Use the following Azure permissions to protect Azure database workloads with Commvault. You can assign permissions at the subscription, resource group, or resource level depending on your organization's security requirements.
You can assign the required Azure permissions by using Azure built-in roles or Commvault custom roles. For downloadable custom role JSON files and role assignment guidance, see Role requirements for protecting Azure resources with Commvault.
Common Azure permissions
The following permissions are required across multiple Azure database workloads.
| Permission | Usage |
|---|---|
| Microsoft.Resources/subscriptions/resourceGroups/read | Get or list resource groups |
| Microsoft.Resources/subscriptions/resourceGroups/* | Perform actions for resource groups |
| Microsoft.Storage/storageAccounts/read | Return storage account properties |
| Microsoft.Storage/storageAccounts/listkeys/action | Return storage account access keys |
| Microsoft.Storage/storageAccounts/tableServices/* | Perform actions for table services |
Azure SQL Database permissions
Use the following permissions to protect Azure SQL Database workloads.
| Permission | Usage |
|---|---|
| Microsoft.Sql/servers/read | Return the list of SQL servers or get the properties for the specified server |
| Microsoft.Sql/servers/databases/read | Return the list of SQL databases or get the properties for the specified database |
| Microsoft.Sql/servers/databases/write | Create a SQL database or update the properties or tags for the specified database |
| Microsoft.Sql/servers/databases/delete | Delete an existing SQL database |
| Microsoft.Sql/servers/databases/export/action | Export Azure SQL Database |
| Microsoft.Sql/servers/databases/import/action | Import Azure SQL Database |
| Microsoft.Sql/servers/import/action | Import a new Azure SQL database |
| Microsoft.Sql/servers/importExportOperationResults/read | Get in-progress import or export operations |
| Microsoft.Sql/servers/recoverableDatabases/read | List or get recoverable databases |
| Microsoft.Sql/servers/restorableDroppedDatabases/read | List or get restorable dropped databases |
| Microsoft.Sql/locations/longTermRetentionBackups/read | List long-term retention backups for databases in a location |
| Microsoft.Sql/locations/longTermRetentionServers/longTermRetentionBackups/read | List long-term retention backups for databases on a server |
| Microsoft.Sql/locations/*/read | Get available Azure SQL locations |
Azure SQL Managed Instance permissions
Use the following permissions to protect Azure SQL Managed Instance workloads.
Important
Line breaks in the Permission column are used for readability only. Each entry represents a single permission path.
| Permission | Usage |
|---|---|
| Microsoft.Sql/managedInstances/read | Return the list of SQL managed instances or get the properties for the specified managed instance |
| Microsoft.Sql/managedInstances/databases/read | Get existing managed databases |
| Microsoft.Sql/managedInstances/databases/write | Create a new managed database or update an existing managed database |
| Microsoft.Sql/managedInstances/restorableDroppedDatabases/read | List or get restorable dropped managed databases |
| Microsoft.Sql/locations/*/read | Get available Azure SQL locations |
| Microsoft.Sql/locations/longTermRetentionManagedInstanceBackups/read | List or get managed instance long-term retention backups for a location |
| Microsoft.Sql/locations/longTermRetentionManagedInstances/longTermRetentionManagedInstanceBackups/read | List or get managed instance long-term retention backups |
| Microsoft.Sql/locations/longTermRetentionManagedInstances/longTermRetentionDatabases/longTermRetentionManagedInstanceBackups/read | List or get long-term retention backups for a managed instance database |
| Microsoft.Sql/locations/longTermRetentionManagedInstanceBackupAzureAsyncOperation/read | Get managed instance long-term retention backup operation status |
| Microsoft.Sql/locations/managedDatabaseRestoreAzureAsyncOperation/completeRestore/action | Complete managed database restore operations |
Azure Cosmos DB permissions
Use the following permissions to protect Azure Cosmos DB workloads.
| Permission | Usage |
|---|---|
| Microsoft.DocumentDB/databaseAccounts/read | Read database accounts |
| Microsoft.DocumentDB/databaseAccounts/listKeys/action | List database account keys |
| Microsoft.DocumentDB/databaseAccounts/readonlykeys/action | Read database account readonly keys |
| Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/* | Perform actions for SQL containers |
| Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/* | Perform actions for MongoDB databases |
| Microsoft.DocumentDB/databaseAccounts/mongodbDatabases/collections/* | Perform actions for MongoDB collections |
| Microsoft.DocumentDB/databaseAccounts/cassandraKeyspaces/* | Perform actions for Cassandra keyspaces |
| Microsoft.DocumentDB/databaseAccounts/tables/* | Perform actions for tables |
| Microsoft.DocumentDB/cassandraClusters/read | Read managed Cassandra clusters |
Azure Database for PostgreSQL permissions
Use the following permissions to protect Azure Database for PostgreSQL workloads.
| Permission | Usage |
|---|---|
| Microsoft.DBforPostgreSQL/locations/* | Get PostgreSQL server operations |
| Microsoft.DBforPostgreSQL/servers/* | Perform actions for PostgreSQL servers |
| Microsoft.DBforPostgreSQL/flexibleServers/* | Perform actions for PostgreSQL Flexible Server |
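
As a check on a custom role before it is assigned, the following added example (not Commvault's code and not one of its downloadable role files) compares a role definition's Actions against the common and PostgreSQL tables above, reporting required permissions that are missing and granted actions broader than the tables call for. The role JSON, its name and the subscription ID are constructed; the check assumes NotActions is empty and compares action strings case-insensitively, as Azure does.

```python
import json
import re

# Permissions copied from this page's common and PostgreSQL tables.
REQUIRED = [
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/tableServices/*",
    "Microsoft.DBforPostgreSQL/locations/*",
    "Microsoft.DBforPostgreSQL/servers/*",
    "Microsoft.DBforPostgreSQL/flexibleServers/*",
]

# Constructed sample role: hypothetical name, placeholder subscription ID.
SAMPLE_ROLE = json.loads("""{
  "Name": "Example PostgreSQL Backup Role",
  "IsCustom": true,
  "Actions": [
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.DBforPostgreSQL/*",
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "NotActions": [],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}""")

def covers(granted, wanted):
    """True if the granted pattern includes everything the wanted pattern does."""
    # '*' in granted is a wildcard; a '*' in wanted is matched as a literal character.
    regex = ".*".join(re.escape(part) for part in granted.split("*"))
    return re.fullmatch(regex, wanted, re.IGNORECASE) is not None

def audit_role(role, required):
    """Return (missing, excess): required permissions not granted, granted actions beyond the list."""
    granted = role.get("Actions", [])  # assumption: NotActions is empty
    missing = [r for r in required if not any(covers(g, r) for g in granted)]
    excess = [g for g in granted if not any(covers(r, g) for r in required)]
    return missing, excess

if __name__ == "__main__":
    missing, excess = audit_role(SAMPLE_ROLE, REQUIRED)
    print("missing:", missing)
    print("excess: ", excess)
```
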
Azure Database for MySQL permissions
Use the following permissions to protect Azure Database for MySQL workloads.
| Permission | Usage |
|---|---|
| Microsoft.DBforMySQL/locations/* | Get MySQL server operations |
| Microsoft.DBforMySQL/servers/* | Perform actions for MySQL servers |
| Microsoft.DBforMySQL/flexibleServers/* | Perform actions for MySQL Flexible Server |
Azure Database for MariaDB permissions
Azure Database for MariaDB is supported only for applicable Azure deployments.
| Permission | Usage |
|---|---|
| Microsoft.DBforMariaDB/locations/* | Get MariaDB server operations |
| Microsoft.DBforMariaDB/servers/* | Perform actions for MariaDB servers |