Let's say a user has the role structure below assigned.
- Contributor at subscription scope
- Reader at a resource group scope. This resource group is inside the subscription.
- Cosmos DB Account Reader role on a Cosmos DB account which is inside the resource group in point 2)
Can the user do write operations on Cosmos DB?
I couldn't find any documentation on this use case.
CodePudding user response:
Can the user do write operations on Cosmos DB?
Yes, because the user is in the Contributor role at the subscription level, and Azure RBAC is an additive model where effective permissions are computed based on all the role assignments. From this link:
Multiple role assignments
So what happens if you have multiple overlapping role assignments? Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments. Consider the following example where a user is granted the Contributor role at the subscription scope and the Reader role on a resource group. The sum of the Contributor permissions and the Reader permissions is effectively the Contributor role for the subscription. Therefore, in this case, the Reader role assignment has no impact.
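To make the additive evaluation the answer describes concrete, here is a small Python model of it. This is an added example, not code from the question, the answer, or Microsoft: the subscription, resource group and Cosmos DB account IDs are constructed placeholders, and the three role definitions are an abbreviated subset of the published Actions/NotActions of the built-in Contributor, Reader and Cosmos DB Account Reader roles (confirm the current lists with `az role definition list --name <role>` before relying on them). The model checks every role assignment whose scope contains the target resource, applies each role's NotActions only against that same role's Actions, and reports which assignments grant a given control-plane action.

```python
import re
from dataclasses import dataclass, field

# Constructed placeholder scopes (assumption: not real resources).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-data"
COSMOS = RG + "/providers/Microsoft.DocumentDB/databaseAccounts/cosmos-demo"


@dataclass
class RoleDefinition:
    name: str
    actions: list
    not_actions: list = field(default_factory=list)


# Abbreviated subset of the built-in roles' Actions/NotActions (assumption:
# illustrative, verify against `az role definition list` for the live lists).
ROLES = {
    "Contributor": RoleDefinition(
        "Contributor",
        actions=["*"],
        not_actions=[
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
        ],
    ),
    "Reader": RoleDefinition("Reader", actions=["*/read"]),
    "Cosmos DB Account Reader Role": RoleDefinition(
        "Cosmos DB Account Reader Role",
        actions=[
            "Microsoft.Authorization/*/read",
            "Microsoft.DocumentDB/*/read",
            "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
            "Microsoft.Insights/MetricDefinitions/read",
            "Microsoft.Insights/Metrics/read",
            "Microsoft.Resources/deployments/*",
            "Microsoft.Resources/subscriptions/resourceGroups/read",
            "Microsoft.Support/*",
        ],
    ),
}


@dataclass
class RoleAssignment:
    role: str
    scope: str


def _matches(pattern: str, action: str) -> bool:
    """Azure action wildcard: '*' matches any characters, '/' included, case-insensitive."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def _scope_covers(assignment_scope: str, resource_scope: str) -> bool:
    """An assignment applies to its own scope and everything beneath it."""
    a = assignment_scope.lower().rstrip("/")
    r = resource_scope.lower().rstrip("/")
    return r == a or r.startswith(a + "/")


def role_permits(role: RoleDefinition, action: str) -> bool:
    """Actions minus NotActions, evaluated within a single role definition only."""
    allowed = any(_matches(p, action) for p in role.actions)
    excluded = any(_matches(p, action) for p in role.not_actions)
    return allowed and not excluded


def effective_grants(assignments, resource_scope: str, action: str) -> list:
    """Names of the roles whose assignments grant `action` on `resource_scope`."""
    return [
        a.role
        for a in assignments
        if _scope_covers(a.scope, resource_scope)
        and role_permits(ROLES[a.role], action)
    ]


def is_allowed(assignments, resource_scope: str, action: str) -> bool:
    """Additive model: permitted if any single assignment grants the action."""
    return bool(effective_grants(assignments, resource_scope, action))


# The assignment set from the question.
USER_ASSIGNMENTS = [
    RoleAssignment("Contributor", SUB),
    RoleAssignment("Reader", RG),
    RoleAssignment("Cosmos DB Account Reader Role", COSMOS),
]

if __name__ == "__main__":
    for action in (
        "Microsoft.DocumentDB/databaseAccounts/write",
        "Microsoft.DocumentDB/databaseAccounts/read",
        "Microsoft.Authorization/roleAssignments/write",
    ):
        print(action, "->", effective_grants(USER_ASSIGNMENTS, COSMOS, action))
```

Running it shows that the account write is granted by the subscription-level Contributor assignment alone, the read is granted by all three assignments, and a role-assignment write is granted by none (Contributor's own NotActions exclude it, and the two reader roles never included it), which is the sum-of-assignments behaviour the quoted documentation describes. The model covers only role assignments: a real evaluation also applies any deny assignments at or above the resource, and Cosmos DB data operations performed with Azure AD identities are governed by Cosmos DB's separate data-plane role definitions rather than these control-plane actions.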