Back to Operation

Container Registry Contributor and Data Access Configuration Administrator

Azure Built-in Role

Role Information

Details and metadata

Role ID
3bc748fc-213d-45c1-8d91-9da5725539b9
Type
BuiltInRole
Last Updated (Azure)
2024-10-25 22:56:35

Change History

Track all modifications to this role since 2025-12-15 01:08:16+00:00

2024-10-25 22:56:35 Created
View details
+ {
+ "properties": {
+ "roleName": "Container Registry Contributor and Data Access Configuration Administrator",
+ "type": "BuiltInRole",
+ "description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
+ "assignableScopes": [
+ "/"
+ ],
+ "permissions": [
+ {
+ "actions": [
+ "Microsoft.Resources/subscriptions/resourceGroups/read",
+ "Microsoft.ContainerRegistry/registries/operationStatuses/read",
+ "Microsoft.ContainerRegistry/registries/read",
+ "Microsoft.ContainerRegistry/registries/write",
+ "Microsoft.ContainerRegistry/registries/delete",
+ "Microsoft.ContainerRegistry/registries/listCredentials/action",
+ "Microsoft.ContainerRegistry/registries/regenerateCredential/action",
+ "Microsoft.ContainerRegistry/registries/generateCredentials/action",
+ "Microsoft.ContainerRegistry/registries/replications/read",
+ "Microsoft.ContainerRegistry/registries/replications/write",
+ "Microsoft.ContainerRegistry/registries/replications/delete",
+ "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
+ "Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
+ "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
+ "Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
+ "Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
+ "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
+ "Microsoft.ContainerRegistry/registries/tokens/read",
+ "Microsoft.ContainerRegistry/registries/tokens/write",
+ "Microsoft.ContainerRegistry/registries/tokens/delete",
+ "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
+ "Microsoft.ContainerRegistry/registries/scopeMaps/read",
+ "Microsoft.ContainerRegistry/registries/scopeMaps/write",
+ "Microsoft.ContainerRegistry/registries/scopeMaps/delete",
+ "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
+ "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
+ "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
+ "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
+ "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
+ "Microsoft.Resources/deployments/*",
+ "Microsoft.Authorization/*/read",
+ "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
+ "Microsoft.ContainerRegistry/registries/connectedRegistries/write",
+ "Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
+ "Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
+ "Microsoft.ContainerRegistry/registries/webhooks/read",
+ "Microsoft.ContainerRegistry/registries/webhooks/write",
+ "Microsoft.ContainerRegistry/registries/webhooks/delete",
+ "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
+ "Microsoft.ContainerRegistry/registries/webhooks/ping/action",
+ "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
+ "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
+ "Microsoft.Insights/AlertRules/Write",
+ "Microsoft.Insights/AlertRules/Delete",
+ "Microsoft.Insights/AlertRules/Read",
+ "Microsoft.Insights/AlertRules/Activated/Action",
+ "Microsoft.Insights/AlertRules/Resolved/Action",
+ "Microsoft.Insights/AlertRules/Throttled/Action",
+ "Microsoft.Insights/AlertRules/Incidents/Read",
+ "Microsoft.ContainerRegistry/locations/operationResults/read",
+ "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
+ "Microsoft.Network/virtualNetworks/subnets/read",
+ "Microsoft.Network/virtualNetworks/subnets/write",
+ "Microsoft.Network/virtualNetworks/read",
+ "Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
+ ],
+ "notActions": [],
+ "dataActions": [],
+ "notDataActions": []
+ }
+ ],
+ "createdOn": "2024-10-25T22:56:35.353Z",
+ "updatedOn": "2024-10-25T22:56:35.353Z",
+ "createdBy": null,
+ "updatedBy": null
+ },
+ "id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
+ "type": "Microsoft.Authorization/roleDefinitions",
+ "name": "3bc748fc-213d-45c1-8d91-9da5725539b9"
+ }

