Defender for Storage Data Scanner

Azure BuiltIn RBAC Role definition

Name: Defender for Storage Data Scanner
Description: Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.
CreatedOn: 2023-06-21 15:30:31 UTC
UpdatedOn: 2023-07-10 15:10:57 UTC
Change history (Date/Time in UTC, ymd)

2023-07-11 17:57:31  change: DisplayName, Description, Actions, DataActions
  New DisplayName: 'Defender for Storage Data Scanner'
  Old DisplayName: 'Storage Data Scanner'
  New Description: 'Grants access to read blobs and update index tags. This role is used by the data scanner of Defender for Storage.'
  Old Description: 'Grants all permissions needed for a storage data scanner.'
  Actions: add Microsoft.Storage/storageAccounts/blobServices/containers/read
  DataActions: add Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read; add Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write; add Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read

2023-06-22 17:48:48  add: Role 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40
Permissions summary

Effective control plane and data plane operations: 4 (unique operations)
•read: 3
•write: 1

Actions: 1
Resolved control plane operations from Actions: 1
Effective control plane operations: 1
•read: 1

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 15649 (control plane operations in the catalogue that this role does not grant; this is the absence of a grant, not a Deny assignment, so another role assignment on the same principal can still grant them)

DataActions: 3
Resolved data plane operations: 3
Effective data plane operations: 3
•read: 2
•write: 1

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3157 (data plane operations in the catalogue that this role does not grant; note that DataActions are evaluated separately from Actions, so a control plane wildcard in another role does not grant these either)
Actions

Operation | Description
Microsoft.Storage/storageAccounts/blobServices/containers/read | Returns list of containers

NotActions: n/a

DataActions

Operation | Description
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Returns a blob or a list of blobs
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read | Returns the result of reading blob tags
Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write | Returns the result of writing blob tags

NotDataActions: n/a

Condition: none
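As an added worked example (not part of this listing or of any Microsoft tooling), the following Python evaluates a role definition offline the way the permissions summary above does: an operation is granted when some Actions (or DataActions) entry matches it and no NotActions (or NotDataActions) entry in the same permission block matches it, and the control plane and data plane lists are evaluated independently. The first role definition is built from the Actions and DataActions listed on this page; the second role, the helper names, and the operation catalogue are constructed for illustration (the catalogue is a handful of Microsoft.Storage operation names, not the full provider list). The wildcard handling assumes `*` matches any substring, including `/`, and that action strings compare case-insensitively.

```python
"""Offline evaluation of an Azure RBAC role definition (added example).

Assumptions (not taken from the page): '*' in an action string matches any
substring including '/', and matching is case-insensitive.
"""
from __future__ import annotations

import re

# Built from the Actions/DataActions listed on the page for role
# 1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40 (Defender for Storage Data Scanner).
# Key names follow the shape `az role definition list` returns.
DEFENDER_STORAGE_DATA_SCANNER = {
    "roleName": "Defender for Storage Data Scanner",
    "id": "1e7ca9b1-60d1-4db8-a914-f2ca1ff27c40",
    "permissions": [{
        "actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/read"],
        "notActions": [],
        "dataActions": [
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write",
            "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read",
        ],
        "notDataActions": [],
    }],
}

# Constructed for contrast (hypothetical, not a real built-in role): a
# control-plane wildcard read role with no DataActions at all.
CONTROL_PLANE_READER = {
    "roleName": "Constructed control-plane reader",
    "permissions": [{"actions": ["*/read"], "notActions": [],
                     "dataActions": [], "notDataActions": []}],
}

# Constructed sample catalogue of (operation, plane) pairs. The plane is a
# property of the operation, not of the string: containers/read is control
# plane, containers/blobs/read is data plane.
SAMPLE_CATALOGUE = [
    ("Microsoft.Storage/storageAccounts/read", "control"),
    ("Microsoft.Storage/storageAccounts/listKeys/action", "control"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/read", "control"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/write", "control"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", "data"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", "data"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", "data"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/read", "data"),
    ("Microsoft.Storage/storageAccounts/blobServices/containers/blobs/tags/write", "data"),
]


def _matches(pattern: str, operation: str) -> bool:
    """Wildcard match: each '*' becomes '.*' so it spans '/' as well;
    everything else is escaped and compared case-insensitively."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str, plane: str) -> bool:
    """Return True if the role grants `operation` on the given plane.

    Actions/NotActions are consulted only for plane == 'control' and
    DataActions/NotDataActions only for plane == 'data'. NotActions subtracts
    from its own block's Actions; it is not a Deny, so a later block (or
    another assignment) can still grant the operation.
    """
    if plane == "control":
        allow_key, deny_key = "actions", "notActions"
    elif plane == "data":
        allow_key, deny_key = "dataActions", "notDataActions"
    else:
        raise ValueError(f"unknown plane: {plane!r}")
    for perm in role["permissions"]:
        allowed = any(_matches(p, operation) for p in perm.get(allow_key, []))
        excluded = any(_matches(p, operation) for p in perm.get(deny_key, []))
        if allowed and not excluded:
            return True
    return False


def effective_operations(role: dict, catalogue: list[tuple[str, str]]) -> list[str]:
    """Filter a catalogue down to the operations the role grants; the page's
    summary counts the same thing against the full provider catalogue."""
    return [op for op, plane in catalogue if is_allowed(role, op, plane)]


if __name__ == "__main__":
    for role in (DEFENDER_STORAGE_DATA_SCANNER, CONTROL_PLANE_READER):
        print(role["roleName"])
        for op in effective_operations(role, SAMPLE_CATALOGUE):
            print("   ", op)
```

Against the sample catalogue the scanner role yields exactly the four operations the summary counts (one control plane read, two data plane reads, one data plane write), while the constructed `*/read` role yields the two control plane reads and nothing on the data plane, which is the point to check before assuming a broad control plane role can read blob contents. To compare this listing with the live definition, `az role definition list --name "Defender for Storage Data Scanner"` returns the same `permissions` block shape and can be passed to `is_allowed` unchanged.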