Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.
2.3.2. RBAC and Access Control
RBAC (Role-Based Access Control) controls what authenticated users can do after they've proven who they are. Following the principle of least privilege—assigning only the minimum permissions needed—reduces the blast radius if credentials are compromised.
What breaks without proper RBAC: A compromised credential with Owner permissions can delete resources, exfiltrate data, and rack up charges. With Cognitive Services User, the same compromise only allows API calls—still bad, but contained.
Key roles tested on the exam:
Required RBAC Roles:
Cognitive Services User — Call APIs
Cognitive Services Contributor — Manage resources
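An added example (not part of the original course material): a small Python audit over role assignments exported with `az role assignment list --all -o json`, flagging the over-privileged cases this section describes. The sample data, principal names and subscription ID are constructed, and the scope check goes slightly beyond the text by also flagging Cognitive Services roles granted wider than a single resource.

```python
import json

# Constructed sample shaped like `az role assignment list --all -o json` output;
# principal names and the subscription ID "0000" are placeholders.
SAMPLE = json.loads("""[
 {"principalName": "chatbot-app", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Owner",
  "scope": "/subscriptions/0000/resourceGroups/rg-ai"},
 {"principalName": "ocr-worker", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Cognitive Services User",
  "scope": "/subscriptions/0000/resourceGroups/rg-ai/providers/Microsoft.CognitiveServices/accounts/vision1"},
 {"principalName": "deploy-pipeline", "principalType": "ServicePrincipal",
  "roleDefinitionName": "Cognitive Services Contributor",
  "scope": "/subscriptions/0000"},
 {"principalName": "admin@example.com", "principalType": "User",
  "roleDefinitionName": "Cognitive Services Contributor",
  "scope": "/subscriptions/0000/resourceGroups/rg-ai/providers/Microsoft.CognitiveServices/accounts/vision1"}
]""")

def scope_level(scope):
    """Classify an Azure scope string by how much of the estate it covers."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if parts[0] != "subscriptions":
        return "management-group-or-root"   # "/" or /providers/Microsoft.Management/...
    if len(parts) == 2:
        return "subscription"
    if len(parts) == 4 and parts[2] == "resourcegroups":
        return "resource-group"
    return "resource"

def audit(assignments):
    """Return (principal, severity, reason) for assignments wider than needed."""
    findings = []
    for a in assignments:
        who, role = a["principalName"], a["roleDefinitionName"]
        level = scope_level(a["scope"])
        if role == "Owner":
            findings.append((who, "high",
                f"Owner at {level} scope; use Cognitive Services User if it only calls APIs"))
        elif role.startswith("Cognitive Services") and level != "resource":
            findings.append((who, "medium",
                f"{role} at {level} scope; narrow to the single resource"))
    return findings

if __name__ == "__main__":
    for who, sev, why in audit(SAMPLE):
        print(f"[{sev}] {who}: {why}")
```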
Written by Alvin Varughese
Founder • 15 professional certifications