Note
Access to this page requires authorization. You can try signing in or changing directories.
Access to this page requires authorization. You can try changing directories.
APPLIES TO: 
Azure Database for PostgreSQL flexible server
To create and monitor migrations using the PostgreSQL Migration Service, users need specific permissions. Here's a guide on the permissions required and steps to configure them effectively.
The following permissions are the minimum required for a user to successfully create and monitor migrations:
Resource Group and Subscription Permissions
- Microsoft.Resources/subscriptions/resourceGroups/read
- Microsoft.Resources/subscriptions/read
- Microsoft.Resources/subscriptions/locations/read
- Microsoft.Resources/subscriptions/resourceGroups/deployments/read
- Microsoft.Resources/deployments/read
- Microsoft.Resources/subscriptions/resourceGroups/resources/read
Migration-Specific Permissions
- Microsoft.DBforPostgreSQL/flexibleServers/checkMigrationNameAvailability/action
- Microsoft.DBforPostgreSQL/flexibleServers/migrations/write
- Microsoft.DBforPostgreSQL/flexibleServers/migrations/read
- Microsoft.DBforPostgreSQL/flexibleServers/migrations/delete
Flexible Server Access Permissions
- Microsoft.DBforPostgreSQL/flexibleServers/read
- Microsoft.DBforPostgreSQL/flexibleServers/databases/read
Source Server Access Permissions (Required for Single Server Sources only)
- Microsoft.DBforPostgreSQL/servers/read
- Microsoft.DBforPostgreSQL/servers/administrators/read
- Microsoft.DBforPostgreSQL/servers/databases/read
Connectivity and Database List Actions
- Microsoft.DBforPostgreSQL/flexibleServers/testConnectivity/action
- Microsoft.DBforPostgreSQL/flexibleServers/getSourceDatabaseList/action
Configuration Access Permissions
- Microsoft.DBforPostgreSQL/flexibleServers/configurations/read
- Microsoft.DBforPostgreSQL/servers/configurations/read
By default, privileged administrator roles such as Owner or Contributor at the subscription level have the necessary permissions enabled.
If you want to grant permissions specifically for creating and monitoring migrations, without additional database admin privileges, consider creating a custom role.
Create a custom role with the permissions listed above.
Assign the custom role's scope at the subscription level for both the single server and flexible server involved in the migration.
Assign this custom role to the user responsible for conducting the migration.
If a runtime server is part of your migration setup, ensure the permissions Microsoft.DBforPostgreSQL/flexibleServers/migrations/* are included in the scope of the runtime server.
By setting up these permissions, you ensure that your migration process is both secure and aligned with PostgreSQL Migration Service requirements.