Roles and permissions
Learn how to manage access to recommendations and reviews for your organization.
Advisor uses the built-in roles provided by Azure role-based access control (Azure RBAC).
Review the following section to learn more about each role and the associated access.
| Role | View recommendations | Dismiss and postpone recommendations |
|---|---|---|
| Subscription Reader | X | |
| Subscription Contributor | X | X |
| Subscription Owner | X | X |
| Resource group Reader | X | |
| Resource group Contributor | X | X |
| Resource group Owner | X | X |
| Resource Reader | X | |
| Resource Contributor | X | X |
| Resource Owner | X | X |
| Role | Edit rules | Edit subscription configuration | Edit resource group configuration |
|---|---|---|---|
| Subscription Contributor | X | X | X |
| Subscription Owner | X | X | X |
| Resource group Contributor | X | ||
| Resource group Owner | X |
Note
You must have access to the resource associated with the recommendation to view a recommendation.
To learn more about built-in roles, see Azure built-in roles. To learn more about Azure role-based access control (Azure RBAC), see What is Azure role-based access control (Azure RBAC)?.
The permissions vary by role. The roles must be configured for the subscription that was used to publish the review.
| Role | View reviews for a workload and all recommendations associated with the reviews | Triage recommendations associated with the reviews |
|---|---|---|
| Advisor Reviews Reader | X | |
| Advisor Reviews Contributor | X | X |
| Subscription Reader | X | |
| Subscription Contributor | X | X |
| Subscription Owner | X | X |
The roles must be configured for the subscriptions included in the workload under a review.
| Role | View accepted recommendations | Manage the lifecycle of a recommendation |
|---|---|---|
| Advisor Recommendations Contributor (Assessments and Reviews) | X | X |
| Subscription Reader | X | |
| Subscription Contributor | X | |
| Subscription Owner | X |
Learn how to assign an Azure role, see Steps to assign an Azure role.
Manage access to Advisor Well-Architected Framework (WAF) using built-in roles. The permissions vary by role.
| Role | Detail |
|---|---|
| Reader | View assessments for a subscription or workload and the associated recommendations. |
| Contributor | Create assessments for a subscription or workload and manage lifecycle of the associated recommendations. |
Note
The role must be configured for the relevant subscription to create the assessment and view the corresponding recommendations.
If your organization requires roles that don't match the Azure built-in roles, create your own custom role. A custom role works like a built-in role and allow you to assign it to users, groups, and service principals at management group, subscription, and resource group scopes. Use the following actions to create your custom role.
| Action | Details |
|---|---|
Microsoft.Advisor/generateRecommendations/action |
Create a Recommendation. |
Microsoft.Advisor/register/action |
Register with the Provider. |
Microsoft.Advisor/unregister/action |
Unregister with the Provider. |
Microsoft.Advisor/advisorScore/read |
Gets Advisor score. |
Microsoft.Advisor/configurations/read |
Read Configurations. |
Microsoft.Advisor/configurations/write |
Create or update Configuration. |
Microsoft.Advisor/generateRecommendations/read |
Get status of generateRecommendations action. |
Microsoft.Advisor/metadata/read |
Read Metadata. |
Microsoft.Advisor/operations/read |
Get operations. |
Microsoft.Advisor/recommendations/read |
Read recommendations. |
Microsoft.Advisor/recommendations/write |
Create recommendations. |
Microsoft.Advisor/recommendations/available/action |
New recommendation is available. |
Microsoft.Advisor/recommendations/suppressions/read |
Read Suppressions. |
Microsoft.Advisor/recommendations/suppressions/write |
Create or update Suppressions. |
Microsoft.Advisor/recommendations/suppressions/delete |
Delete Suppression. |
Microsoft.Advisor/suppressions/read |
Read Suppressions. |
Microsoft.Advisor/suppressions/write |
Create or update Suppressions. |
Microsoft.Advisor/suppressions/delete |
Delete Suppression. |
Microsoft.Advisor/assessmentTypes/read |
Reads AssessmentTypes. |
Microsoft.Advisor/assessments/read |
Reads Assessments. |
Microsoft.Advisor/assessments/write |
Create Assessments. |
Microsoft.Advisor/resiliencyReviews/read |
Reads resiliencyReviews. |
Microsoft.Advisor/triageRecommendations/read |
Reads triageRecommendations. |
Microsoft.Advisor/triageRecommendations/approve/action |
Approves triageRecommendations. |
Microsoft.Advisor/triageRecommendations/reject/action |
Rejects triageRecommendations. |
Microsoft.Advisor/triageRecommendations/reset/action |
Resets triageRecommendations. |
Microsoft.Advisor/workloads/read |
Reads workloads. |
Note
For example, you must have a sufficient permission level for a virtual machine (VM) to view recommendations associated with the VM.
To learn more about custom roles, see Azure custom roles.
If your permission level is too low, your access to the associated action is blocked. Review common problems in the following section.
When you try to configure a subscription or resource group, the option to include or exclude is blocked. The blocked status indicates that your permission level for that resource group or subscription is insufficient. To learn how to change your permission level, see Tutorial: Grant a user access to Azure resources using the Azure portal.
When you try to postpone or dismiss a recommendation, you receive an error. The error indicates that your permission level is insufficient. You must have a sufficient permission level to dismiss recommendations.
Tip
After you dismiss a recommendation, you must manually reactivate it before it is added in your list of recommendations. If you dismiss a recommendation, you may miss important advice that optimizes your Azure deployment.
To postpone or dismiss a recommendation, verify that your permission level for the resource associated with the recommendation is set to Contributor or better. To learn how to change your permission level, see Tutorial: Grant a user access to Azure resources using the Azure portal.
This article provided an overview of how Advisor uses Azure role-based access control (Azure RBAC) to control user permissions and how to resolve common problems. To learn more about Advisor, see the following articles.