AzRoleAdvertizer

last sync: 2025-May-23 18:27:00 UTC

Key Vault Data Access Administrator

Azure BuiltIn RBAC Role definition

NameKey Vault Data Access Administrator
Microsoft Learn
Id8b54135c-b56d-4d72-a534-26097cfdc8d8
DescriptionManage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.
CategorySecurity
Microsoft Learn
CreatedOn2023-06-20 22:26:01 UTC
UpdatedOn2023-12-07 01:33:05 UTC
Permissions summary Effective control plane and data plane operations: 66 (unique operations)
•action: 7
•delete: 2
•read: 54
•write: 3

Actions: 10
Resolved control plane operations from Actions: 66
Effective control plane operations: 66
•action: 7
•delete: 2
•read: 54
•write: 3

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 16494

DataActions: 0
Resolved data plane operations: 0
Effective data plane operations: 0

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 3420
Actions
Operation Description
Microsoft.Authorization/*/readwildcarded / no description
Microsoft.Authorization/roleAssignments/delete conditionedDelete a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/write conditionedCreate a role assignment at the specified scope.
Microsoft.KeyVault/vaults/*/readwildcarded / no description
Microsoft.Management/managementGroups/readList management groups for the authenticated user.
Microsoft.Resources/deployments/*wildcarded / no description
Microsoft.Resources/deployments/*wildcarded / no description
Microsoft.Resources/subscriptions/readGets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/readGets or lists resource groups.
Microsoft.Support/*wildcarded / no description
NotActions n/a
DataActions n/a
NotDataActions n/a
Used in
BuiltIn Policy		 none
History
Date/Time (UTC ymd) (i) Change Change detail
2023-10-09 18:04:57 change: Description, Actions New Description: 'Manage access to Azure Key Vault by adding or removing role assignments for the Key Vault Administrator, Key Vault Certificates Officer, Key Vault Crypto Officer, Key Vault Crypto Service Encryption User, Key Vault Crypto User, Key Vault Reader, Key Vault Secrets Officer, or Key Vault Secrets User roles. Includes an ABAC condition to constrain role assignments.'
Old Description: 'Add or remove key vault data plane role assignments and read resources of all types, except secrets. Includes an ABAC condition to constrain role assignments.',
Actions: 'add Microsoft.KeyVault/vaults/*/read'
2023-09-20 18:01:08 add: Role 8b54135c-b56d-4d72-a534-26097cfdc8d8
JSON
api-version=2023-07-01-preview
Condition

    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/write'
                }
            )
        )
        OR
        (
            @Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            00482a5a-887f-4fb3-b363-3b7fe8e74483 (Key Vault Administrator),
            a4417e6f-fecd-4de8-b567-7b0420556985 (Key Vault Certificates Officer),
            14b46e9e-c2b7-41b4-b07b-48a6ebf60603 (Key Vault Crypto Officer),
            e147488a-f6f5-4113-8e2d-b22465e65bf6 (Key Vault Crypto Service Encryption User),
            12338af0-0e69-4776-bea7-57ae8d297424 (Key Vault Crypto User),
            21090545-7ca7-4776-b22c-e363652d74d2 (Key Vault Reader),
            b86a8fe4-44ce-4948-aee5-eccb2c155cd7 (Key Vault Secrets Officer),
            4633458b-17de-408a-b874-0445c86b69e6 (Key Vault Secrets User)
            }
        )
    )
    AND
    (
        (
            !
            (
                ActionMatches {
                'Microsoft.Authorization/roleAssignments/delete'
                }
            )
        )
        OR
        (
            @Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {
            00482a5a-887f-4fb3-b363-3b7fe8e74483 (Key Vault Administrator),
            a4417e6f-fecd-4de8-b567-7b0420556985 (Key Vault Certificates Officer),
            14b46e9e-c2b7-41b4-b07b-48a6ebf60603 (Key Vault Crypto Officer),
            e147488a-f6f5-4113-8e2d-b22465e65bf6 (Key Vault Crypto Service Encryption User),
            12338af0-0e69-4776-bea7-57ae8d297424 (Key Vault Crypto User),
            21090545-7ca7-4776-b22c-e363652d74d2 (Key Vault Reader),
            b86a8fe4-44ce-4948-aee5-eccb2c155cd7 (Key Vault Secrets Officer),
            4633458b-17de-408a-b874-0445c86b69e6 (Key Vault Secrets User)
            }
        )
    )