Applying this lock is similar to restricting all authorized users to the permissions granted by the Reader role.

Unlike role-based access control, you use management locks to apply a restriction across all users and roles. To learn about setting permissions for users and roles, see Azure role-based access control (Azure RBAC).

When you apply a lock at a parent scope, all resources within that scope inherit the same lock. Even resources you add later inherit the lock from the parent. The most restrictive lock in the inheritance takes precedence.

It's important to understand that locks don't apply to all types of operations. Azure operations can be divided into two categories - control plane and data plane. Locks only apply to control plane operations.

Control plane operations are operations sent to. Data plane operations are operations sent to your instance of a service, such as. For more information, see Azure control plane and data plane. To discover which operations use the control plane URL, see the Azure REST API.

This distinction means locks prevent changes to a resource, but they don't restrict how resources perform their own functions. For example, a ReadOnly lock on a SQL Database logical server prevents you from deleting or modifying the server. It doesn't prevent you from creating, updating, or deleting data in the databases on that server. Data transactions are permitted because those operations aren't sent to.

More examples of the differences between control and data plane operations are described in the next section.

Considerations before applying locks

Applying locks can lead to unexpected results because some operations that don't seem to modify the resource actually require actions that are blocked by the lock. Locks will prevent any operations that require a POST request to the Azure Resource Manager API. Some common examples of the operations that are blocked by locks are:

A read-only lock on a storage account prevents users from listing the account keys. The Azure Storage List Keys operation is handled through a POST request to protect access to the account keys, which provide complete access to data in the storage account. When a read-only lock is configured for a storage account, users who don't have the account keys must use Azure AD credentials to access blob or queue data. A read-only lock also prevents the assignment of Azure RBAC roles that are scoped to the storage account or to a data container (blob container or queue).

A cannot-delete lock on a storage account doesn't prevent data within that account from being deleted or modified. This type of lock only protects the storage account itself from being deleted. If a request uses data plane operations, the lock on the storage account doesn't protect blob, queue, table, or file data within that storage account. However, if the request uses control plane operations, the lock protects those resources.

For example, if a request uses File Shares - Delete, which is a control plane operation, the deletion is denied. If the request uses Delete Share, which is a data plane operation, the deletion succeeds. We recommend that you use the control plane operations.

A read-only lock on a storage account doesn't prevent data within that account from being deleted or modified.
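The rules above (inheritance, control plane versus data plane, and POST requests under a read-only lock) can be checked with a small model. This is an added example, not code from the original page or from Azure. It assumes the public-cloud Resource Manager host management.azure.com as the control plane endpoint, and the subscription ID, resource names and the LOCKS-style dictionaries are constructed sample values.

```python
from urllib.parse import urlsplit

# Assumption: public-cloud Azure Resource Manager host = control plane.
CONTROL_PLANE_HOST = "management.azure.com"
RANK = {"CanNotDelete": 1, "ReadOnly": 2}  # higher value = more restrictive

# Constructed sample scopes (not real resources).
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ACCOUNT = RG + "/providers/Microsoft.Storage/storageAccounts/demoacct"
ARM = "https://" + CONTROL_PLANE_HOST


def effective_lock(resource_id, locks):
    """Return the most restrictive lock on the resource or any parent scope."""
    rid = resource_id.lower().rstrip("/")
    best = None
    for scope, level in locks.items():
        s = scope.lower().rstrip("/")
        inherited = rid == s or rid.startswith(s + "/")
        if inherited and (best is None or RANK[level] > RANK[best]):
            best = level
    return best


def lock_blocks(method, url, locks):
    """True if a management lock would deny this request (simplified model)."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != CONTROL_PLANE_HOST:
        return False  # data plane request: locks never apply
    level = effective_lock(parts.path, locks)
    method = method.upper()
    if level == "ReadOnly":
        # Assumption: GET/HEAD are the read methods; POST (List Keys) is blocked.
        return method not in ("GET", "HEAD")
    if level == "CanNotDelete":
        return method == "DELETE"
    return False


if __name__ == "__main__":
    locks = {ACCOUNT: "CanNotDelete"}
    share_cp = ARM + ACCOUNT + "/fileServices/default/shares/share1"
    share_dp = "https://demoacct.file.core.windows.net/share1?restype=share"
    print("control plane delete blocked:", lock_blocks("DELETE", share_cp, locks))
    print("data plane delete blocked:   ", lock_blocks("DELETE", share_dp, locks))
```

Running the same request list against the locks you plan to apply shows which deletions a lock stops and which still need data plane controls.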