Built-in RBAC roles for IoT Operations

Azure IoT Operations (AIO) offers two built-in roles designed to simplify and secure access management for AIO resources: Azure IoT Operations Administrator and Azure IoT Operations Onboarding. If your scenario requires more granular access, you can create a custom RBAC role.

Azure IoT Operations Administrator role

The Azure IoT Operations Administrator role provides comprehensive permissions to manage and operate all Azure IoT Operations components. Assign this role to users who need full access to use AIO resources. To support deployment and ongoing management of AIO, users require additional permissions. If a user only needs to use AIO, you can assign the Administrator role alone.

When assigning this built-in role, you need to ensure that the following roles are also assigned to the user:

• Azure Edge Hardware Center Administrator role: This role grants access to manage and take action as an edge order administrator. It is used for ordering and managing Azure Stack Edge devices.
• Azure Arc Enabled Kubernetes Cluster User role: This role is used to manage Azure Arc-enabled Kubernetes clusters by providing permission to write deployments, manage subscriptions, and handle connected clusters and extensions.
• Key Vault Administrator role: This role allows the user to manage all aspects of Azure Key Vaults, including creating, maintaining, viewing, and deleting keys, certificates, and secrets.
• Kubernetes Extension Contributor role: This role allows users to manage Kubernetes extensions, including creating, updating, and deleting extensions.
• Managed Identity Contributor role: This role allows the user to manage managed identities, including creating, updating, and deleting user-assigned managed identities.
• Monitoring Contributor role: This role allows the user to read all monitoring data and update monitoring settings.
• Resource Group Contributor role: This role grants permissions to manage resources within a resource group, including creating, updating, and deleting resources.
• Secrets Store Extension Owner role: This role allows the user to manage the Secrets Store extension, which synchronizes secrets from Azure Key Vault to Kubernetes clusters.
• Storage Account Contributor role: This role allows the user to manage storage accounts, including creating, updating, and deleting storage accounts, as well as managing access keys and other settings.

Azure IoT Operations Onboarding role

AIO Onboarding is a specialized role that provides the necessary permissions to deploy Azure IoT Operations components.

When assigning this built-in role, you need to ensure that the following roles are also assigned to the user:

• Azure Resource Bridge Deployment role: This role is used to manage the deployment of the Azure Resource Bridge. It includes permissions to read, write, and delete various resources related to the Resource Bridge, such as appliances, locations, and telemetry configurations.
• Kubernetes Cluster – Azure Arc Onboarding role: This role is used for onboarding Kubernetes clusters to Azure Arc.
• Storage Account Contributor role: This role allows the user to manage storage accounts, including creating, updating, and deleting storage accounts, as well as managing access keys and other settings.
• Resource Group Contributor role: This role grants permissions to manage resources within a resource group, including creating, updating, and deleting resources.
• Azure Arc Enabled Kubernetes Cluster User role: This role is used to manage Azure Arc-enabled Kubernetes clusters by providing permission to write deployments, manage subscriptions, and handle connected clusters and extensions.