# Azure permission mapping
| Category | Entity create level | Tessell Permission | Cloud Description | Applicable for Register Use Case(Not completely managed Tessell Sub) | Feature Mapping | Private CP DP Use Case |
| ------------------------------------- | -------------------------- | ------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------- | ------------------------------------ |
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/read | Grants read access to blob services within storage accounts. | Yes | Subscription | Private CP DP
Public CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/write | Allows updating settings of blob services within storage
accounts.
| Yes | Subscription | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/\* | Grants all permissions on blobs within containers in blob
services of storage accounts.
| Yes | PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action | Allows adding new blobs to containers. | Yes | PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete | Grants permission to delete blobs within containers. | Yes | SLA | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action | Allows moving blobs between containers or within a container. | Yes | PITR,DAP | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read | Grants read access to blobs within containers. | Yes
| PITR,Clone | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write | Allows writing or updating blobs within containers. | Yes
| PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/listkeys/action | Allows listing the access keys for a storage account. | Yes
| PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/checknameavailability/read | Allows checking the availability of a storage account name. | Yes | PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/read | Grants read access to storage accounts | Yes
| Subscription,PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/write | Allows creating or updating storage accounts. | No
| Subscription,PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/delete | Grants permission to delete storage accounts. | No
| Delete AM | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/locations/checknameavailability/read | Allows checking storage account name availability in specific
locations.
| Yes
| PITR | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/operations/read | Grants read access to storage account operations metadata. | Yes
| PITR,Clone | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/objectReplicationPolicies/write | Allows creating or updating object replication policies for storage accounts. | Yes | DAP | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/objectReplicationPolicies/read | Grants read access to object replication policies within storage accounts. | Yes | DAP | Public CP DP
Private CP DP
|
| Storage Account | Region | Microsoft.Storage/storageAccounts/objectReplicationPolicies/delete | Grants permission to delete object replication policies within
storage accounts.
| Yes | DAP | Public CP DP
Private CP DP
|
| Compute Operations | | Microsoft.Compute/locations/operations/read | Grants read access to compute operations in specific locations. | Yes | Provisioning,Add Instance,Clone,Restore,Service
Resize
| Public CP DP
Private CP DP
|
| Data Collection Endpoints | Region | Microsoft.Insights/DataCollectionEndpoints/Write | Allows creating or updating data collection endpoints. | Yes | Subscription, DB Logs | Public CP DP
Private CP DP
|
| Data Collection Endpoints | Region | Microsoft.Insights/DataCollectionEndpoints/Read | Grants read access to data collection endpoints. | Yes | Subscription,Provisioning,Add
Instance,Clone,Restore, DB Logs
| Public CP DP
Private CP DP
|
| Data Collection Endpoints | Region | Microsoft.Insights/DataCollectionEndpoints/Delete | Grants permission to delete data collection endpoints. | Yes
| Subscription,DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRuleAssociations/Write | Allows creating or updating data collection rule associations. | Yes
| Provisioning,Add Instance,Clone,Restore, DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRuleAssociations/Read | Grants read access to data collection rule associations. | Yes
| Provisioning,Add Instance,Clone,Restore, DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRuleAssociations/Delete | Grants permission to delete data collection rule associations. | Yes
| Delete Service,DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRules/write | Allows creating or updating data collection rules. | Yes
| Provisioning,Add Instance,Clone,Restore,DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRules/read | Grants read access to data collection rules. | Yes
| Provisioning,Add Instance,Clone,Restore, DB Logs | Public CP DP
Private CP DP
|
| Data Collection Rules | Compute
Resource
| Microsoft.Insights/dataCollectionRules/Delete | Grants permission to delete data collection rules. | Yes
| Delete Service,DB Logs | Public CP DP
Private CP DP
|
| Disk Encryption Sets | Region | Microsoft.Compute/diskEncryptionSets/read | Grants read access to disk encryption sets. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Disk Encryption Sets | Region | Microsoft.Compute/diskEncryptionSets/write | Allows creating or updating disk encryption sets. | No
| Provisioning,Add Instance,Clone,Restore-BYOK | Public CP DP
Private CP DP
|
| Disk Encryption Sets | Region | Microsoft.Compute/diskEncryptionSets/delete | Grants permission to delete disk encryption sets. | No
| Provisioning,Add Instance,Clone,Restore-BYOK | Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/read | Grants read access to disks. | Yes
| Provisioning,Add
Instance,Clone,Restore,Patching,Resize
| Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/write | Allows creating or updating disks. | Yes
| Provisioning,Add
Instance,Clone,Restore,Patching,Resize
| Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/delete | Grants permission to delete disks. | Yes | Delete Service, Delete Instance, Patching | Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/beginGetAccess/action | Initiates access to a disk. | Yes | Provisioning,Add
Instance,Clone,Restore,Patching,Resize
| Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/endGetAccess/action | Revokes access toa disk. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/download/action | Allows downloading disks. | Yes | | Public CP DP
Private CP DP
|
| Disks | DB Service | Microsoft.Compute/disks/upload/action | Allows uploading data to disks. | Yes | | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/accessPolicies/write | Allows creating or updating access policies for a Key Vault. | No | Subscription | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/deploy/action | Allows deploying resources into a Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/versions/read | Grants read access to all versions of a key in a Key Vault. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/read | Grants read access to keys stored in a Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/write | Allows creating or updating keys in a Key Vault. | No
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/encrypt/action | Allows encrypting data using keys stored in the Key Vault. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/decrypt/action | Allows decrypting data using keys stored in the Key Vault. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/create/action | Allows creating new keys in the Key Vault. | No
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/update/action | Allows updating existing keys in the Key Vault. | No
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/delete | Grants permmission to delete keys from the Key Vault. | No
| Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/purge/action | Allows purging deleted keys from the Key Vault permanently. | No | Delete Service,Delete Instance | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/keys/import/action | Allows importing keys into the Key Vault. | No
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/ocations/operationResults/read | Grants read access to the results of Key Vault operations in
specific locations.
| Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/operations/read | Grants read access to Key Vault operations metadata. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/write | Allows creating or updating secrets in a Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CPDP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/delete | Grants permission to delete secrets from the Key Vault. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/getSecret/action | Allows retrieving (reading) secrets from the Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/update/action | Allows updating secrets in the Key Vault. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/purge/action | Allows purging deleted secrets from the Key Vault permanently. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/secrets/setSecret/action | Allows setting (creating or updating) secrets in the Key Vault. | Yes | Change Password | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/read | Grants read access to Key Vaults. | Yes | | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/write | Allows creating or updating Key Vaults. | No | | Public CP DP
Private CP DP
|
| Key Vault | Region | Microsoft.KeyVault/vaults/delete | Grants permission to delete Key Vaults. | No
| | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/backendAddressPools/write | Allows creating or updating backend address pools of load
balancers.
| Yes | | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/backendAddressPools/read | Grants read access to backend address pools of load balanoers. | Yes | | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/backendAddressPools/delete | Grants permission to delete backend address pools of load
balancers.
| Yes | | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/backendAddressPools/join/action | Allows backend pools to be associated with other resources. | Yes | | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/read | Grants read access to load balancers. | Yes | Create Private Link | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/write | Allows creating or updating load balancers. | Yes | Create Private Link | Public CP DP
Private CP DP
|
| Load Balancer | VPC | Microsoft.Network/loadBalancers/delete | Grants permission to delete load balancers. | Yes | Create Private Link | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/datasources/write | Allows creating or updating data sources in a Log Analytics
workspace.
| Yes | Provisioning,Add Instance,Clone,Restore, DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/locations/operationstatuses/read | Grants read access to operation statuses of Log Analytics in
specific locations.
| Yes | Subscription, Provisioning,Add
Instance,Clone,Restore, DB Logs
| Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.OperationalInsights/workspaces/tables/query/read | Grants read access to queries on tables in a Log Analytics
workspace.
| Yes | DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/tables/write | Allows creating or updating tables in a Log Analytics workspace. | Yes | Subscription,DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/tables/read | Grants read access to tables in a Log Analytics workspace. | Yes | Subscription,DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/tables/delete | Grants permission to delete tables in a Log Analytics workspace. | Yes | Subscription,DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/query/"/read | Grants read access to all queries in a Log Analytics workspace. | Yes | DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/read | Grants read access to Log Analytics workspaces. | Yes | Subscription, DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/sharedkeys/action | Allows access to shared keys of a Log Analytics workspace. | Yes | Subscription,DB Logs | Public CP DP
Private CP DP
|
| Log Analytics Workspace | Resource
Group
| Microsoft.Operationallnsights/workspaces/delete | Grants permission to delete Log Analytics workspaces. | No | Subscription,DB Logs | Public CP DP
Private CP DP
|
| NAT Gateway | VPC | Microsoft.Network/natGateways/write | Allows creating or updating NAT gateways. | Yes | Update Service access from Public to
Private(Non-BYON)
| Public CP DP |
| NAT Gateway | VPC | Microsoft.Network/natGateways/delete | Grants permission to delete NAT gateways. | Yes | Update Service access from Public to
Private(Non-BYON)
| Public CP DP |
| NAT Gateway | VPC | Microsoft.Network/natGateways/read | Grants read access to NAT gateways. | Yes
| Update Service access from Public to
Private(Non-BYON)
| Public CP DP |
| NAT Gateway | VPC | Microsoft.Network/natGateways/join/action | Allows NAT gateways to be associated with other resources. | Yes
| Update Service access from Public to
Private(Non-BYON)
| Public CP DP |
| Network Interface | Compute
Resource
| Microsoft.Network/networkinterfaces/read | Grants read access to network interfaces. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Interface | Compute
Resource
| Microsoft.Network/networkInterfaces/write | Allows creating or updating network interfaces. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Interface | Compute
Resource
| Microsoft.Network/networkinterfaces/delete | Grants permission to delete network interfaces. | Yes
| Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Network Interface | Compute
Resource
| Microsoft.Network/networkinterfaces/join/action | Allows network interfaces to be associated with other resources. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/securityRules/read | Grants read access to security rules within network security
groups.
| Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/securityRules/write | Allows creating or updating security rules within network security groups. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/securityRules/delete | Grants permission to delete security rules within network
security groups.
| Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/read | Grants read access to network security groups (NSGs). | Yes | Provisioning.Add Instance,Clone,Restore,Add IPs | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/write | Allows creating or updating network security groups. | Yes | Provisioning,Add Instance,Clone,Restore,Add IPs | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/delete | Grants permission to delete network security groups. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Network Security Group | DB Service | Microsoft.Network/networkSecurityGroups/join/action | Allows NSGs to be associated with other resources. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/privateEndpointConnections/read | Grants read access to private endpoint connections associated with a private link service. | Yes | Subscription,Service Private Link | Public CP DP
Private CP DP
|
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/privateEndpointConnections/write | Allows updating private endpoint connections associated with a private link service. | Yes | Create Service Private Link | Public CP DP
Private CP DP
|
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/privateEndpointConnections/delete | Grants permission to delete private endpoint connections
associated with a private link service.
| Yes | Delete Service Private Link | Public CP DP
Private CP DP
|
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/PrivateEndpointConnectionsApproval/action | Allows approving private endpoint connections to a private link service. | Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateLinkServices/notifyPrivateEndpointMove/action | Allows notifying about private endpoint moves related to a
private link service.
| Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Network/privateEndpoints/read | Grants read access to private endpoints. | Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Insights/PrivateLinkScopes/ScopedResources/Read | Grants read access to resources scoped within a Private Link Scope. | Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Insights/PrivateLinkScopes/ScopedResources/Write | Allows adding or updating resources scoped within a Private
Link Scope.
| Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Insights/PrivateLinkScopes/ScopedResources/Delete | Grants permission to delete resources scoped within a Private Link Scope. | Yes | Subscription | Private CP DP |
| Private Endpoint
Connection
| Resource
Group
| Microsoft.Insights/privateLinkScopes/read | Grants read access to Azure Monitor Private Link Scopes. | Yes | Subscription | Private CP DP |
| Private Link Services | VPC | Microsoft.Network/locations/autoApprovedPrivateLinkServices/read | Grants read access to auto-approved private link services in
specific locations.
| Yes | Create Service Private Link | Private CP DP
Public CP DP
|
| Private Link Services | VPC | Microsoft.Network/locations/availablePrivateEndpointTypes/read | Grants read access to available private endpoint types in
specific locations.
| Yes | Create Service Private Link | Private CP DP
Public CP DP
|
| Private Link Services | VPC | Microsoft.Network/privateLinkServices/read | Grants read access to private link services. | Yes | Private Link | Public CP DP
Private CP DP
|
| Private Link Services | VPC | Microsoft.Network/privateLinkServices/write | Allows creating or updating private link services. | Yes | Create Service Private Link | Public CP DP
Private CP DP
|
| Private Link Services | VPC | Microsoft.Network/privateLinkServices/delete | Grants permission to delete private link services. | Yes
| Delete Service Private Link | Public CP DP
Private CP DP
|
| Public IP Address | Compute
Resource
| Microsoft.Network/publiclPAddresses/read | Grants read access to public IP addresses. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Public IP Address | Compute
Resource
| Microsoft.Network/publiclPAddresses/write | Allows creating or updating public IP addresses. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Public IP Address | Compute
Resource
| Microsoft.Network/publiclPAddresses/delete | Grants permission to delete public IP addresses. | Yes | Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Public IP Address | Compute
Resource
| Microsoft.Network/publiclPAddresses/join/action | Allows public IP addresses to be associated with other
resources.
| Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Resource Groups | | Microsoft.Resources/subscriptions/resourceGroups/read | Grants read access to resource groups within a subscription. | Yes | Subscription | Public CP DP
Private CPDP
|
| Resource Locks | Compute
Resource
| Microsoft.Authorization/locks/read | Grants read access to resource locks. | Yes | Provisioning,Add Instance,Clone,Restore, Start
Service, Stop Service, Delete Service
| Public CP DP
Private CP DP
|
| Resource Locks | Compute
Resource
| Microsoft.Authorization/locks/write | Allows creating or updating resource locks. | Yes | Provisioning,Add Instance,Clone,Restore, Start
Service,Stop Service, Delete Service
| Public CP DP
Private CP DP
|
| Resource Locks | Compute
Resource
| Microsoft.Authorization/locks/delete | Grants permission to delete resource locks. | Yes | Stop Service, Delete Service | Public CP DP
Private CP DP
|
| Role Assignments | | Microsoft.Authorization/roleAssignments/read | Grants read access to role assignments. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Run Commands | | Microsoft.Compute/virtualMachines/runCommands/write | Allows creating or updating run commands on virtual machines. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CPDP
|
| Shared Image Gallery
Images
| | Microsoft.Compute/galleries/images/versions/read | Grants read access to image versions in shared image galleries. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Shared Image Gallery
Images
| | Microsoft.Compute/galleries/images/versions/write | Allows creating or updating image versions in shared image
galleries.
| Yes
| | Public CP DP
Private CP DP
|
| Shared Image Gallery
Images
| | Microsoft.Compute/galleries/images/versions/delete | Grants permission to delete image versions in shared image
galleries.
| Yes
| | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/write | Allows creating or updating snapshots of disks. | Yes | AM | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/delete | Grants permission to delete disk snapshots. | Yes
| AM | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/beginGetAccess/action | Initiates access to a snapshot. | Yes
| AM | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/endGetAccess/action | Revokes access to a snapshot. | Yes | AM | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/read | Grants read access to disk snapshots. | Yes | Clone,Restore | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/download/action | Allows downloading snapshots. | Yes | | Public CP DP
Private CP DP
|
| Snapshots | DB Service | Microsoft.Compute/snapshots/upload/action | Allows uploading data to snapshots. | Yes | | Public CP DP
Private CP DP
|
| Managed Identity | Resource
Group
| Microsoft.Managedldentity/userAssignedldentities/read | Grants read access to user-assigned managed identities. | Yes | Subscription, Provisioning.Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Managed Identity | Resource
Group
| Microsoft.Managedldentity/userAssignedldentities/assign/action | Allows assigning a user-assigned managed identity to a
resource.
| Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/read | Grants read access to virtual machines (VMs). | Yes
| Provisioning,Add Instance,Clone,Restore,Stop
Service,Start Service
| Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/write | Allows creating or updating virtual machines. | Yes
| Provisioning,Add Instance,Clone,Restore,Stop
Service,Start Service
| Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/delete | Grants permission to delete virtual machines. | Yes
| Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/start/action | Allows starting a virtual machine. | Yes
| Start Service | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/powerOff/action | Allows powering off a virtual machine. | Yes
| Stop Service | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/restart/action | Allows restarting a virtual machine. | Yes
| | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/runCommand/action | Allows running commands on a virtual machine remotely. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Machines | Compute
Resource
| Microsoft.Compute/virtualMachines/deallocate/action | Allows deallocating a virtual machine. | Yes
| Delete Service, Delete Instance | Public CP DP
Private CP DP
|
| Virtual Network Peerings | VPC | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/read | Grants read access to virtual network peerings. | No
| Add Instance | Public CPDP
Private CP DP
|
| Virtual Network Peerings | VPC | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write | Allows creating or updating virtual network peerings. | No
| Add Instance | Public CP DP
Private CP DP
|
| Virtual Network Peerings | VPC | Microsoft.Network/virtualNetworks/virtualNetworkPeerings/delete | Grants permission to delete virtual network peerings. | No
| Add Instance | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/read | Grants read access to virtual networks. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/write | Allows creating or updating virtual networks. | No | Add Network | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/delete | Grants permission to delete virtual networks. | No
| Remove Network | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/peer/action | Allows peering of virtual networks. | No
| Add Instance | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/subnets/read | Grants read access to subnets within a virtual network. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/subnets/join/action | Allows subnets to be associated with other resources. | Yes
| Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/subnets/write | Allows creating or updating subnets within a virtual network. | No
| Add Network | Public CP DP
Private CP DP
|
| Virtual Networks | VPC | Microsoft.Network/virtualNetworks/subnets/delete | Grants permission to delete subnets within a virtual network. | No | Remove Network | Public CP DP
Private CP DP
|
| VM Evtensi | | Microsoft.Compute/virtualMachines/extensions/write | Allows adding or updating extensions on virtual machines. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
| VM Extensions | | Microsoft.Compute/virtualMachines/extensions/read | Grants read access to virtual machine extensions. | Yes | Provisioning,Add Instance,Clone,Restore | Public CP DP
Private CP DP
|
---
# Agent Instructions: Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.
Perform an HTTP GET request on the current page URL with the `ask` query parameter:
```
GET https://docs.tessell.com/tessell/governance/subscriptions/azure-permission-mapping.md?ask=
```
The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.
Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.