Required permissions for the Connector in Azure

Contributors netapp-bcammett

Cloud Manager requires permissions to perform actions in your cloud provider. These permissions are included in the policies provided by NetApp. You might want to understand what Cloud Manager does with these permissions.

The Cloud Manager Azure policy includes the permissions that Cloud Manager needs to deploy and manage Cloud Volumes ONTAP in Azure.

Actions Purpose

"Microsoft.Compute/locations/operations/read",
"Microsoft.Compute/locations/vmSizes/read",
"Microsoft.Compute/operations/read",
"Microsoft.Compute/virtualMachines/instanceView/read",
"Microsoft.Compute/virtualMachines/powerOff/action",
"Microsoft.Compute/virtualMachines/read",
"Microsoft.Compute/virtualMachines/restart/action",
"Microsoft.Compute/virtualMachines/start/action",
"Microsoft.Compute/virtualMachines/deallocate/action",
"Microsoft.Compute/virtualMachines/vmSizes/read",
"Microsoft.Compute/virtualMachines/write",

Creates Cloud Volumes ONTAP and stops, starts, deletes, and obtains the status of the system.

"Microsoft.Compute/images/write",
"Microsoft.Compute/images/read",

Enables Cloud Volumes ONTAP deployment from a VHD.

"Microsoft.Compute/disks/delete",
"Microsoft.Compute/disks/read",
"Microsoft.Compute/disks/write",
"Microsoft.Storage/checknameavailability/read",
"Microsoft.Storage/operations/read",
"Microsoft.Storage/storageAccounts/listkeys/action",
"Microsoft.Storage/storageAccounts/read",
"Microsoft.Storage/storageAccounts/regeneratekey/action",
"Microsoft.Storage/storageAccounts/write"
"Microsoft.Storage/storageAccounts/delete",
"Microsoft.Storage/usages/read",

Manages Azure storage accounts and disks, and attaches the disks to Cloud Volumes ONTAP.

"Microsoft.Storage/storageAccounts/blobServices/containers/read",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/accessPolicies/write"

Enables backups to Azure Blob storage and encryption of storage accounts

"Microsoft.Network/networkInterfaces/read",
"Microsoft.Network/networkInterfaces/write",
"Microsoft.Network/networkInterfaces/join/action",

Creates and manages network interfaces for Cloud Volumes ONTAP in the target subnet.

"Microsoft.Network/networkSecurityGroups/read",
"Microsoft.Network/networkSecurityGroups/write",
"Microsoft.Network/networkSecurityGroups/join/action",

Creates predefined network security groups for Cloud Volumes ONTAP.

"Microsoft.Resources/subscriptions/locations/read",
"Microsoft.Network/locations/operationResults/read",
"Microsoft.Network/locations/operations/read",
"Microsoft.Network/virtualNetworks/read",
"Microsoft.Network/virtualNetworks/checkIpAddressAvailability/read",
"Microsoft.Network/virtualNetworks/subnets/read",
"Microsoft.Network/virtualNetworks/subnets/virtualMachines/read",
"Microsoft.Network/virtualNetworks/virtualMachines/read",
"Microsoft.Network/virtualNetworks/subnets/join/action",

Gets network information about regions, the target VNet and subnet, and adds Cloud Volumes ONTAP to VNets.

"Microsoft.Network/virtualNetworks/subnets/write",
"Microsoft.Network/routeTables/join/action",

Enables VNet service endpoints for data tiering.

"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",

Deploys Cloud Volumes ONTAP from a template.

"Microsoft.Resources/deployments/operations/read",
"Microsoft.Resources/deployments/read",
"Microsoft.Resources/deployments/write",
"Microsoft.Resources/resources/read",
"Microsoft.Resources/subscriptions/operationresults/read",
"Microsoft.Resources/subscriptions/resourceGroups/delete",
"Microsoft.Resources/subscriptions/resourceGroups/read",
"Microsoft.Resources/subscriptions/resourcegroups/resources/read",
"Microsoft.Resources/subscriptions/resourceGroups/write",

Creates and manages resource groups for Cloud Volumes ONTAP.

"Microsoft.Compute/snapshots/write",
"Microsoft.Compute/snapshots/read",
"Microsoft.Compute/snapshots/delete",
"Microsoft.Compute/disks/beginGetAccess/action",

Creates and manages Azure managed snapshots.

