Managed HSM local RBAC built-in roles
Managed HSM local RBAC has several built-in roles. You can assign these roles to users, service principals, groups, and managed identities. To allow a principal to perform an operation, you must assign them a role that grants them permission to perform that operations. All these roles and operations only allow you to manage permission for data plane operations. To manage control plane permissions for the Managed HSM resource, you must use Azure role-based access control (Azure RBAC). Some examples of control plane operations are create a new managed HSM or update, move, delete it.
Built-in roles
| Role Name | Description | ID |
|---|---|---|
| Managed HSM Administrator | Grants permissions to perform all operations related to Security Domain, full backup/restore, and role management. Not permitted to perform any key management operations. | a290e904-7015-4bba-90c8-60543313cdb4 |
| Managed HSM Crypto Officer | Grants permissions to perform all role management, purge or recover deleted keys, and export keys. Not permitted to perform any other key management operations. | 515eb02d-2335-4d2d-92f2-b1cbdf9c3778 |
| Managed HSM Crypto User | Grants permissions to perform all key management operations except purge or recover deleted keys, and export keys. | 21dbd100-6940-42c2-9190-5d6cb909625b |
| Managed HSM Policy Administrator | Grants permission to create and delete role assignments | 4bd23610-cdcf-4971-bdee-bdc562cc28e4 |
| Managed HSM Crypto Auditor | Grants read permission to read (but not use) key attributes. | 2c18b078-7c48-4d3a-af88-5a3a1b3f82b3 |
| Managed HSM Crypto Service Encryption User | Grants permission to use a key for service encryption. | 33413926-3206-4cdd-b39a-83574fe37a17 |
| Managed HSM Backup | Grants permission to perform single key or whole HSM backup. | 7b127d3c-77bd-4e3e-bbe0-dbb8971fa7f8 |
Permitted operations
Note
- An 'X' indicates that a role is allowed to perform the data action. Empty cell indicates the role does not have pemission to perform that data action.
- All the data action names have a 'Microsoft.KeyVault/managedHsm' prefix, which is omitted in the tables for brevity.
- All role names have a prefix "Managed HSM" which is omitted in the below table for brevity.
| Data Action | Administrator | Crypto Officer | Crypto User | Policy Administrator | Crypto Service Encryption User | Backup | Crypto Auditor |
|---|---|---|---|---|---|---|---|
| Security Domain management | |||||||
| /securitydomain/download/action | |||||||
| /securitydomain/upload/action | |||||||
| /securitydomain/upload/read | |||||||
| /securitydomain/transferkey/read | |||||||
| Key management | |||||||
| /keys/read/action | |||||||
| /keys/write/action | |||||||
| /keys/rotate/action | |||||||
| /keys/create | |||||||
| /keys/delete | |||||||
| /keys/deletedKeys/read/action | |||||||
| /keys/deletedKeys/recover/action | |||||||
| /keys/deletedKeys/delete | |||||||
| /keys/backup/action | |||||||
| /keys/restore/action | |||||||
| /keys/release/action | |||||||
| /keys/import/action | |||||||
| Key cryptographic operations | |||||||
| /keys/encrypt/action | |||||||
| /keys/decrypt/action | |||||||
| /keys/wrap/action | |||||||
| /keys/unwrap/action | |||||||
| /keys/sign/action | |||||||
| /keys/verify/action | |||||||
| Role management | |||||||
| /roleAssignments/read/action | |||||||
| /roleAssignments/write/action | |||||||
| /roleAssignments/delete/action | |||||||
| /roleDefinitions/read/action | |||||||
| /roleDefinitions/write/action | |||||||
| /roleDefinitions/delete/action | |||||||
| Backup/Restore management | |||||||
| /backup/start/action | |||||||
| /backup/status/action | |||||||
| /restore/start/action | |||||||
| /restore/status/action | |||||||
Next steps
- See an overview of Azure role-based access control (Azure RBAC).
- See a tutorial on Managed HSM role management
Feedback
Submit and view feedback for