IAM Roles Created for Ansys Access on Microsoft Azure

Once you grant consent for Ansys Access on Microsoft Azure to create a service principal, Ansys Access on Microsoft Azure creates two custom IAM roles in your Azure Active Directory: Ansys Access Reader and Ansys Access Writer.

These custom roles are then assigned to the service principal, enabling Ansys Access on Microsoft Azure to create and manage infrastructure on your behalf within your Azure environment. This setup ensures that the necessary permissions are in place for seamless integration and operation of Ansys Access on Microsoft Azure in Azure Active Directory.

Ansys Access Reader Role

The Ansys Access Reader role includes read-only permissions that must be applied at the subscription scope. The permissions within the reader role are used to retrieve metadata (such as pricing, quotas, and so on) for the cloud resources in Azure.

This role also includes the permissions required to register resource providers in your Azure subscription. The Network, NetApp, Compute, and Storage resource providers must be present in the subscription provided during the setup process. Any missing resource providers will be registered during setup.

Ansys Access Writer Role

The Ansys Access Writer role includes the necessary permissions to manage resources in your Azure Active Directory. These permissions are assigned at the resource group level.

Specifically, this role contains the permissions required to create virtual machines, manage storage, and configure networking essential for creating virtual desktops and autoscaling clusters.

Additionally, this role grants the permissions needed to manage deployments via Azure Resource Manager (ARM) templates.

Scope of Assignment

The Ansys Access Reader role is assigned to the service principal at the subscription scope, in the subscription that you specify during setup. The Ansys Access Writer role is assigned to the service principal at the resource group scope, in the resource group specified during setup.

Limiting the read permissions to the subscription scope and the write permissions to the resource group scope follows the principle of least privilege that Microsoft recommends.
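As an added check (not part of the Ansys documentation), the script below compares a service principal's role assignments, in the shape returned by `az role assignment list --assignee <object-id> --all -o json`, against the layout described above: Reader at the subscription, Writer at the resource group, and nothing else. The subscription ID and resource group name are placeholders, and the sample assignments are constructed.

```python
import json
import sys

# Expected layout from the documentation above: Reader at the subscription,
# Writer at the resource group chosen during setup.
def expected_scopes(subscription_id: str, resource_group: str) -> dict:
    sub = f"/subscriptions/{subscription_id}"
    return {
        "Ansys Access Reader": sub,
        "Ansys Access Writer": f"{sub}/resourceGroups/{resource_group}",
    }

def check_assignments(assignments: list, subscription_id: str, resource_group: str) -> list:
    """Return findings; an empty list means the principal holds exactly the expected roles."""
    expected = expected_scopes(subscription_id, resource_group)
    findings, seen = [], set()
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in expected:
            # Anything beyond the two custom roles widens the principal's reach.
            findings.append(f"unexpected role '{role}' at {scope}")
            continue
        seen.add(role)
        if scope.lower() != expected[role].lower():  # ARM scopes compare case-insensitively
            findings.append(f"'{role}' at {scope}, expected {expected[role]}")
    for role in sorted(expected.keys() - seen):
        findings.append(f"missing assignment for '{role}'")
    return findings

# Constructed samples with placeholder IDs, shaped like the az CLI output.
SUB = "00000000-0000-0000-0000-000000000000"
RG = "rg-ansys-access"
COMPLIANT = [
    {"roleDefinitionName": "Ansys Access Reader", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Ansys Access Writer", "scope": f"/subscriptions/{SUB}/resourceGroups/{RG}"},
]
DRIFTED = [
    {"roleDefinitionName": "Ansys Access Reader", "scope": f"/subscriptions/{SUB}"},
    # Writer widened to the whole subscription, and a built-in role added on top
    {"roleDefinitionName": "Ansys Access Writer", "scope": f"/subscriptions/{SUB}"},
    {"roleDefinitionName": "Contributor", "scope": f"/subscriptions/{SUB}/resourceGroups/{RG}"},
]

def audit(assignments: list) -> list:
    return check_assignments(assignments, SUB, RG)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit a saved `az role assignment list` JSON file instead
        print(audit(json.load(open(sys.argv[1]))) or "OK")
    for name, data in (("compliant", COMPLIANT), ("drifted", DRIFTED)):
        print(name, audit(data) or "OK")
```

Run it periodically against the live assignment list so that a later widening of the Writer scope or an extra built-in role shows up as a finding.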