AzRoleAdvertizer

last sync: 2025-Oct-24 17:22:50 UTC

Key Vault Certificates Officer

Azure BuiltIn RBAC Role definition

Name

Key Vault Certificates Officer
Microsoft Learn

a4417e6f-fecd-4de8-b567-7b0420556985

Description

Perform any action on the certificates of a key vault, except manage permissions. Only works for key vaults that use the 'Azure role-based access control' permission model.

Category

Security
Microsoft Learn

CreatedOn

2020-05-19 17:52:47 UTC

UpdatedOn

2023-06-09 18:51:51 UTC

Permissions summary

Effective control plane and data plane operations: 93 (unique operations)
•: 1
•Action: 19
•Delete: 4
•read: 64
•Write: 5

Actions: 10
Resolved control plane operations from Actions: 80
Effective control plane operations: 80
•: 1
•Action: 12
•Delete: 2
•read: 62
•Write: 3

NotActions: 0
Resolved control plane operations from NotActions: 0
Effective denied control plane operations: 17317

DataActions: 3
Resolved data plane operations: 13
Effective data plane operations: 13
•action: 7
•delete: 2
•read: 2
•write: 2

NotDataActions: 0
Resolved data plane operations from NotDataActions: 0
Effective denied data plane operations: 4068

Actions

Operation	Description
Microsoft.Authorization/*/read	wildcarded / no description
Microsoft.Insights/alertRules/*	wildcarded / no description
Microsoft.KeyVault/checkNameAvailability/read	Checks that a key vault name is valid and is not in use
Microsoft.KeyVault/deletedVaults/read	View the properties of soft deleted key vaults
Microsoft.KeyVault/locations/*/read	wildcarded / no description
Microsoft.KeyVault/operations/read	Lists operations available on Microsoft.KeyVault resource provider
Microsoft.KeyVault/vaults/*/read	wildcarded / no description
Microsoft.Resources/deployments/*	wildcarded / no description
Microsoft.Resources/subscriptions/resourceGroups/read	Gets or lists resource groups.
Microsoft.Support/*	wildcarded / no description

NotActions

n/a

DataActions

Operation	Description
Microsoft.KeyVault/vaults/certificatecas/*	wildcarded / no description
Microsoft.KeyVault/vaults/certificatecontacts/write	Manage Certificate Contact
Microsoft.KeyVault/vaults/certificates/*	wildcarded / no description

NotDataActions

n/a

Used in
BuiltIn Policy

none

History

Date/Time (UTC ymd) (i)	Change	Change detail
2023-06-12 17:45:13	change: DisplayName, DataActions	New DisplayName: 'Key Vault Certificates Officer' Old DisplayName: 'Key Vault Certificates Officer (preview)', DataActions: 'add Microsoft.KeyVault/vaults/certificatecontacts/write'
2020-05-19 20:42:36	add: Role	a4417e6f-fecd-4de8-b567-7b0420556985

JSON

api-version=2023-07-01-preview

Condition

none