Note
Access to this page requires authorization. You can try signing in or .
Access to this page requires authorization. You can try .
Microsoft.DocumentDB databaseAccounts/sqlRoleDefinitions
- Latest
- 2026-04-01-preview
- 2026-03-15
- 2025-11-01-preview
- 2025-10-15
- 2025-05-01-preview
- 2025-04-15
- 2024-12-01-preview
- 2024-11-15
- 2024-09-01-preview
- 2024-08-15
- 2024-05-15
- 2024-05-15-preview
- 2024-02-15-preview
- 2023-11-15
- 2023-11-15-preview
- 2023-09-15
- 2023-09-15-preview
- 2023-04-15
- 2023-03-15
- 2023-03-15-preview
- 2023-03-01-preview
- 2022-11-15
- 2022-11-15-preview
- 2022-08-15
- 2022-08-15-preview
- 2022-05-15
- 2022-05-15-preview
- 2022-02-15-preview
- 2021-11-15-preview
- 2021-10-15
- 2021-10-15-preview
- 2021-07-01-preview
- 2021-06-15
- 2021-05-15
- 2021-04-15
- 2021-04-01-preview
- 2021-03-01-preview
- 2020-06-01-preview
Bicep resource definition
The databaseAccounts/sqlRoleDefinitions resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions resource, add the following Bicep to your template.
resource symbolicname 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2026-04-01-preview' = {
parent: resourceSymbolicName
name: 'string'
properties: {
assignableScopes: [
'string'
]
permissions: [
{
dataActions: [
'string'
]
id: 'string'
notDataActions: [
'string'
]
}
]
roleName: 'string'
type: 'string'
}
}
Property Values
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent | In Bicep, you can specify the parent resource for a child resource. You only need to add this property when the child resource is declared outside of the parent resource. For more information, see Child resource outside parent resource. |
Symbolic name for resource of type: databaseAccounts |
| properties | Properties to create and update an Azure Cosmos DB SQL Role Definition. | SqlRoleDefinitionResource |
Permission
| Name | Description | Value |
|---|---|---|
| dataActions | An array of data actions that are allowed. | string[] |
| id | The id for the permission. | string |
| notDataActions | An array of data actions that are denied. | string[] |
SqlRoleDefinitionResource
| Name | Description | Value |
|---|---|---|
| assignableScopes | A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist. | string[] |
| permissions | The set of operations allowed through this Role Definition. | Permission[] |
| roleName | A user-friendly name for the Role Definition. Must be unique for the database account. | string |
| type | Indicates whether the Role Definition was built-in or user created. | 'BuiltInRole' 'CustomRole' |
Usage Examples
Bicep Samples
A basic example of deploying Cosmos DB SQL Role Definition.
param location string = 'westeurope'
param resourceName string = 'acctest0001'
resource databaseAccount 'Microsoft.DocumentDB/databaseAccounts@2021-10-15' = {
name: resourceName
location: location
kind: 'GlobalDocumentDB'
properties: {
capabilities: []
consistencyPolicy: {
defaultConsistencyLevel: 'Strong'
maxIntervalInSeconds: 5
maxStalenessPrefix: 100
}
databaseAccountOfferType: 'Standard'
defaultIdentity: 'FirstPartyIdentity'
disableKeyBasedMetadataWriteAccess: false
disableLocalAuth: false
enableAnalyticalStorage: false
enableAutomaticFailover: false
enableFreeTier: false
enableMultipleWriteLocations: false
ipRules: []
isVirtualNetworkFilterEnabled: false
locations: [
{
failoverPriority: 0
isZoneRedundant: false
locationName: 'West Europe'
}
]
networkAclBypass: 'None'
networkAclBypassResourceIds: []
publicNetworkAccess: 'Enabled'
virtualNetworkRules: []
}
}
resource sqlRoleDefinition 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-10-15' = {
name: 'c3ce1661-d0b9-3476-0a7c-2654ce2f3055'
parent: databaseAccount
properties: {
assignableScopes: [
databaseAccount.id
]
permissions: [
{
dataActions: [
'Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read'
]
}
]
roleName: resourceName
type: 'CustomRole'
}
}
Azure Verified Modules
The following Azure Verified Modules can be used to deploy this resource type.
| Module | Description |
|---|---|
| Cosmos DB - SQL Role Definition | AVM Child Module for Cosmos DB - SQL Role Definition |
Azure Quickstart Samples
The following Azure Quickstart templates contain Bicep samples for deploying this resource type.
| Bicep File | Description |
|---|---|
| Create an Azure Cosmos DB SQL Account with data plane RBAC | This template will create a SQL Cosmos account, a natively maintained Role Definition, and a natively maintained Role Assignment for an AAD identity. |
ARM template resource definition
The databaseAccounts/sqlRoleDefinitions resource type can be deployed with operations that target:
- Resource groups - See resource group deployment commands
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions resource, add the following JSON to your template.
