Query on Custom RBAC Role for API Metadata Editing in Azure API Center
Hi,
I am working as part of the API Platform team managing a centralized API governance model using Azure API Center and Azure RBAC. As part of our platform enablement and least‑privilege access strategy, we are evaluating the feasibility of defining a custom role with restricted permissions.
Requirement
We would like to understand whether it is possible to create a custom RBAC role in Azure API Center with the following scope:
- Allow users (e.g., API Product Owners) to:
- Edit/update API metadata only (e.g., title, description, owners, business metadata, tags, etc.)
- Restrict users from:
- Modifying API definitions (OpenAPI specs)
- Deleting APIs
- Managing environments, deployments, or other platform-level configurations
- Making changes outside metadata scope
If possible, please share:
- A list of RBAC actions relevant to API Center metadata operations
- Share the custom role definition in API Center to Edit/update API metadata only
I'm thinking of creating a custom role like this; I'm not sure whether it will work or not:
{
  "Name": "API Center Metadata Editor",
  "Description": "Can view APIs and update metadata (via API write operation).",
  "IsCustom": true,
  "Actions": [
    "Microsoft.ApiCenter/services/read",
    "Microsoft.ApiCenter/services/apis/read",
    "Microsoft.ApiCenter/services/apis/metadata/read",
    "Microsoft.ApiCenter/services/apis/metadata/write"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP_NAME"
  ]
}
Thank you for your support.
Praveen Kumar Kushwaha 0 Reputation points
Need inputs to define a custom role in API Center to edit/update API metadata only.
Siddhesh Desai 7,480 Reputation points • Microsoft External Staff • Moderator
Thank you for reaching out to Microsoft Q&A.
Azure API Center uses Azure RBAC for access control; however, based on the currently published Azure API Center resource provider operations, there are no documented RBAC permissions such as Microsoft.ApiCenter/services/apis/metadata/read or Microsoft.ApiCenter/services/apis/metadata/write. API metadata is managed as part of the API resource itself, and Azure API Center documentation does not currently expose separate RBAC actions that distinguish metadata updates from API definition updates. Because of this, granting write permissions on APIs would generally allow modifications to the API resource as a whole, making it difficult to enforce a strict "metadata-only editor" role using Azure RBAC alone. Therefore, the custom role definition shared in the question is unlikely to work because the referenced metadata-specific operations are not documented Azure API Center permissions.

Refer to the points below to resolve this issue or as a workaround:
1. Metadata-specific RBAC actions do not appear to be available
The following actions are not currently documented Azure API Center resource provider operations:
"Microsoft.ApiCenter/services/apis/metadata/read"
"Microsoft.ApiCenter/services/apis/metadata/write"
Therefore, Azure RBAC cannot validate or grant permissions using these action names.
2. API write permission may allow broader modifications
To update API properties, users typically require API-level write permissions such as:
"Microsoft.ApiCenter/services/apis/write"
However, this permission is not documented as being limited to metadata updates only and may allow changes to other API properties, including API definitions. Therefore, RBAC alone may not provide the level of separation required between metadata management and API definition management.
3. Verify the available API Center operations in your tenant
To confirm the exact operations currently exposed by the Azure API Center resource provider in your environment, run the following command:
PowerShell
Get-AzProviderOperation Microsoft.ApiCenter/* | Select-Object Operation
Azure CLI
az provider operation show --namespace Microsoft.ApiCenter
Review the output to determine whether Microsoft has introduced granular operations for metadata management that are not yet reflected in public documentation.
4. Consider a custom role with API write and delete restrictions
If your objective is to prevent API deletion while still allowing API updates, you can consider a role similar to:
JSON
{
  "Name": "API Center Metadata Editor",
  "Description": "Can read and update APIs in API Center",
  "Actions": [
    "Microsoft.ApiCenter/services/read",
    "Microsoft.ApiCenter/services/apis/read",
    "Microsoft.ApiCenter/services/apis/write"
  ],
  "NotActions": [
    "Microsoft.ApiCenter/services/apis/delete"
  ],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
Please note that this approach may still allow broader API modifications and does not guarantee metadata-only access.
5. Recommended workaround – Use governance controls outside RBAC
A common governance approach is to:
- Allow API Product Owners to maintain API metadata in API Center.
- Store OpenAPI specifications in GitHub or Azure DevOps repositories.
- Protect API definitions through:
- Pull Request approvals
- Branch protection policies
- CODEOWNERS
- CI/CD validation pipelines
- Use API Center primarily for API inventory, discovery, and metadata governance.
This provides stronger separation between metadata management and API definition management than RBAC currently offers. Azure API Center documentation emphasizes metadata governance, custom metadata, API inventory management, and integration with automation workflows for governance scenarios.
Conclusion
At present, Azure API Center documentation does not show support for a dedicated RBAC role that can update only API metadata while preventing modifications to API definitions. The proposed custom role is therefore unlikely to function as expected because the metadata-specific permissions referenced are not documented API Center operations. The recommended approach is to verify the currently available provider operations and complement RBAC with repository, approval, and CI/CD governance controls.
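The answer's steps 3 and 4 amount to a check a practitioner can script before assigning any custom role: take the provider's published operation list, confirm that every Action and NotAction in the candidate role resolves to at least one real operation under Azure RBAC's `*` wildcard semantics, and compute what the role actually grants after NotActions are subtracted. The script below is an added example written for this thread, not code from the original post or from Microsoft. The provider operation list embedded in it is constructed from the operation names mentioned in the thread so that it runs offline; in practice replace PROVIDER_JSON with the output of `az provider operation show --namespace Microsoft.ApiCenter`. The assumed output shape (`operations` at the top level plus `resourceTypes[].operations`, each with a `name`) is an assumption about that command's JSON and should be confirmed against your own tenant.

```python
"""Validate a candidate Azure custom role against a resource provider's published
operations and compute the role's effective permissions.

Added example for the thread above, not the original poster's or Microsoft's code.
"""
import json
import re

# CONSTRUCTED stand-in for `az provider operation show --namespace Microsoft.ApiCenter`,
# limited to the operation names discussed in the thread (assumption, not real output).
PROVIDER_JSON = json.dumps({
    "name": "Microsoft.ApiCenter",
    "operations": [],
    "resourceTypes": [
        {"name": "services", "operations": [
            {"name": "Microsoft.ApiCenter/services/read"},
            {"name": "Microsoft.ApiCenter/services/write"},
            {"name": "Microsoft.ApiCenter/services/delete"},
        ]},
        {"name": "services/apis", "operations": [
            {"name": "Microsoft.ApiCenter/services/apis/read"},
            {"name": "Microsoft.ApiCenter/services/apis/write"},
            {"name": "Microsoft.ApiCenter/services/apis/delete"},
        ]},
    ],
})

# The role from the question (metadata-specific actions) and the role from the answer.
QUESTIONER_ROLE = {
    "Name": "API Center Metadata Editor",
    "Actions": [
        "Microsoft.ApiCenter/services/read",
        "Microsoft.ApiCenter/services/apis/read",
        "Microsoft.ApiCenter/services/apis/metadata/read",
        "Microsoft.ApiCenter/services/apis/metadata/write",
    ],
    "NotActions": [],
}
ANSWER_ROLE = {
    "Name": "API Center Metadata Editor",
    "Actions": [
        "Microsoft.ApiCenter/services/read",
        "Microsoft.ApiCenter/services/apis/read",
        "Microsoft.ApiCenter/services/apis/write",
    ],
    "NotActions": ["Microsoft.ApiCenter/services/apis/delete"],
}


def load_provider_operations(provider_json: str) -> set[str]:
    """Collect operation names from top-level and per-resource-type lists."""
    data = json.loads(provider_json)
    names = {op["name"] for op in data.get("operations", [])}
    for rtype in data.get("resourceTypes", []):
        names.update(op["name"] for op in rtype.get("operations", []))
    return names


def _pattern(action: str) -> re.Pattern:
    # Azure RBAC: '*' spans any characters including '/', matching is case-insensitive.
    parts = [re.escape(p) for p in action.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE)


def matching_operations(action: str, operations) -> set[str]:
    """Published operations that an Action/NotAction string resolves to."""
    pat = _pattern(action)
    return {op for op in operations if pat.match(op)}


def undocumented_actions(role: dict, operations) -> list[str]:
    """Action/NotAction strings that match no published operation at all."""
    candidates = role.get("Actions", []) + role.get("NotActions", [])
    return [a for a in candidates if not matching_operations(a, operations)]


def effective_actions(role: dict, operations) -> set[str]:
    """Operations the role grants: union of Actions minus union of NotActions."""
    allowed: set[str] = set()
    for a in role.get("Actions", []):
        allowed |= matching_operations(a, operations)
    for a in role.get("NotActions", []):
        allowed -= matching_operations(a, operations)
    return allowed


if __name__ == "__main__":
    ops = load_provider_operations(PROVIDER_JSON)
    for role in (QUESTIONER_ROLE, ANSWER_ROLE):
        print(f"== {role['Name']} ==")
        print("undocumented:", undocumented_actions(role, ops))
        print("effective:   ", sorted(effective_actions(role, ops)))
```

Running it shows the two failure modes from the thread side by side: the questioner's role carries two action strings that resolve to nothing, and the answer's role grants the whole-resource `Microsoft.ApiCenter/services/apis/write` with no finer operation available to restrict it, which is why the answer falls back to repository and CI/CD controls for the definition itself.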