az dt role-assignment

Note

This reference is part of the azure-iot extension for the Azure CLI (version 2.46.0 or higher). The extension will automatically install the first time you run an az dt role-assignment command. Learn more about extensions.

Manage RBAC role assignments for a Digital Twins instance.

Note that in order to perform role assignments, the logged in principal needs permissions such as Owner or User Access Administrator at the assigned scope.

This command group is provided for convenience. For more complex role assignment scenarios use the 'az role assignment' command group.

Commands

| Name | Description | Type | Status |
|---|---|---|---|
| az dt role-assignment create | Assign a user, group or service principal to a role against a Digital Twins instance. | Extension | GA |
| az dt role-assignment delete | Remove a user, group or service principal role assignment from a Digital Twins instance. | Extension | GA |
| az dt role-assignment list | List the existing role assignments of a Digital Twins instance. | Extension | GA |

az dt role-assignment create

Assign a user, group or service principal to a role against a Digital Twins instance.

Note that in order to perform role assignments, the logged in principal needs permissions such as Owner or User Access Administrator at the assigned scope.

az dt role-assignment create --assignee
                             --dt-name
                             --role
                             [--resource-group]

Examples

Assign a user (by email) the built-in Digital Twins Owner role against a target instance.

az dt role-assignment create -n {instance_name} --assignee "owneruser@microsoft.com" --role "Azure Digital Twins Data Owner"

Assign a user (by object Id) the built-in Digital Twins Reader role against a target instance.

az dt role-assignment create -n {instance_name} --assignee "97a89267-0966-4054-a156-b7d86ef8e216" --role "Azure Digital Twins Data Reader"

Assign a service principal a custom role against a target instance.

az dt role-assignment create -n {instance_name} --assignee {service_principal_name_or_id} --role {role_name_or_id}

Required Parameters

--assignee

Represents a user, group, or service principal. Supported format: object ID, user sign-in name, or service principal name.

--dt-name --dtn -n

Digital Twins instance name.

--role

Role name or Id.

Optional Parameters

--resource-group -g

Digital Twins instance resource group. You can configure the default group using az configure --defaults group={name}.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az dt role-assignment delete

Remove a user, group or service principal role assignment from a Digital Twins instance.

Note that in order to perform role assignments, the logged in principal needs permissions such as Owner or User Access Administrator at the assigned scope.

az dt role-assignment delete --dt-name
                             [--assignee]
                             [--resource-group]
                             [--role]

Examples

Remove a user from a specific role assignment of a Digital Twins instance.

az dt role-assignment delete -n {instance_name} --assignee "removeuser@microsoft.com" --role "Azure Digital Twins Data Reader"

Remove a user from all assigned roles of a Digital Twins instance.

az dt role-assignment delete -n {instance_name} --assignee "removeuser@microsoft.com"

Required Parameters

--dt-name --dtn -n

Digital Twins instance name.

Optional Parameters

--assignee

Represents a user, group, or service principal. Supported format: object ID, user sign-in name, or service principal name.

--resource-group -g

Digital Twins instance resource group. You can configure the default group using az configure --defaults group={name}.

--role

Role name or Id.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.

az dt role-assignment list

List the existing role assignments of a Digital Twins instance.

az dt role-assignment list --dt-name
                           [--include-inherited {false, true}]
                           [--resource-group]
                           [--role]

Examples

List the role assignments on a target instance.

az dt role-assignment list -n {instance_name}

List the role assignments on a target instance and filter by role.

az dt role-assignment list -n {instance_name} --role {role_name_or_id}
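An access review over the JSON printed by `az dt role-assignment list -n {instance_name} --include-inherited true -o json`, separating assignments made directly on the instance from those inherited from parent scopes and flagging the roles this page names. This is an added example, not part of the original reference or the azure-iot extension; it assumes the output carries the `principalName`, `principalId`, `roleDefinitionName` and `scope` fields that `az role assignment list` returns, and the instance ID, principals and sample data are constructed.

```python
import json

# Roles named on this page: the data-plane owner role, and the roles that let
# a principal create or delete role assignments at a scope.
DATA_OWNER_ROLES = {"Azure Digital Twins Data Owner"}
RBAC_ADMIN_ROLES = {"Owner", "User Access Administrator"}

# Constructed sample data (not real identifiers).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
INSTANCE_ID = (SUB + "/resourceGroups/example-rg/providers"
               "/Microsoft.DigitalTwins/digitalTwinsInstances/example-dt")
SAMPLE = json.dumps([
    {"principalName": "reader@example.com", "principalType": "User",
     "roleDefinitionName": "Azure Digital Twins Data Reader", "scope": INSTANCE_ID},
    {"principalName": "ingest-sp", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Azure Digital Twins Data Owner", "scope": INSTANCE_ID},
    {"principalName": "admin@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": SUB},
])


def review_assignments(list_output, instance_id):
    """Return (principal, role, origin, finding) for each listed assignment.

    origin is "direct" when the assignment is scoped to the instance itself and
    "inherited" when it comes from a parent scope; finding is None if unflagged.
    """
    rows = []
    for item in json.loads(list_output):
        role = item.get("roleDefinitionName", "")
        principal = item.get("principalName") or item.get("principalId", "")
        # Azure resource IDs are case-insensitive, so compare lowercased.
        same_scope = item.get("scope", "").lower() == instance_id.lower()
        origin = "direct" if same_scope else "inherited"
        if role in RBAC_ADMIN_ROLES:
            finding = "can manage role assignments"
        elif role in DATA_OWNER_ROLES:
            finding = "data-plane owner"
        else:
            finding = None
        rows.append((principal, role, origin, finding))
    return rows


if __name__ == "__main__":
    for row in review_assignments(SAMPLE, INSTANCE_ID):
        print(row)
```

Inherited rows cannot be removed at the instance scope; they have to be reviewed at the parent scope where they were assigned.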

Required Parameters

--dt-name --dtn -n

Digital Twins instance name.

Optional Parameters

--include-inherited

Include assignments applied on parent scopes.

Accepted values: false, true
Default value: False

--resource-group -g

Digital Twins instance resource group. You can configure the default group using az configure --defaults group={name}.

--role

Role name or Id.

Global Parameters

--debug

Increase logging verbosity to show all debug logs.

--help -h

Show this help message and exit.

--only-show-errors

Only show errors, suppressing warnings.

--output -o

Output format.

Accepted values: json, jsonc, none, table, tsv, yaml, yamlc
Default value: json

--query

JMESPath query string. See http://jmespath.org/ for more information and examples.

--subscription

Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.

--verbose

Increase logging verbosity. Use --debug for full debug logs.