Azure Cosmos DB for NoSQL data plane built-in roles reference

Article
10/01/2024

APPLIES TO: NoSQL

Diagram of the current location ('Reference') in the sequence of the deployment guide.

Azure Cosmos DB for NoSQL includes built-in data plane roles within its native role-based access control implementation. This article includes a list of those roles and descriptions on what permissions are granted for each role.

Built-in data plane roles

Azure Cosmos DB for NoSQL defines data plane-specific role definitions. These roles are distinct from Azure role-based access control role definitions.

Cosmos DB Built-in Data Reader

ID: 00000000-0000-0000-0000-000000000001

Included actions
- Microsoft.DocumentDB/databaseAccounts/readMetadata
- Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read
- Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery
- Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed

Cosmos DB Built-in Data Contributor

ID: 00000000-0000-0000-0000-000000000002

Included actions
- Microsoft.DocumentDB/databaseAccounts/readMetadata
- Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*
- Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*

Data plane actions

Share via

Azure Cosmos DB for NoSQL data plane built-in roles reference

Built-in data plane roles

Cosmos DB Built-in Data Reader

Cosmos DB Built-in Data Contributor

Feedback

Additional resources

Share via

Azure Cosmos DB for NoSQL data plane built-in roles reference

Built-in data plane roles

Cosmos DB Built-in Data Reader

Cosmos DB Built-in Data Contributor

Related content

Feedback

Additional resources