Hello Praveen Kumar Kushwaha,
Welcome to the Microsoft Q&A and thank you for posting your questions here.
I understand that you are having an issue with your query on a custom RBAC role for API metadata editing in Azure API Center.
From experience, when trying to create a least-privilege custom Azure RBAC role in Azure API Center that allows API Product Owners to edit only API metadata, while preventing API specification changes, API deletion, deployment/environment management, and platform-level configuration changes, the proposed role will not work as written, because these permissions are not valid Azure API Center RBAC operations:
- "Microsoft.ApiCenter/services/apis/metadata/read",
- "Microsoft.ApiCenter/services/apis/metadata/write"
Azure API Center does not currently expose separate RBAC actions for “metadata-only” updates. API metadata such as title, description, contacts, license, terms of service, and customProperties is updated through the API resource create/update operation, not through a separate metadata operation. The correct operation boundary is Microsoft.ApiCenter/services/workspaces/apis/write, while API definitions/specifications are managed through separate API definition operations. References:
- https://learn.microsoft.com/en-us/rest/api/resource-manager/apicenter/apis/create-or-update?view=rest-resource-manager-apicenter-2024-03-01
- https://learn.microsoft.com/en-us/rest/api/resource-manager/apicenter/api-definitions/create-or-update?view=rest-resource-manager-apicenter-2024-03-01
The best practice resolution is to:
- Use a custom role with Microsoft.ApiCenter/services/workspaces/apis/write.
- Do not grant API definition/specification write, import, or delete permissions.
- Do not grant API delete permissions.
- Do not grant environment, deployment, metadata schema, service, or workspace write permissions.
- Assign the role at the specific API resource scope where possible, not broadly at subscription or resource group level.
This gives you the closest valid RBAC-only implementation for “API metadata editor” in Azure API Center. It allows API-level metadata updates while preventing OpenAPI/specification changes, API deletion, deployments, environments, and platform configuration changes. However, Azure RBAC cannot restrict editing to individual JSON fields inside the API resource body, because RBAC controls operations, not individual API properties.
Use the below resource links for more reading and implementation:
- Azure API Center API create/update REST API: https://learn.microsoft.com/en-us/rest/api/resource-manager/apicenter/apis/create-or-update?view=rest-resource-manager-apicenter-2024-03-01
- Azure API Center metadata concepts: https://learn.microsoft.com/en-us/azure/api-center/metadata
- Azure API Center API definitions operations: https://learn.microsoft.com/en-us/rest/api/resource-manager/apicenter/api-definitions?view=rest-resource-manager-apicenter-2024-03-01
- Azure custom roles: https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
- Azure RBAC role definitions: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions
- Azure resource provider operations: https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.
Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
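As an added example (not part of the answer above, and not Microsoft's own tooling), the following Python snippet builds the role definition the answer recommends and lints a proposed role against its constraints. Only Microsoft.ApiCenter/services/workspaces/apis/write and the rejected services/apis/metadata/* actions come from the answer; the other operation names, the read action, and the placeholder scope are assumptions and should be confirmed against the resource provider operations list linked above.

```python
# Added example: build the least-privilege "API metadata editor" role described
# above and lint a proposed role against it.  Only services/workspaces/apis/write
# is taken from the answer; the other operation names are assumptions (see below).
import fnmatch

# Constructed placeholder scope: one API resource, not a subscription or RG.
API_SCOPE = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.ApiCenter"
             "/services/<apicenter>/workspaces/default/apis/<api-name>")

# Operations the role must not grant (assumed names; confirm against the provider operations list).
FORBIDDEN = [
    "Microsoft.ApiCenter/services/workspaces/apis/delete",
    "Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/write",
    "Microsoft.ApiCenter/services/workspaces/apis/versions/definitions/import/action",
    "Microsoft.ApiCenter/services/workspaces/apis/deployments/write",
    "Microsoft.ApiCenter/services/workspaces/environments/write",
    "Microsoft.ApiCenter/services/metadataSchemas/write",
    "Microsoft.ApiCenter/services/workspaces/write",
    "Microsoft.ApiCenter/services/write",
]
# Prefix of the actions the answer says do not exist in API Center.
NONEXISTENT = "Microsoft.ApiCenter/services/apis/metadata/"

def metadata_editor_role(scope: str = API_SCOPE) -> dict:
    """Role definition in the JSON shape used by `az role definition create`."""
    return {
        "Name": "API Center API Metadata Editor",
        "IsCustom": True,
        "Description": "Edit API metadata only; no definitions, deletes, deployments, config.",
        "Actions": [
            "Microsoft.ApiCenter/services/workspaces/apis/read",   # assumed read op
            "Microsoft.ApiCenter/services/workspaces/apis/write",  # from the answer
        ],
        "NotActions": [], "DataActions": [], "NotDataActions": [],
        "AssignableScopes": [scope],  # API resource scope, as the answer advises
    }

def lint_role(role: dict) -> list[str]:
    """Return findings for a proposed role; an empty list means it passes."""
    findings = []
    for action in role.get("Actions", []):
        if action.startswith(NONEXISTENT):
            findings.append(f"not a valid API Center operation: {action}")
        # A wildcard such as Microsoft.ApiCenter/* matches every operation below it.
        hit = [op for op in FORBIDDEN if fnmatch.fnmatch(op, action)]
        if hit:
            findings.append(f"{action} grants {hit[0]}")
    for scope in role.get("AssignableScopes", []):
        if "/providers/Microsoft.ApiCenter/services/" not in scope:
            findings.append(f"scope wider than an API Center resource: {scope}")
    return findings
```

Run `lint_role` against the role JSON from the question to see the two invalid metadata actions flagged, then feed `metadata_editor_role()` to `az role definition create --role-definition` after replacing the placeholder scope.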