ChrisHibberd-9452 asked:

What roles are required for a user to view device provisioning service enrollment groups?

Hi

I am trying to configure IAM settings for our Device Provisioning Service (DPS) so that a group of users has permission to view the resources, including the enrollment groups. I have tried adding the Reader role at the resource group scope and the Device Provisioning Service Data Reader role at the DPS scope, but the users in the group still cannot view the enrollment groups. In the portal, they can view the DPS page, but when they select "Manage Enrollments" an error dialogue is displayed, as shown below. Is anyone able to let me know what permissions I have to add to enable this action?

Thanks,

Chris




1 Answer

asergaz answered:

Hello @ChrisHibberd-9452,

You should just need to give the Device Provisioning Service Data Reader role at the Azure IoT DPS scope. Can you try creating a custom role and, instead of using the wildcard, select all the Microsoft.Devices/provisioningServices read permissions? See how to create a custom role in the portal here. I would clone the Device Provisioning Service Data Reader role and select the permissions needed, as described in Permissions for Azure IoT Hub Device Provisioning Service (DPS) APIs:


You can use this JSON list to test:


"permissions": [
    {
        "actions": [
            "Microsoft.Devices/provisioningServices/Read",
            "Microsoft.Devices/provisioningServices/certificates/Read",
            "Microsoft.Devices/provisioningServices/operationresults/Read",
            "Microsoft.Devices/provisioningServices/skus/Read",
            "Microsoft.Devices/provisioningServices/privateEndpointConnectionProxies/Read",
            "Microsoft.Devices/provisioningServices/privateEndpointConnectionProxies/operationResults/Read",
            "Microsoft.Devices/provisioningServices/privateEndpointConnections/Read",
            "Microsoft.Devices/provisioningServices/privateEndpointConnections/operationResults/Read",
            "Microsoft.Devices/provisioningServices/privateLinkResources/Read",
            "Microsoft.Devices/provisioningServices/diagnosticSettings/read",
            "Microsoft.Devices/provisioningServices/logDefinitions/read",
            "Microsoft.Devices/provisioningServices/metricDefinitions/read"
        ],
        "notActions": [],
        "dataActions": [
            "Microsoft.Devices/provisioningServices/registrationStates/read",
            "Microsoft.Devices/provisioningServices/enrollmentGroups/read",
            "Microsoft.Devices/provisioningServices/enrollments/read"
        ],
        "notDataActions": []
    }
]

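The point behind the answer's JSON is the split between control-plane permissions (actions, which is all a role like Reader carries) and data-plane permissions (dataActions, where enrollmentGroups/read lives): an assignment whose only read grant is in actions never lets a user list enrollment groups, however broad its wildcard. This is an added example, not code from the thread or from Microsoft; it implements Azure RBAC's wildcard and not* matching and checks the custom role above against it. The built-in Reader definition used here is assumed to be actions ["*/read"] with no dataActions.

```python
import re
from typing import Iterable

# Custom role permissions taken from the answer above, trimmed to the entries used here.
DPS_READ_ROLE = {
    "actions": [
        "Microsoft.Devices/provisioningServices/Read",
        "Microsoft.Devices/provisioningServices/certificates/Read",
        "Microsoft.Devices/provisioningServices/diagnosticSettings/read",
    ],
    "notActions": [],
    "dataActions": [
        "Microsoft.Devices/provisioningServices/registrationStates/read",
        "Microsoft.Devices/provisioningServices/enrollmentGroups/read",
        "Microsoft.Devices/provisioningServices/enrollments/read",
    ],
    "notDataActions": [],
}

# Built-in Reader role as assumed here: wildcard control-plane read, no data actions.
READER_ROLE = {"actions": ["*/read"], "notActions": [], "dataActions": [], "notDataActions": []}


def _matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard semantics: '*' matches any run of characters (including '/'),
    and comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def _granted(allow: Iterable[str], deny: Iterable[str], operation: str) -> bool:
    # Effective permission = allow list minus the corresponding not* list.
    return any(_matches(p, operation) for p in allow) and not any(_matches(p, operation) for p in deny)


def is_allowed(role: dict, operation: str, data_action: bool) -> bool:
    """True if `role` grants `operation` in the requested plane. Control-plane operations
    (ARM reads, listkeys) are checked against actions; data-plane operations such as
    enrollmentGroups/read are checked only against dataActions, never against actions."""
    if data_action:
        return _granted(role["dataActions"], role["notDataActions"], operation)
    return _granted(role["actions"], role["notActions"], operation)


if __name__ == "__main__":
    op = "Microsoft.Devices/provisioningServices/enrollmentGroups/read"
    # Reader's "*/read" would match the string, but it lives in actions, not dataActions.
    print("Reader grants enrollment-group read:", is_allowed(READER_ROLE, op, data_action=True))
    print("Custom role grants it:", is_allowed(DPS_READ_ROLE, op, data_action=True))
```

Running it prints False for Reader and True for the custom role, which is the behaviour the portal showed: Reader at resource-group scope opens the DPS page but not the enrollment list.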

ChrisHibberd-9452 commented:

Thanks @asergaz, that worked perfectly. The "Microsoft.Devices/provisioningServices/listkeys/Action" permission is not included in the recommended "Device Provisioning Service Data Contributor" role, as that role only has data_action permissions.
