To configure and use inventory scan for Azure Blob Storage, you must assign specific Azure permissions at the subscription level. These permissions enable Commvault to create and manage inventory policies and access inventory reports.
Required Roles
Configure the following roles at the subscription level for the service principal or user account used by Commvault:
Standard Roles
- Storage Blob Data Owner
- Reader Role
Custom Role for Inventory Management
Create a custom role with granular permissions for inventory policy management, and assign it at the storage account level:
Role Name: custom-inventory-role
Permissions:
{
  "id": "/subscriptions/{subscription-id}/providers/Microsoft.Authorization/roleDefinitions/{role-id}",
  "properties": {
    "roleName": "custom-inventory-role",
    "description": "Custom role for Azure Storage inventory management",
    "assignableScopes": [
      "/subscriptions/{subscription-id}"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/storageAccounts/inventoryPolicies/read",
          "Microsoft.Storage/storageAccounts/inventoryPolicies/write"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
Alternative: Built-in Role
If you prefer to use a built-in role instead of creating a custom role, you can use the Storage Account Contributor Role at the storage account level.
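A pre-deployment check for the custom role above, added here as an example and not part of Commvault's or Microsoft's tooling: it audits a role definition for anything beyond the two inventory policy actions and checks that an assignment scope is a single storage account. The function names, the BROAD_ROLE sample, and the scope pattern are assumptions made for this example.

```python
import re
from fnmatch import fnmatchcase

# The two control-plane actions from the custom role on this page (lowercased).
REQUIRED = (
    "microsoft.storage/storageaccounts/inventorypolicies/read",
    "microsoft.storage/storageaccounts/inventorypolicies/write",
)
# Shape of a single-storage-account scope, the level the page assigns the role at.
ACCOUNT_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.Storage/storageAccounts/[^/]+$", re.IGNORECASE)

def audit_role(definition):
    """Return least-privilege findings for a role definition dict."""
    findings, granted = [], []
    for perm in definition.get("properties", {}).get("permissions", []):
        for action in perm.get("actions", []):
            granted.append(action.lower())
            if "*" in action:
                findings.append(f"wildcard action: {action}")
            elif action.lower() not in REQUIRED:
                findings.append(f"action beyond inventory policies: {action}")
        for data_action in perm.get("dataActions", []):
            findings.append(f"unexpected dataAction: {data_action}")
    for need in REQUIRED:
        if not any(fnmatchcase(need, pattern) for pattern in granted):
            findings.append(f"missing required action: {need}")
    return findings

def audit_assignment_scope(scope):
    """Flag a custom-role assignment whose scope is not one storage account."""
    if ACCOUNT_SCOPE.match(scope):
        return []
    return [f"scope is not a single storage account: {scope}"]

def _role(actions):
    # Helper for the constructed samples below.
    return {"properties": {"permissions": [{"actions": actions, "dataActions": []}]}}

# Constructed samples: the page's role, and a hypothetical over-broad one.
PAGE_ROLE = _role(["Microsoft.Storage/storageAccounts/inventoryPolicies/read",
                   "Microsoft.Storage/storageAccounts/inventoryPolicies/write"])
BROAD_ROLE = _role(["Microsoft.Storage/storageAccounts/*"])

if __name__ == "__main__":
    print(audit_role(PAGE_ROLE))
    print(audit_role(BROAD_ROLE))
    print(audit_assignment_scope("/subscriptions/{subscription-id}"))
```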