
    "$schema": "",
    "type": "object",
    "title": "Azure Management RBAC Permissions Schema",
    "description": "Azure Permissions",
    "default": {},
    "examples": [],
    "required": [
    "properties": {
        "permissions": {
            "$id": "#/properties/permissions",
            "type": "array",
            "title": "The permissions schema",
            "description": "Each object defines a permission to be deployed",
            "default": [],
            "examples": [],
            "additionalItems": false,
            "items": {
                "$id": "#/properties/permissions/items",
                "anyOf": [
                        "$id": "#/properties/permissions/items/anyOf/0",
                        "type": "object",
                        "title": "Azure RBAC Permission",
                        "description": "Apply an AAD Role to any scoped object",
                        "default": {},
                        "examples": [
                                "comment": "Security SP Needs to be able to manage lake permissions",
                                "type": "rbac",
                                "scope": "/subscriptions/312312-23123123-23131231/resourceGroups/RGNAME/providers/Microsoft.Storage/storageAccounts/strgAccountName",
                                "principalType": "Application",
                                "principalName": "my-application-name-from-aad",
                                "role": "Storage Blob Data Reader"
                        "required": [
                        "properties": {
                            "comment": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/comment",
                                "type": "string",
                                "title": "Comment",
                                "description": "Description or explanation for the permission",
                                "default": "",
                                "examples": [
                                    "Application SP needs to read data in the lake"
                            "type": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/type",
                                "type": "string",
                                "enum": [
                                "title": "The type of permissions",
                                "description": "An explanation about the purpose of this instance.",
                                "default": "rbac",
                                "examples": [
                            "scope": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/scope",
                                "type": "string",
                                "title": "The scope schema",
                                "description": "Scope to the Azure Resource (See the properties Blade in the portal)",
                                "default": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}",
                                "examples": [
                            "principalType": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/principalType",
                                "type": "string",
                                "title": "AAD Object Type",
                                "description": "Application/Group/User/MSI",
                                "default": "Group",
                                "enum": ["Group", "Application", "User", "MSI"],
                                "examples": [
                            "principalName": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/principalName",
                                "type": "string",
                                "title": "Principal Name",
                                "description": "AAD Display Name of the principal - must be exact match",
                                "default": "",
                                "examples": []
                            "role": {
                                "$id": "#/properties/permissions/items/anyOf/0/properties/role",
                                "type": "string",
                                "title": "Azure Role",
                                "description": "The name of the Azure Role - such as Contributor",
                                "default": "Reader",
                                "examples": [
                                    "Storage Blob Data Contributor",
                        "additionalProperties": false
                        "$id": "#/properties/permissions/items/anyOf/1",
                        "type": "object",
                        "title": "SQL Database Role Permission",
                        "description": "Add an AAD Group, User or Application to a database role",
                        "default": {},
                        "examples": [
                                "comment": "Reader access for the Developers AD Group",
                                "type": "sql",
                                "scope": "Control",
                                "principalType": "AAD",
                                "principalName": "My AAD Group Name",
                                "databaseRole": "db_datareader"
                        "required": [
                        "properties": {
                            "comment": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/comment",
                                "type": "string",
                                "title": "Comment",
                                "description": "Description or explanation for the permission",
                                "default": "",
                                "examples": [
                                    "Application SP needs to read data in the database"
                            "type": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/type",
                                "type": "string",
                                "title": "Type",
                                "description": "Type of permission",
                                "enum": ["sql"],
                                "default": "sql",
                                "examples": [
                            "scope": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/scope",
                                "type": "string",
                                "title": "Database Name",
                                "description": "Database name",
                                "default": "",
                                "examples": [
                            "principalType": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/principalType",
                                "type": "string",
                                "title": "Pprincipal Type",
                                "description": "Type of SQL Prinicpal (AAD Account/SQL Login)",
                                "default": "AAD",
                                "enum": ["AAD","SQL"],
                                "examples": [
                                    "AAD", "SQL"
                            "principalName": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/principalName",
                                "type": "string",
                                "title": "Principal Name",
                                "description": "Name of the database principal to be created/added to role",
                                "default": "MyUserName",
                                "examples": []
                            "databaseRole": {
                                "$id": "#/properties/permissions/items/anyOf/1/properties/databaseRole",
                                "type": "string",
                                "title": "Ddatabase Role",
                                "description": "Role to add the user to - will be created if it does not exist",
                                "default": "",
                                "examples": [
                        "additionalProperties": false
                        "$id": "#/properties/permissions/items/anyOf/datalake",
                        "type": "object",
                        "title": "Data Lake ACL Permission",
                        "description": "Apply data lake ACL - all are recursive",
                        "default": {},
                        "examples": [
                                "comment": "Example Lake permission for subfolder/AAD Group",
                                "type": "datalake",
                                "path": "LANDED/TEST1/",
                                "principalType": "group",
                                "principalName": "GDAI_Imperial_GDP",
                                "permission": "xrw",
                                "ignoreUpperFolders": true
                        "required": [
                        "properties": {
                            "comment": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/comment",
                                "type": "string",
                                "title": "Comment",
                                "description": "Description or explanation for the permission",
                                "default": "",
                                "examples": [ ]
                            "type": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/type",
                                "type": "string",
                                "title": "Type",
                                "description": "Type of permission",
                                "enum": ["datalake"],
                                "default": "datalake",
                                "examples": [
                            "path": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/path",
                                "type": "string",
                                "title": "Path",
                                "description": "Folder path from root (preceeding and trailing / is ignored) Slashes must be forward. Single / for root.",
                                "default": "",
                                "examples": [
                            "principalType": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/principalType",
                                "type": "string",
                                "title": "Principal Type",
                                "description": "Type of AAD Prinicpal",
                                "default": "AAD",
                                "enum": ["Group","User","MSI", "Application"],
                                "examples": [
                                    "AAD", "SQL"
                            "principalName": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/principalName",
                                "type": "string",
                                "title": "Principal Name",
                                "description": "Name of the principal to be added",
                                "default": "My AAD Group Name",
                                "examples": []
                            "permission": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/databaseRole",
                                "type": "string",
                                "title": "Ddatabase Role",
                                "description": "X = Execute (always required), R = Read, W = Write. Order required. Blank removes permissions.",
                                "default": "xrw",
                                "enum": ["xrw",
                                "examples": [
                            "ignoreUpperFolder": {
                                "$id": "#/properties/permissions/items/anyOf/datalake/properties/databaseRole",
                                "type": "bool",
                                "title": "Ignore Upper Folder",
                                "description": "Boolean value indicating whether or not ACL permissions should be propagated to parent folders.",
                                "default": false,
                                "examples": [true, false]
                        "additionalProperties": false
    "additionalProperties": true