Use Azure role-based access control with the de-identification service

Microsoft Entra ID authorizes access rights to secured resources through Azure role-based access control (RBAC). The de-identification service defines a set of built-in roles that encompass common sets of permissions used to access de-identification functionality.

Microsoft Entra ID uses the concept of a security principal, which can be a user, a group, an application service principal, or a managed identity for Azure resources.

When an Azure role is assigned to a Microsoft Entra ID security principal over a specific scope, Azure grants access to that scope for that security principal. For more information about scopes, see Understand scope for Azure RBAC.

Prerequisites

Available built-in roles

The de-identification service has the following built-in roles available:

Role                      Description
DeID Data Owner           Full access to de-identification functionality.
DeID Real-time Data User  Execute requests against de-identification API endpoints.
DeID Batch Owner          Create and manage de-identification batch jobs.
DeID Batch Reader         Read-only access to de-identification batch jobs.

Assign a built-in role

Keep in mind the following points about Azure role assignments with the de-identification service:

  • When you create a de-identification service, you aren't automatically assigned permissions to access data via Microsoft Entra ID. You need to explicitly assign yourself an applicable Azure role. You can assign it at the level of your subscription, resource group, or de-identification service.
  • When roles are assigned, it can take up to 10 minutes for changes to take effect.
  • When the de-identification service is locked with an Azure Resource Manager read-only lock, the lock prevents the assignment of Azure roles that are scoped to the de-identification service.
  • When Azure deny assignments have been applied, your access might be blocked even if you have a role assignment. For more information, see Understand Azure deny assignments.

You can use different tools to assign built-in roles.

To use the de-identification service with Microsoft Entra ID credentials, a security principal must be assigned one of the built-in roles. To learn how to assign these roles to a security principal, follow the steps in Assign Azure roles using the Azure portal.
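The following script is an added example and is not part of the Microsoft documentation. It shows how the scope levels described above (subscription, resource group, or the de-identification service itself) are expressed as Azure RBAC scope strings, checks that a requested role is one of the four built-in roles listed on this page, and then assigns it with the Azure CLI. The resource type `Microsoft.HealthDataAIServices/deidServices`, the function names, and every ID or name used are assumptions or placeholders, not values from the page.

```shell
#!/bin/sh
# Added example (not Microsoft's code): build an Azure RBAC scope for a
# de-identification service and assign one of its built-in roles.
# Assumption: the ARM resource type is Microsoft.HealthDataAIServices/deidServices.

# deid_scope LEVEL SUBSCRIPTION_ID [RESOURCE_GROUP] [SERVICE_NAME]
# Prints the scope string for the requested level; fails if a required part is missing.
deid_scope() {
  level="$1"; sub="$2"; rg="$3"; svc="$4"
  case "$level" in
    subscription)
      printf '/subscriptions/%s\n' "$sub" ;;
    resourcegroup)
      [ -n "$rg" ] || return 1
      printf '/subscriptions/%s/resourceGroups/%s\n' "$sub" "$rg" ;;
    service)
      [ -n "$rg" ] && [ -n "$svc" ] || return 1
      printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.HealthDataAIServices/deidServices/%s\n' \
        "$sub" "$rg" "$svc" ;;
    *)
      return 1 ;;
  esac
}

# deid_role_valid ROLE -> exit 0 only for the four built-in roles on this page
deid_role_valid() {
  case "$1" in
    "DeID Data Owner"|"DeID Real-time Data User"|"DeID Batch Owner"|"DeID Batch Reader") return 0 ;;
    *) return 1 ;;
  esac
}

# deid_assign ROLE PRINCIPAL_OBJECT_ID PRINCIPAL_TYPE SCOPE
# PRINCIPAL_TYPE is User, Group, or ServicePrincipal (managed identities are ServicePrincipal).
# Least privilege: pick the narrowest scope (the service) and the narrowest role that
# fits the job, e.g. DeID Batch Reader for a consumer that only inspects batch jobs.
deid_assign() {
  role="$1"; principal="$2"; ptype="$3"; scope="$4"
  deid_role_valid "$role" || { echo "unknown built-in role: $role" >&2; return 1; }
  az role assignment create \
    --assignee-object-id "$principal" \
    --assignee-principal-type "$ptype" \
    --role "$role" \
    --scope "$scope"
}

# deid_list SCOPE -> show assignments at that scope; allow up to 10 minutes
# after deid_assign before expecting the new row to appear.
deid_list() {
  az role assignment list --scope "$1" --output table
}

# Example usage with placeholder IDs (uncomment to run against a real tenant):
# SCOPE=$(deid_scope service 00000000-0000-0000-0000-000000000000 my-rg my-deid)
# deid_assign "DeID Batch Reader" 11111111-1111-1111-1111-111111111111 ServicePrincipal "$SCOPE"
# deid_list "$SCOPE"
```

Granting the role at the service scope rather than the subscription keeps the assignment from spilling over to other resources, and checking the role name against the page's list catches typos before the CLI call. Remember that a read-only Resource Manager lock on the service blocks service-scoped assignments, and an Azure deny assignment can override a role assignment that otherwise looks correct in `deid_list` output.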