Azure role-based access control

Custom Vision supports Azure role-based access control (Azure RBAC), an authorization system for managing individual access to Azure resources. Using Azure RBAC, you assign different team members different levels of permissions for your Custom Vision projects. For more information on Azure RBAC, see the Azure RBAC documentation.

Add role assignment to Custom Vision resource

Azure RBAC can be assigned to a Custom Vision resource. To grant access to an Azure resource, you add a role assignment.

  1. In the Azure portal, select All services.
  2. Then select the Cognitive Services, and navigate to your specific Custom Vision training resource.


    You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. Do this by selecting the desired scope level and then navigating to the desired item (for example, selecting Resource groups and then clicking through to your wanted resource group).

  3. Select Access control (IAM) on the left navigation pane.
  4. Select the Role assignments tab to view the role assignments for this scope.
  5. Select Add -> Add role assignment.
  6. In the Role drop-down list, select a role you want to add.
  7. In the Select list, select a user, group, service principal, or managed identity. If you don't see the security principal in the list, you can type the Select box to search the directory for display names, email addresses, and object identifiers.
  8. Select Save to assign the role.

Within a few minutes, the target will be assigned the selected role at the selected scope.

Custom Vision role types

Use the following table to determine access needs for your Custom Vision resources.

Role Permissions
Cognitive Services Custom Vision Contributor Full access to the projects, including the ability to create, edit, or delete a project.
Cognitive Services Custom Vision Trainer Full access except the ability to create or delete a project. Trainers can view and edit projects and train, publish, unpublish, or export the models.
Cognitive Services Custom Vision Labeler Ability to upload, edit, or delete training images and create, add, remove, or delete tags. Labelers can view projects but can't update anything other than training images and tags.
Cognitive Services Custom Vision Deployment Ability to publish, unpublish, or export the models. Deployers can view projects but can't update a project, training images, or tags.
Cognitive Services Custom Vision Reader Ability to view projects. Readers can't make any changes.