even as the owner of a digital twin instance, how can I get my root level space admin rights back? in our case, we were lucky and had a second mega boss person at hand to "reinstate" me. will digital twin allow you to delete the "last" root level space admin role assignment? is there a way to push one back in from the azure portal? it's not clear to us what the access control in the azure portal does - it doesn't seem to influence access rights in the space graph. kind regards, Gregor
I locked myselft out of Digital Twins by deleting my '/' space admin RoleAssignment
129 views Asked by Gregor AtThere are 2 answers
Thanks for your inquiry and patience! The Azure Digital Twins service and documentation are undergoing continuous improvement.
Additional resources have been added to the documentation and previous content has been updated. Perhaps you'll find the two articles describing RBAC to be more helpful: https://learn.microsoft.com/azure/digital-twins/security-role-based-access-control and https://learn.microsoft.com/azure/digital-twins/security-create-manage-role-assignments.
In general, there are two ways to have your role reinstated. First, you can recreate your personal Azure Digital Twins instance. That's not ideal since multiple users might be associated with it. If you are required to go down that path, the good news is that you have the entire JSON describing your role permissions available to you through the Management APIs. Thus, restoring the desired degree of access is possible provided someone preserved the role descriptions before you reprovision.
The other alternative is to call upon your Service Principal or equivalent superadmin user to personally reissue the role as (now) described in the documentation above.
Thanks!
Thanks for the question @Gregor Currently the Digital Twins APIs do allow you to lock yourself out--and delete even the "last" "/" role assignment. Re-instating through the portal or otherwise is not an option so it's good that you had another mega boss at hand. If this does happen you'd have to engage the product team by creating a support ticket