Set RBAC roles for administrative access to Azure Cognitive Search
Azure provides a global role-based authorization model for all services managed through the portal or Resource Manager APIs. Owner, Contributor, and Reader roles determine the level of service administration for Active Directory users, groups, and security principals assigned to each role.
There are no role-based access controls for securing portions of an index or a subset of documents. For identity-based access over search results, you can create security filters to trim results by identity, removing documents that the requestor should not have access to. For more information, see Security filters and Secure with Active Directory.
Management tasks by role
For Azure Cognitive Search, roles are associated with permission levels that support the following management tasks:
| Role | Management tasks |
|---|---|
| Owner | Create or delete the service or any object on the service, including api-keys, indexes, indexers, indexer data sources, and indexer schedules. View service status, including counts and storage size. Add or delete role membership (only an Owner can manage role membership). Subscription administrators and service owners have automatic membership in the Owners role. |
| Contributor | Same level of access as Owner, minus RBAC role management. For example, a Contributor can create or delete objects, or view and regenerate api-keys, but cannot modify role memberships. |
| Search Service Contributor (built-in role) | Equivalent to the Contributor role. |
| Reader | View service essentials and metrics. Members of this role cannot view index, indexer, data source, or key information. |
Roles do not grant access rights to the service endpoint. Search service operations, such as index management, index population, and queries on search data, are controlled through api-keys, not roles. For more information, see Manage api-keys.
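The following Az PowerShell session is an added example, not part of this article, showing how the roles above are scoped to a single search service and how api-keys remain the credential for the endpoint itself. The resource group, service name and the two Azure AD group object IDs are placeholders.

```powershell
# Added example (not from the original article). Assumes the Az.Resources and Az.Search
# modules are installed and Connect-AzAccount has been run.
$rg         = "rg-search-prod"                           # placeholder resource group
$svc        = "contoso-search"                           # placeholder search service name
$opsGroup   = "00000000-0000-0000-0000-000000000001"     # placeholder AAD group object ID (operators)
$auditGroup = "00000000-0000-0000-0000-000000000002"     # placeholder AAD group object ID (auditors)

# Scope the assignments to the service resource, not the subscription or resource group,
# so each grant covers only this search service.
$scope = (Get-AzSearchService -ResourceGroupName $rg -Name $svc).Id

# Operators may manage indexes, indexers, data sources and api-keys, but not role membership
# (Search Service Contributor is equivalent to Contributor).
New-AzRoleAssignment -ObjectId $opsGroup -RoleDefinitionName "Search Service Contributor" -Scope $scope

# Auditors may view service essentials and metrics only; they cannot see index, indexer,
# data source or key information.
New-AzRoleAssignment -ObjectId $auditGroup -RoleDefinitionName "Reader" -Scope $scope

# Review who can regenerate api-keys or change membership at this scope. Assignments
# inherited from the resource group and subscription (for example subscription Owners)
# are included, which is exactly what an audit needs to see.
Get-AzRoleAssignment -Scope $scope |
    Where-Object { $_.RoleDefinitionName -in "Owner", "Contributor", "Search Service Contributor" } |
    Select-Object DisplayName, ObjectType, RoleDefinitionName, Scope

# Roles only govern management operations. Calls to the search endpoint (index management,
# document upload, queries) are authorized by api-keys, which an Owner or Contributor can
# read and regenerate while a Reader cannot.
Get-AzSearchAdminKeyPair -ResourceGroupName $rg -ServiceName $svc
```

Running the last command under an account that holds only Reader at this scope fails with an authorization error, which is the practical difference between the Reader and Contributor rows of the table.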