Latest Role JSON

Raw definition from Azure

{
  "properties": {
    "roleName": "Container Registry Contributor and Data Access Configuration Administrator",
    "type": "BuiltInRole",
    "description": "Provides permissions to create, list, and update container registries and registry configuration properties. Provides permissions to configure data access such as admin user credentials, scope maps, and tokens, which can be used to read, write or delete repositories and images. Does not provide direct permissions to read, list, or write registry contents including repositories and images. Does not provide permissions to modify data plane content such as imports, Artifact Cache or Sync, and Transfer Pipelines. Does not provide permissions for managing Tasks.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.ContainerRegistry/registries/operationStatuses/read",
          "Microsoft.ContainerRegistry/registries/read",
          "Microsoft.ContainerRegistry/registries/write",
          "Microsoft.ContainerRegistry/registries/delete",
          "Microsoft.ContainerRegistry/registries/listCredentials/action",
          "Microsoft.ContainerRegistry/registries/regenerateCredential/action",
          "Microsoft.ContainerRegistry/registries/generateCredentials/action",
          "Microsoft.ContainerRegistry/registries/replications/read",
          "Microsoft.ContainerRegistry/registries/replications/write",
          "Microsoft.ContainerRegistry/registries/replications/delete",
          "Microsoft.ContainerRegistry/registries/replications/operationStatuses/read",
          "Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action",
          "Microsoft.ContainerRegistry/registries/privateEndpointConnections/read",
          "Microsoft.ContainerRegistry/registries/privateEndpointConnections/write",
          "Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete",
          "Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read",
          "Microsoft.ContainerRegistry/registries/tokens/read",
          "Microsoft.ContainerRegistry/registries/tokens/write",
          "Microsoft.ContainerRegistry/registries/tokens/delete",
          "Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read",
          "Microsoft.ContainerRegistry/registries/scopeMaps/read",
          "Microsoft.ContainerRegistry/registries/scopeMaps/write",
          "Microsoft.ContainerRegistry/registries/scopeMaps/delete",
          "Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read",
          "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read",
          "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write",
          "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read",
          "Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read",
          "Microsoft.Resources/deployments/*",
          "Microsoft.Authorization/*/read",
          "Microsoft.ContainerRegistry/registries/connectedRegistries/read",
          "Microsoft.ContainerRegistry/registries/connectedRegistries/write",
          "Microsoft.ContainerRegistry/registries/connectedRegistries/delete",
          "Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action",
          "Microsoft.ContainerRegistry/registries/webhooks/read",
          "Microsoft.ContainerRegistry/registries/webhooks/write",
          "Microsoft.ContainerRegistry/registries/webhooks/delete",
          "Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action",
          "Microsoft.ContainerRegistry/registries/webhooks/ping/action",
          "Microsoft.ContainerRegistry/registries/webhooks/listEvents/action",
          "Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read",
          "Microsoft.Insights/AlertRules/Write",
          "Microsoft.Insights/AlertRules/Delete",
          "Microsoft.Insights/AlertRules/Read",
          "Microsoft.Insights/AlertRules/Activated/Action",
          "Microsoft.Insights/AlertRules/Resolved/Action",
          "Microsoft.Insights/AlertRules/Throttled/Action",
          "Microsoft.Insights/AlertRules/Incidents/Read",
          "Microsoft.ContainerRegistry/locations/operationResults/read",
          "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
          "Microsoft.Network/virtualNetworks/subnets/read",
          "Microsoft.Network/virtualNetworks/subnets/write",
          "Microsoft.Network/virtualNetworks/read",
          "Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ],
    "createdOn": "2024-10-25T22:56:35.353Z",
    "updatedOn": "2024-10-25T22:56:35.353Z",
    "createdBy": null,
    "updatedBy": null
  },
  "id": "/providers/Microsoft.Authorization/roleDefinitions/3bc748fc-213d-45c1-8d91-9da5725539b9",
  "type": "Microsoft.Authorization/roleDefinitions",
  "name": "3bc748fc-213d-45c1-8d91-9da5725539b9"
}

Effective Permissions

Operations granted by this role (93 total)

Permission Patterns (from role definition)

Actions 55 patterns
Microsoft.Resources/subscriptions/resourceGroups/read Microsoft.ContainerRegistry/registries/operationStatuses/read Microsoft.ContainerRegistry/registries/read Microsoft.ContainerRegistry/registries/write Microsoft.ContainerRegistry/registries/delete Microsoft.ContainerRegistry/registries/listCredentials/action Microsoft.ContainerRegistry/registries/regenerateCredential/action Microsoft.ContainerRegistry/registries/generateCredentials/action Microsoft.ContainerRegistry/registries/replications/read Microsoft.ContainerRegistry/registries/replications/write Microsoft.ContainerRegistry/registries/replications/delete Microsoft.ContainerRegistry/registries/replications/operationStatuses/read Microsoft.ContainerRegistry/registries/privateEndpointConnectionsApproval/action Microsoft.ContainerRegistry/registries/privateEndpointConnections/read Microsoft.ContainerRegistry/registries/privateEndpointConnections/write Microsoft.ContainerRegistry/registries/privateEndpointConnections/delete Microsoft.ContainerRegistry/registries/privateEndpointConnections/operationStatuses/read Microsoft.ContainerRegistry/registries/tokens/read Microsoft.ContainerRegistry/registries/tokens/write Microsoft.ContainerRegistry/registries/tokens/delete Microsoft.ContainerRegistry/registries/tokens/operationStatuses/read Microsoft.ContainerRegistry/registries/scopeMaps/read Microsoft.ContainerRegistry/registries/scopeMaps/write Microsoft.ContainerRegistry/registries/scopeMaps/delete Microsoft.ContainerRegistry/registries/scopeMaps/operationStatuses/read Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/read Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/diagnosticSettings/write Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/logDefinitions/read Microsoft.ContainerRegistry/registries/providers/Microsoft.Insights/metricDefinitions/read Microsoft.Resources/deployments/* Microsoft.Authorization/*/read Microsoft.ContainerRegistry/registries/connectedRegistries/read Microsoft.ContainerRegistry/registries/connectedRegistries/write Microsoft.ContainerRegistry/registries/connectedRegistries/delete Microsoft.ContainerRegistry/registries/connectedRegistries/deactivate/action Microsoft.ContainerRegistry/registries/webhooks/read Microsoft.ContainerRegistry/registries/webhooks/write Microsoft.ContainerRegistry/registries/webhooks/delete Microsoft.ContainerRegistry/registries/webhooks/getCallbackConfig/action Microsoft.ContainerRegistry/registries/webhooks/ping/action Microsoft.ContainerRegistry/registries/webhooks/listEvents/action Microsoft.ContainerRegistry/registries/webhooks/operationStatuses/read Microsoft.Insights/AlertRules/Write Microsoft.Insights/AlertRules/Delete Microsoft.Insights/AlertRules/Read Microsoft.Insights/AlertRules/Activated/Action Microsoft.Insights/AlertRules/Resolved/Action Microsoft.Insights/AlertRules/Throttled/Action Microsoft.Insights/AlertRules/Incidents/Read Microsoft.ContainerRegistry/locations/operationResults/read Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action Microsoft.Network/virtualNetworks/subnets/read Microsoft.Network/virtualNetworks/subnets/write Microsoft.Network/virtualNetworks/read Microsoft.Network/privateEndpoints/privateLinkServiceProxies/write

Control Plane Operations (93)

Data Plane Operations (0)

No data plane operations granted