Role-based access control for Speech resources
You can manage access and permissions to your Speech resources with Azure role-based access control (Azure RBAC). Assigned roles can vary across Speech resources. For example, you can assign a role to a Speech resource that should only be used to train a Custom Speech model. You can assign another role to a Speech resource that is used to transcribe audio files. Depending on who can access each Speech resource, you can effectively set a different level of access per application or user. For more information on Azure RBAC, see the Azure RBAC documentation.
Note
A Speech resource can inherit or be assigned multiple roles. The final level of access to this resource is the combination of all the roles' permissions at the operation level.
Roles for Speech resources
A role definition is a collection of permissions. When you create a Speech resource, the built-in roles in this table are assigned by default.
| Role | Can list resource keys | Access to data, models, and endpoints |
|---|---|---|
| Owner | Yes | View, create, edit, and delete |
| Contributor | Yes | View, create, edit, and delete |
| Cognitive Services Contributor | Yes | View, create, edit, and delete |
| Cognitive Services User | Yes | View, create, edit, and delete |
| Cognitive Services Speech Contributor | No | View, create, edit, and delete |
| Cognitive Services Speech User | No | View only |
| Cognitive Services Data Reader (Preview) | No | View only |
Important
Whether a role can list resource keys is important for Speech Studio authentication. To list resource keys, a role must have permission to run the Microsoft.CognitiveServices/accounts/listKeys/action operation. If key authentication is disabled in the Azure portal, none of the roles can list keys.
Keep the built-in roles if your Speech resource can have full read and write access to the projects.
For finer-grained resource access control, you can add or remove roles using the Azure portal. For example, you could create a custom role with permission to upload Custom Speech datasets, but without permission to deploy a Custom Speech model to an endpoint.
Authentication with keys and tokens
The roles define what permissions you have. Authentication is required to use the Speech resource.
To authenticate with Speech resource keys, all you need is the key and region. To authenticate with an Azure AD token, the Speech resource must have a custom subdomain and use a private endpoint. The Speech service uses custom subdomains with private endpoints only.
Speech SDK authentication
For the SDK, you configure whether to authenticate with a Speech resource key or Azure AD token. For details, see Azure Active Directory Authentication with the Speech SDK.
Speech Studio authentication
Once you're signed into Speech Studio, you select a subscription and Speech resource. You don't choose whether to authenticate with a Speech resource key or Azure AD token. Speech Studio gets the key or token automatically from the Speech resource. If one of the assigned roles has permission to list resource keys, Speech Studio will authenticate with the key. Otherwise, Speech Studio will authenticate with the Azure AD token.
If Speech Studio uses your Azure AD token, but the Speech resource doesn't have a custom subdomain and private endpoint, then you can't use some features in Speech Studio. In this case, for example, the Speech resource can be used to train a Custom Speech model, but you can't use a Custom Speech model to transcribe audio files.
| Authentication credential | Feature availability |
|---|---|
| Speech resource key | Full access limited only by the assigned role permissions. |
| Azure AD token with custom subdomain and private endpoint | Full access limited only by the assigned role permissions. |
| Azure AD token without custom subdomain and private endpoint (not recommended) | Features are limited. For example, the Speech resource can be used to train a Custom Speech model or Custom Neural Voice, but you can't use a Custom Speech model or Custom Neural Voice. |
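The following added example (not part of the original documentation or of any Microsoft SDK) models the decision described above: it evaluates a set of role definitions for the listKeys operation and returns the credential Speech Studio would use together with the resulting feature availability. The role definitions and function names are constructed for illustration and assume standard Azure RBAC evaluation (`*` wildcards, case-insensitive matching, `notActions` subtracted within a role, roles combined additively).

```python
import re

LIST_KEYS = "Microsoft.CognitiveServices/accounts/listKeys/action"

def matches(pattern, action):
    """Azure RBAC action patterns: '*' is a wildcard, comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """A role grants an action if it is in actions and not carved out by notActions."""
    granted = any(matches(p, action) for p in role.get("actions", []))
    excluded = any(matches(p, action) for p in role.get("notActions", []))
    return granted and not excluded

def can_list_keys(roles, key_auth_disabled=False):
    """Roles combine additively; disabling key authentication overrides all of them."""
    if key_auth_disabled:
        return False
    return any(role_allows(r, LIST_KEYS) for r in roles)

def studio_credential(roles, subdomain_and_private_endpoint, key_auth_disabled=False):
    """Return (credential, feature availability) following the table above."""
    if can_list_keys(roles, key_auth_disabled):
        return ("Speech resource key", "full")
    if subdomain_and_private_endpoint:
        return ("Azure AD token", "full")
    return ("Azure AD token", "limited")

# Constructed role definitions (not the real built-in definitions).
READ_ONLY = {"name": "sample-reader", "actions": ["Microsoft.CognitiveServices/*/read"]}
NO_KEYS = {"name": "sample-no-keys", "actions": ["Microsoft.CognitiveServices/*"],
           "notActions": ["Microsoft.CognitiveServices/accounts/listKeys/action"]}
KEY_LISTER = {"name": "sample-key-lister",
              "actions": ["microsoft.cognitiveservices/accounts/listkeys/action"]}

if __name__ == "__main__":
    cases = [([READ_ONLY], False), ([NO_KEYS], True), ([NO_KEYS, KEY_LISTER], False)]
    for roles, private_endpoint in cases:
        names = [r["name"] for r in roles]
        print(names, private_endpoint, studio_credential(roles, private_endpoint))
```

The third case shows why assignments should be reviewed together: a `notActions` entry in one role does not stop a second role from granting key listing.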
Next steps