Query on Custom RBAC Role for API Metadata Editing in Azure API Center

Praveen Kumar Kushwaha 0 Reputation points
2026-06-18T04:08:14.34+00:00

Hi,

I am working as part of the API Platform team managing a centralized API governance model using Azure API Center and Azure RBAC. As part of our platform enablement and least‑privilege access strategy, we are evaluating the feasibility of defining a custom role with restricted permissions.

Requirement

We would like to understand whether it is possible to create a custom RBAC role in Azure API Center with the following scope:

  • Allow users (e.g., API Product Owners) to:
    • Edit/update API metadata only (e.g., title, description, owners, business metadata, tags, etc.)
  • Restrict users from:
  • Modifying API definitions (OpenAPI specs)
  • Deleting APIs
  • Managing environments, deployments, or other platform-level configurations
    • Making changes outside metadata scope

If possible, please share:

  • A list of RBAC actions relevant to API Center metadata operations
  • Share the custom role definition in API Center to Edit/update API metadata only

I'm thinking to create custom role like this, not sure it will work or not

{
  "Name": "API Center Metadata Editor",
  "Description": "Can view APIs and update metadata (via API write operation).",
  "IsCustom": true,
  "Actions": [
    "Microsoft.ApiCenter/services/read",
    "Microsoft.ApiCenter/services/apis/read",
    "Microsoft.ApiCenter/services/apis/metadata/read",
    "Microsoft.ApiCenter/services/apis/metadata/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME"
  ]
}

Thank you for your support.

Azure Role-based access control

2 answers

  1. Sina Salam 30,566 Reputation points Volunteer Moderator
    2026-06-24T17:42:28.1333333+00:00

    Hello Praveen Kumar Kushwaha,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you are having an issue with your query on a custom RBAC role for API metadata editing in Azure API Center.

    From experience, when trying to create a least-privilege custom Azure RBAC role in Azure API Center that allows API Product Owners to edit only API metadata, while preventing API specification changes, API deletion, deployment/environment management, and platform-level configuration changes, the proposed role will not work as written because these permissions are not valid Azure API Center RBAC operations:

    • "Microsoft.ApiCenter/services/apis/metadata/read",
    • "Microsoft.ApiCenter/services/apis/metadata/write"

    Azure API Center does not currently expose separate RBAC actions for “metadata-only” updates. API metadata such as title, description, contacts, license, terms of service, and customProperties is updated through the API resource create/update operation, not through a separate metadata operation. The correct operation boundary is Microsoft.ApiCenter/services/workspaces/apis/write, while API definitions/specifications are managed through separate API definition operations. - https://learn.microsoft.com/en-us/rest/api/resource-manager/apicenter/apis/create-or-update?view=rest-resource-manager-apicenter-2024-03-01, https://learn.microsoft.com/en-us/rest/api/resource-manager/apicenter/api-definitions/create-or-update?view=rest-resource-manager-apicenter-2024-03-01

    The best practice resolution is to:

    • Use a custom role with Microsoft.ApiCenter/services/workspaces/apis/write.
    • Do not grant API definition/specification write, import, or delete permissions.
    • Do not grant API delete permissions.
    • Do not grant environment, deployment, metadata schema, service, or workspace write permissions.
    • Assign the role at the specific API resource scope where possible, not broadly at subscription or resource group level.

    This gives you the closest valid RBAC-only implementation for “API metadata editor” in Azure API Center. It allows API-level metadata updates while preventing OpenAPI/specification changes, API deletion, deployments, environments, and platform configuration changes. However, Azure RBAC cannot restrict editing to individual JSON fields inside the API resource body, because RBAC controls operations, not individual API properties.

    Use the below resource links for more reading and implementation:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.


    Please don't forget to close up the thread here by upvoting and accept it as an answer if it is helpful.


  2. Siddhesh Desai 7,640 Reputation points Microsoft External Staff Moderator
    2026-06-18T04:34:00.37+00:00

    Hi @Praveen Kumar Kushwaha

    Thank you for reaching out to Microsoft Q&A.

    Azure API Center uses Azure RBAC for access control; however, based on the currently published Azure API Center resource provider operations, there are no documented RBAC permissions such as Microsoft.ApiCenter/services/apis/metadata/read or Microsoft.ApiCenter/services/apis/metadata/write. API metadata is managed as part of the API resource itself, and Azure API Center documentation does not currently expose separate RBAC actions that distinguish metadata updates from API definition updates. Because of this, granting write permissions on APIs would generally allow modifications to the API resource as a whole, making it difficult to enforce a strict "metadata-only editor" role using Azure RBAC alone. Therefore, the custom role definition shared in the question is unlikely to work because the referenced metadata-specific operations are not documented Azure API Center permissions.

    Refer below points to resolve this issue or as a workaround:

    1. Metadata-specific RBAC actions do not appear to be available

    The following actions are not currently documented Azure API Center resource provider operations:

    "Microsoft.ApiCenter/services/apis/metadata/read",
    "Microsoft.ApiCenter/services/apis/metadata/write"

    Therefore, Azure RBAC cannot validate or grant permissions using these action names.

    2. API write permission may allow broader modifications

    To update API properties, users typically require API-level write permissions such as:

    "Microsoft.ApiCenter/services/apis/write"

    However, this permission is not documented as being limited to metadata updates only and may allow changes to other API properties, including API definitions. Therefore, RBAC alone may not provide the level of separation required between metadata management and API definition management.

    3. Verify the available API Center operations in your tenant

    To confirm the exact operations currently exposed by the Azure API Center resource provider in your environment, run the following command:

    PowerShell

    Get-AzProviderOperation Microsoft.ApiCenter/* |
    Select-Object Operation

    Azure CLI

    az provider operation show --namespace Microsoft.ApiCenter

    Review the output to determine whether Microsoft has introduced granular operations for metadata management that are not yet reflected in public documentation.

    4. Consider a custom role with API write and delete restrictions

    If your objective is to prevent API deletion while still allowing API updates, you can consider a role similar to:

    JSON

    {
      "Name": "API Center Metadata Editor",
      "Description": "Can read and update APIs in API Center",
      "Actions": [
        "Microsoft.ApiCenter/services/read",
        "Microsoft.ApiCenter/services/apis/read",
        "Microsoft.ApiCenter/services/apis/write"
      ],
      "NotActions": [
        "Microsoft.ApiCenter/services/apis/delete"
      ],
      "AssignableScopes": [
        "/subscriptions/<subscription-id>"
      ]
    }

    Please note that this approach may still allow broader API modifications and does not guarantee metadata-only access.

    5. Recommended workaround – Use governance controls outside RBAC

    A common governance approach is to:

    • Allow API Product Owners to maintain API metadata in API Center.
    • Store OpenAPI specifications in GitHub or Azure DevOps repositories.
    • Protect API definitions through:
      • Pull Request approvals
      • Branch protection policies
      • CODEOWNERS
      • CI/CD validation pipelines
    • Use API Center primarily for API inventory, discovery, and metadata governance.

    This provides stronger separation between metadata management and API definition management than RBAC currently offers. Azure API Center documentation emphasizes metadata governance, custom metadata, API inventory management, and integration with automation workflows for governance scenarios.

    Conclusion

    At present, Azure API Center documentation does not show support for a dedicated RBAC role that can update only API metadata while preventing modifications to API definitions. The proposed custom role is therefore unlikely to function as expected because the metadata-specific permissions referenced are not documented API Center operations. The recommended approach is to verify the currently available provider operations and complement RBAC with repository, approval, and CI/CD governance controls.

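Both answers make the same practical point: before creating a custom role, confirm that every action string in it is an operation the resource provider actually publishes, and work out what the role grants after NotActions are subtracted. The script below is an added example written for this thread; it is not code from the question, from either answer, or from Microsoft. It reads a provider operations document in the JSON shape that `az provider operation show --namespace Microsoft.ApiCenter` returns (an "operations" array at the top level and under each "resourceTypes" entry) and reports, for a role definition, which literal Actions the provider does not know, which published control-plane operations the role effectively grants (Actions matched with Azure's `*` wildcards, minus NotActions), and which of those hit a set of patterns the platform team wants excluded. The embedded provider document is a constructed sample whose operation names are placeholders, the FORBIDDEN_PATTERNS list is an assumed team policy, and the role checked is the one proposed in the question; run it against the real output from your tenant before relying on any result.

```python
"""Check an Azure custom role definition against a provider's published
operations before creating it with `az role definition create`.

Added example for this thread; not code from the question or either answer.
The operation catalogue is a CONSTRUCTED sample in the shape returned by
`az provider operation show --namespace Microsoft.ApiCenter`; its operation
names are placeholders, so replace it with the real output from your tenant.
"""
import fnmatch
import json

# Constructed sample of the provider operations document (shape only; the
# names are placeholders, not an authoritative list of API Center operations).
SAMPLE_PROVIDER_DOC = json.loads("""
{
  "name": "Microsoft.ApiCenter",
  "operations": [],
  "resourceTypes": [
    {"name": "services", "operations": [
      {"name": "Microsoft.ApiCenter/services/read", "isDataAction": false},
      {"name": "Microsoft.ApiCenter/services/write", "isDataAction": false},
      {"name": "Microsoft.ApiCenter/services/delete", "isDataAction": false}]},
    {"name": "services/workspaces/apis", "operations": [
      {"name": "Microsoft.ApiCenter/services/workspaces/apis/read", "isDataAction": false},
      {"name": "Microsoft.ApiCenter/services/workspaces/apis/write", "isDataAction": false},
      {"name": "Microsoft.ApiCenter/services/workspaces/apis/delete", "isDataAction": false}]},
    {"name": "services/workspaces/apis/versions/definitions", "operations": [
      {"name": "Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/read", "isDataAction": false},
      {"name": "Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/write", "isDataAction": false},
      {"name": "Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/delete", "isDataAction": false}]}
  ]
}
""")

# The role exactly as proposed in the question (scope omitted; it does not affect the check).
QUESTION_ROLE = {
    "Name": "API Center Metadata Editor",
    "Actions": [
        "Microsoft.ApiCenter/services/read",
        "Microsoft.ApiCenter/services/apis/read",
        "Microsoft.ApiCenter/services/apis/metadata/read",
        "Microsoft.ApiCenter/services/apis/metadata/write",
    ],
    "NotActions": [],
}

# Assumed team policy: operations a metadata-editor role must never grant.
FORBIDDEN_PATTERNS = ["*/delete", "*/definitions/write", "*/services/write"]


def collect_operations(provider_doc):
    """Flatten the provider document into a dict {operation name: isDataAction}."""
    ops = {}
    for op in provider_doc.get("operations", []):
        ops[op["name"]] = bool(op.get("isDataAction", False))
    for resource_type in provider_doc.get("resourceTypes", []):
        for op in resource_type.get("operations", []):
            ops[op["name"]] = bool(op.get("isDataAction", False))
    return ops


def action_matches(pattern, operation):
    """Azure RBAC action strings allow '*' wildcards and compare case-insensitively."""
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def validate_role(role, provider_doc, forbidden_patterns=FORBIDDEN_PATTERNS):
    """Return what the role would actually grant and where it is invalid or too broad.

    unknown_actions: literal (non-wildcard) Actions the provider never publishes;
                     Azure cannot grant these, so the role does less than intended.
    effective:       published control-plane operations granted by Actions and not
                     removed by NotActions (Azure evaluates NotActions as a subtraction).
    forbidden:       effective operations matching one of forbidden_patterns.
    """
    known = collect_operations(provider_doc)
    known_lower = {name.lower() for name in known}
    actions = role.get("Actions", [])
    not_actions = role.get("NotActions", [])

    unknown = [a for a in actions if "*" not in a and a.lower() not in known_lower]
    effective = sorted(
        op for op, is_data in known.items()
        if not is_data
        and any(action_matches(a, op) for a in actions)
        and not any(action_matches(n, op) for n in not_actions)
    )
    forbidden = [op for op in effective
                 if any(action_matches(p, op) for p in forbidden_patterns)]
    return {"unknown_actions": unknown, "effective": effective, "forbidden": forbidden}


if __name__ == "__main__":
    # Against the sample catalogue, three of the question's four actions are unknown
    # and only services/read would actually be granted.
    print(json.dumps(validate_role(QUESTION_ROLE, SAMPLE_PROVIDER_DOC), indent=2))
```

To use it for real, save the CLI output with `az provider operation show --namespace Microsoft.ApiCenter > apicenter-ops.json`, load that file in place of SAMPLE_PROVIDER_DOC, and pass your candidate role definition to validate_role. An empty unknown_actions list and an empty forbidden list together mean the role is at least made of real operations and stays inside the boundary the answers describe; as both answers note, the check cannot go finer than the operation level, because Azure RBAC does not distinguish individual properties within the API resource body.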