{
"type": "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions",
"apiVersion": "2026-04-01-preview",
"name": "string",
"properties": {
"assignableScopes": [ "string" ],
"permissions": [
{
"dataActions": [ "string" ],
"id": "string",
"notDataActions": [ "string" ]
}
],
"roleName": "string",
"type": "string"
}
}
Property Values
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions
| Name | Description | Value |
|---|---|---|
| apiVersion | The api version | '2026-04-01-preview' |
| name | The resource name | string (required) |
| properties | Properties to create and update an Azure Cosmos DB SQL Role Definition. | SqlRoleDefinitionResource |
| type | The resource type | 'Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions' |
Permission
| Name | Description | Value |
|---|---|---|
| dataActions | An array of data actions that are allowed. | string[] |
| id | The id for the permission. | string |
| notDataActions | An array of data actions that are denied. | string[] |
SqlRoleDefinitionResource
| Name | Description | Value |
|---|---|---|
| assignableScopes | A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist. | string[] |
| permissions | The set of operations allowed through this Role Definition. | Permission[] |
| roleName | A user-friendly name for the Role Definition. Must be unique for the database account. | string |
| type | Indicates whether the Role Definition was built-in or user created. | 'BuiltInRole' 'CustomRole' |
Usage Examples
Azure Quickstart Templates
The following Azure Quickstart templates deploy this resource type.
| Template | Description |
|---|---|
| Create an Azure Cosmos DB SQL Account with data plane RBAC 👁 Deploy to Azure |
This template will create a SQL Cosmos account, a natively maintained Role Definition, and a natively maintained Role Assignment for an AAD identity. |
Terraform (AzAPI provider) resource definition
The databaseAccounts/sqlRoleDefinitions resource type can be deployed with operations that target:
- Resource groups
For a list of changed properties in each API version, see change log.
Resource format
To create a Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions resource, add the following Terraform to your template.
resource "azapi_resource" "symbolicname" {
type = "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2026-04-01-preview"
name = "string"
parent_id = "string"
body = {
properties = {
assignableScopes = [
"string"
]
permissions = [
{
dataActions = [
"string"
]
id = "string"
notDataActions = [
"string"
]
}
]
roleName = "string"
type = "string"
}
}
}
Property Values
Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions
| Name | Description | Value |
|---|---|---|
| name | The resource name | string (required) |
| parent_id | The ID of the resource that is the parent for this resource. | ID for resource of type: databaseAccounts |
| properties | Properties to create and update an Azure Cosmos DB SQL Role Definition. | SqlRoleDefinitionResource |
| type | The resource type | "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2026-04-01-preview" |
Permission
| Name | Description | Value |
|---|---|---|
| dataActions | An array of data actions that are allowed. | string[] |
| id | The id for the permission. | string |
| notDataActions | An array of data actions that are denied. | string[] |
SqlRoleDefinitionResource
| Name | Description | Value |
|---|---|---|
| assignableScopes | A set of fully qualified Scopes at or below which Role Assignments may be created using this Role Definition. This will allow application of this Role Definition on the entire database account or any underlying Database / Collection. Must have at least one element. Scopes higher than Database account are not enforceable as assignable Scopes. Note that resources referenced in assignable Scopes need not exist. | string[] |
| permissions | The set of operations allowed through this Role Definition. | Permission[] |
| roleName | A user-friendly name for the Role Definition. Must be unique for the database account. | string |
| type | Indicates whether the Role Definition was built-in or user created. | 'BuiltInRole' 'CustomRole' |
Usage Examples
Terraform Samples
A basic example of deploying Cosmos DB SQL Role Definition.
terraform {
required_providers {
azapi = {
source = "Azure/azapi"
}
}
}
provider "azapi" {
skip_provider_registration = false
}
variable "resource_name" {
type = string
default = "acctest0001"
}
variable "location" {
type = string
default = "westeurope"
}
resource "azapi_resource" "resourceGroup" {
type = "Microsoft.Resources/resourceGroups@2020-06-01"
name = var.resource_name
location = var.location
}
resource "azapi_resource" "databaseAccount" {
type = "Microsoft.DocumentDB/databaseAccounts@2021-10-15"
parent_id = azapi_resource.resourceGroup.id
name = var.resource_name
location = var.location
body = {
kind = "GlobalDocumentDB"
properties = {
capabilities = [
]
consistencyPolicy = {
defaultConsistencyLevel = "Strong"
maxIntervalInSeconds = 5
maxStalenessPrefix = 100
}
databaseAccountOfferType = "Standard"
defaultIdentity = "FirstPartyIdentity"
disableKeyBasedMetadataWriteAccess = false
disableLocalAuth = false
enableAnalyticalStorage = false
enableAutomaticFailover = false
enableFreeTier = false
enableMultipleWriteLocations = false
ipRules = [
]
isVirtualNetworkFilterEnabled = false
locations = [
{
failoverPriority = 0
isZoneRedundant = false
locationName = "West Europe"
},
]
networkAclBypass = "None"
networkAclBypassResourceIds = [
]
publicNetworkAccess = "Enabled"
virtualNetworkRules = [
]
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}
resource "azapi_resource" "sqlRoleDefinition" {
type = "Microsoft.DocumentDB/databaseAccounts/sqlRoleDefinitions@2021-10-15"
parent_id = azapi_resource.databaseAccount.id
name = "c3ce1661-d0b9-3476-0a7c-2654ce2f3055"
body = {
properties = {
assignableScopes = [
azapi_resource.databaseAccount.id,
]
permissions = [
{
dataActions = [
"Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read",
]
},
]
roleName = var.resource_name
type = "CustomRole"
}
}
schema_validation_enabled = false
response_export_values = ["*"]
}
Feedback
Was this page helpful?