"Microsoft.Compute/availabilitySets/write",
"Microsoft.Compute/availabilitySets/read",

Creates and manages availability sets for Cloud Volumes ONTAP.

"Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/read",
"Microsoft.MarketplaceOrdering/offertypes/publishers/offers/plans/agreements/write",

Enables programmatic deployments from the Azure Marketplace.

"Microsoft.Network/loadBalancers/read",
"Microsoft.Network/loadBalancers/write",
"Microsoft.Network/loadBalancers/delete",
"Microsoft.Network/loadBalancers/backendAddressPools/read",
"Microsoft.Network/loadBalancers/backendAddressPools/join/action",
"Microsoft.Network/loadBalancers/frontendIPConfigurations/read",
"Microsoft.Network/loadBalancers/loadBalancingRules/read",
"Microsoft.Network/loadBalancers/probes/read",
"Microsoft.Network/loadBalancers/probes/join/action",

Manages an Azure load balancer for HA pairs.

"Microsoft.Authorization/locks/*",

Enables management of locks on Azure disks.

"Microsoft.Authorization/roleDefinitions/write",
"Microsoft.Authorization/roleAssignments/write",
"Microsoft.Web/sites/*"

Manages failover for HA pairs.

"Microsoft.Network/privateEndpoints/write",
"Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action",
"Microsoft.Storage/storageAccounts/privateEndpointConnections/read",
"Microsoft.Network/privateEndpoints/read",
"Microsoft.Network/privateDnsZones/write",
"Microsoft.Network/privateDnsZones/virtualNetworkLinks/write",
"Microsoft.Network/virtualNetworks/join/action",
"Microsoft.Network/privateDnsZones/A/write",
"Microsoft.Network/privateDnsZones/read",
"Microsoft.Network/privateDnsZones/virtualNetworkLinks/read",

Enables the management of private endpoints. Private endpoints are used when connectivity isn’t provided to outside the subnet. Cloud Manager creates the storage account for HA with only internal connectivity within the subnet.

"Microsoft.NetApp/netAppAccounts/capacityPools/volumes/delete",

Enables Cloud Manager to delete volumes for Azure NetApp Files.

"Microsoft.Resources/deployments/operationStatuses/read"

Azure requires this permission for some virtual machine deployments (it depends on the underlying physical hardware that’s used during deployment).

"Microsoft.Resources/deployments/operationStatuses/read",
"Microsoft.Insights/Metrics/Read",
"Microsoft.Compute/virtualMachines/extensions/write",
"Microsoft.Compute/virtualMachines/extensions/read",
"Microsoft.Compute/virtualMachines/extensions/delete",
"Microsoft.Compute/virtualMachines/delete",
"Microsoft.Network/networkInterfaces/delete",
"Microsoft.Network/networkSecurityGroups/delete",
"Microsoft.Resources/deployments/delete",

Enables you to use Global File Cache.

"Microsoft.Network/privateEndpoints/delete",
"Microsoft.Compute/availabilitySets/delete",

Enables Cloud Manager to remove resources from a resource group that belong to Cloud Volumes ONTAP in case of deployment failure or deletion.

"Microsoft.Compute/diskEncryptionSets/read"
"Microsoft.Compute/diskEncryptionSets/write",
"Microsoft.Compute/diskEncryptionSets/delete"
"Microsoft.KeyVault/vaults/deploy/action",
"Microsoft.KeyVault/vaults/read",
"Microsoft.KeyVault/vaults/accessPolicies/write",

Enables use of customer-managed encryption keys with Cloud Volumes ONTAP. This feature is supported using APIs.

"Microsoft.Resources/tags/read",
"Microsoft.Resources/tags/write",
"Microsoft.Resources/tags/delete"

Enables you to manage tags on your Azure resources using the Cloud Manager Tagging service.

"Microsoft.Network/applicationSecurityGroups/write",
"Microsoft.Network/applicationSecurityGroups/read",
"Microsoft.Network/applicationSecurityGroups/joinIpConfiguration/action",
"Microsoft.Network/networkSecurityGroups/securityRules/write",
"Microsoft.Network/applicationSecurityGroups/delete",
"Microsoft.Network/networkSecurityGroups/securityRules/delete"

Enables Cloud Manager to configure an application security group for an HA pair, which isolates the HA interconnect and cluster network NICs.