Azure Cosmos DB Access Control - Exam AZ-204: Developing Solutions for Microsoft Azure

Role-Based Access Control for Azure AD Group

Question

You are developing a Java application that uses Cassandra to store key and value data.

You plan to use a new Azure Cosmos DB resource and the Cassandra API in the application.

You create an Azure Active Directory (Azure AD) group named Cosmos DB Creators to enable provisioning of Azure Cosmos accounts, databases, and containers.

The Azure AD group must not be able to access the keys that are required to access the data.

You need to restrict access to the Azure AD group.

Which role-based access control should you use?

Answers

A. DocumentDB Accounts Contributor
B. Cosmos Backup Operator
C. Cosmos DB Operator
D. Cosmos DB Account Reader

C.

Explanations

Azure Cosmos DB now provides a new RBAC role, Cosmos DB Operator.

This new role lets you provision Azure Cosmos accounts, databases, and containers, but can't access the keys that are required to access the data.

This role is intended for use in scenarios where the ability to grant access to Azure Active Directory service principals to manage deployment operations for Cosmos DB is needed, including the account, database, and containers.

https://azure.microsoft.com/en-us/updates/azure-cosmos-db-operator-role-for-role-based-access-control-rbac-is-now-available/
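As an added illustration (not from the original page, and not Microsoft's built-in role definition), the following custom Azure RBAC role definition expresses the same restriction the explanation above describes: management-plane rights over Cosmos DB accounts, with the operations that list or regenerate account keys subtracted through NotActions. The role name, description and the subscription placeholder in AssignableScopes are assumptions; the action strings are the standard Microsoft.DocumentDB resource-provider operations.

```json
{
  "Name": "Cosmos DB Provisioner (example)",
  "IsCustom": true,
  "Description": "Example role, not a Microsoft built-in role: provision Cosmos DB accounts, databases and containers without access to the account keys.",
  "Actions": [
    "Microsoft.DocumentDB/databaseAccounts/*",
    "Microsoft.Resources/deployments/*",
    "Microsoft.Resources/subscriptions/resourceGroups/read"
  ],
  "NotActions": [
    "Microsoft.DocumentDB/databaseAccounts/listKeys/action",
    "Microsoft.DocumentDB/databaseAccounts/readonlykeys/action",
    "Microsoft.DocumentDB/databaseAccounts/regenerateKey/action",
    "Microsoft.DocumentDB/databaseAccounts/listConnectionStrings/action"
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id-placeholder>"
  ]
}
```

Register it with `az role definition create --role-definition @role.json`, then assign it to the group with `az role assignment create --role "Cosmos DB Provisioner (example)" --assignee-object-id <group-object-id> --assignee-principal-type Group --scope <resource-group-or-subscription-scope>`. To confirm the restriction, a member of the group running `az cosmosdb keys list --name <account> --resource-group <rg>` should receive an AuthorizationFailed error while account, database and container deployments still succeed. Note that NotActions only narrow this role; they are not a deny rule, so any other role assignment that grants listKeys to the same group would still expose the keys, which is why the group's other assignments should be reviewed as well.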

Based on the scenario, you are developing a Java application that uses Cassandra to store key and value data. You plan to use a new Azure Cosmos DB resource and the Cassandra API in the application. You have created an Azure AD group named Cosmos DB Creators to enable provisioning of Azure Cosmos accounts, databases, and containers. However, the Azure AD group must not be able to access the keys that are required to access the data. Therefore, you need to restrict access to the Azure AD group using role-based access control.

Azure Cosmos DB provides various built-in roles that you can use to assign permissions to users or groups to access your Cosmos DB account and its resources. In this case, you need to restrict the access of the Azure AD group to the keys required to access the data, so the appropriate role-based access control to use would be the Cosmos DB Account Reader.

The Cosmos DB Account Reader role provides read-only access to the Cosmos DB account and its resources, including keys, but does not allow any modifications or management operations. Therefore, this role is ideal for scenarios where you want to grant users or groups read-only access to the Cosmos DB account and its resources without allowing them to make any changes.

Option A (DocumentDB Accounts Contributor) is not the correct answer as this role provides full access to the Cosmos DB account, including read, write, and management operations.

Option B (Cosmos Backup Operator) is not the correct answer as this role is specifically for performing backup and restore operations for Cosmos DB resources.

Option C (Cosmos DB Operator) is not the correct answer as this role provides full access to the Cosmos DB account, including read, write, and management operations.

Therefore, the correct answer is option D (Cosmos DB Account Reader).