedInstances/securityAlertPolicies/*wildcarded / no description
Microsoft.Sql/managedInstances/serverConfigurationOptions/readGets properties for the specified Azure SQL Managed Instance Server Configuration Option.
Microsoft.Sql/managedInstances/serverConfigurationOptions/writeUpdates Azure SQL Managed Instance's Server Configuration Option properties for the specified instance.
Microsoft.Sql/managedInstances/vulnerabilityAssessments/*wildcarded / no description
Microsoft.Sql/servers/administrators/readGets a specific Azure Active Directory administrator object
Microsoft.Sql/servers/advancedThreatProtectionSettings/readRetrieve a list of server Advanced Threat Protection settings configured for a given server
Microsoft.Sql/servers/advancedThreatProtectionSettings/readRetrieve a list of server Advanced Threat Protection settings configured for a given server
Microsoft.Sql/servers/advancedThreatProtectionSettings/writeChange the server Advanced Threat Protection settings for a given server
Microsoft.Sql/servers/advancedThreatProtectionSettings/writeChange the server Advanced Threat Protection settings for a given server
Microsoft.Sql/servers/auditingSettings/*wildcarded / no description
Microsoft.Sql/servers/azureADOnlyAuthentications/*wildcarded / no description
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/readRetrieve a list of database Advanced Threat Protection settings configured for a given database
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/readRetrieve a list of database Advanced Threat Protection settings configured for a given database
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/writeChange the database Advanced Threat Protection settings for a given database
Microsoft.Sql/servers/databases/advancedThreatProtectionSettings/writeChange the database Advanced Threat Protection settings for a given database
Microsoft.Sql/servers/databases/auditingSettings/*wildcarded / no description
Microsoft.Sql/servers/databases/auditRecords/readRetrieve the database blob audit records
Microsoft.Sql/servers/databases/currentSensitivityLabels/*wildcarded / no description
Microsoft.Sql/servers/databases/dataMaskingPolicies/*wildcarded / no description
Microsoft.Sql/servers/databases/extendedAuditingSettings/readRetrieve details of the extended blob auditing policy configured on a given database
Microsoft.Sql/servers/databases/ledgerDigestUploads/*wildcarded / no description
Microsoft.Sql/servers/databases/readReturn the list of databases or gets the properties for the specified database.
Microsoft.Sql/servers/databases/recommendedSensitivityLabels/*wildcarded / no description
Microsoft.Sql/servers/databases/schemas/readGet a database schema.
Microsoft.Sql/servers/databases/schemas/tables/columns/readGet a database column.
Microsoft.Sql/servers/databases/schemas/tables/columns/sensitivityLabels/*wildcarded / no description
Microsoft.Sql/servers/databases/schemas/tables/readGet a database table.
Microsoft.Sql/servers/databases/securityAlertPolicies/*wildcarded / no description
Microsoft.Sql/servers/databases/securityMetrics/*wildcarded / no description
Microsoft.Sql/servers/databases/sensitivityLabels/*wildcarded / no description
Microsoft.Sql/servers/databases/sqlvulnerabilityAssessments/*wildcarded / no description
Microsoft.Sql/servers/databases/transparentDataEncryption/*wildcarded / no description
Microsoft.Sql/servers/databases/vulnerabilityAssessments/*wildcarded / no description
Microsoft.Sql/servers/databases/vulnerabilityAssessmentScans/*wildcarded / no description
Microsoft.Sql/servers/databases/vulnerabilityAssessmentSettings/*wildcarded / no description
Microsoft.Sql/servers/devOpsAuditingSettings/*wildcarded / no description
Microsoft.Sql/servers/extendedAuditingSettings/readRetrieve details of the extended server blob auditing policy configured on a given server
Microsoft.Sql/servers/externalPolicyBasedAuthorizations/*wildcarded / no description
Microsoft.Sql/servers/firewallRules/*wildcarded / no description
Microsoft.Sql/servers/readReturn the list of servers or gets the properties for the specified server.
Microsoft.Sql/servers/securityAlertPolicies/*wildcarded / no description
Microsoft.Sql/servers/sqlvulnerabilityAssessments/*wildcarded / no description
Microsoft.Sql/servers/vulnerabilityAssessments/*wildcarded / no description
Microsoft.Support/*wildcarded / no description
NotActions n/a
DataActions n/a
NotDataActions n/a
Used in
BuiltIn Policy
Policy DisplayName Policy Id Category State
Configure Azure Defender to be enabled on SQL managed instances c5a62eb0-c65a-4220-8a4d-f70dd4ca95dd SQL GA
Configure Azure Defender to be enabled on SQL servers 36d49e87-48c4-4f2e-beed-ba4ed02b71f5 SQL GA
Configure Azure SQL database servers diagnostic settings to Log Analytics workspace 7ea8a143-05e3-4553-abfe-f56bef8b0b70 SQL GA
Configure Microsoft Defender for SQL to be enabled on Synapse workspaces 951c1558-50a5-4ca3-abb6-a93e3e2367a6 Security Center GA
Configure SQL servers to have auditing enabled f4c68484-132f-41f9-9b6d-3e4b1cb55036 SQL GA
Configure SQL servers to have auditing enabled to Log Analytics workspace 25da7dfb-0666-4a15-a8f5-402127efd8bb SQL GA
Configure Synapse workspaces to have auditing enabled ac7891a4-ac7a-4ba0-9ae9-c923e5a225ee Synapse GA
Deploy Advanced Data Security on SQL servers 6134c3db-786f-471e-87bc-8f479dc890f6 SQL GA
JSON
api-version=2023-07-01-preview
Condition none