Azure Container Registry roles directory reference

Container Registry Contributor and Data Access Configuration Administrator

• Use case: Ideal for registry administrators, CI/CD pipelines, or automated processes that need to create and configure registries, set up registry authentication mechanisms, manage registry network access, and manage registry policies—without needing permissions to push/pull images or assign roles.
• Permissions: Grants control plane access to create, configure, and manage registries and registry configurations, including authentication settings, tokens, private endpoints, network access, and registry policies. Doesn't include data plane operations (for example, image push/pull) or role assignment capabilities.
  • Control plane permissions:
    • Create, update, view, list, and delete registries (including registry SKUs and availability zones and zone redundancy)
    • View and list (but not manage) role assignments for registries
    • Manage geo-replications
    • Manage connected registries
    • Update registry configuration
      • Configure the registry's system-assigned managed identity. Note: to manage a registry's user-assigned managed identity, the separate Managed Identity Operator role is required.
      • Configure network access settings (public network access, trusted services bypass, network firewall rules, dedicated data endpoints, and Virtual Network (VNET) service endpoints)
      • Configure private endpoint settings (set up, approve, reject, and list private endpoint connections and private link resources)
      • Configure authentication access settings (admin user login credentials, anonymous pull, non-Microsoft Entra token-based repository permissions, and Microsoft Entra authentication-as-arm token audience)
      • Configure registry policies (configure retention policy, registry-wide quarantine enablement, soft-delete enablement, and data exfiltration export policy)
    • Configure registry diagnostics and monitoring settings (diagnostic settings, logs, metrics, webhooks for registries and geo-replications, and Event Grid)
  • Data plane permissions:
    • None

Container Registry Configuration Reader and Data Access Configuration Reader

• Use case: Ideal for auditors, monitoring systems, and vulnerability scanners that only need to view registries, audit registry authentication mechanisms, audit registry network access configurations, and view registry policies—without needing permissions to push/pull images or assign roles.
• Permissions: Grants control plane access to view and list registries and registry configurations, including authentication settings, tokens, private endpoints, network access, and registry policies. Doesn't include data plane operations (for example, image push/pull) or role assignment capabilities.
  • Control plane permissions:
    • View and list registries (including registry SKUs and availability zones and zone redundancy)
    • View and list (but not manage) role assignments for registries
    • View and list geo-replications
    • View and list connected registries
    • View registry configuration
      • View and list both the registry's system-assigned managed identity and user-assigned managed identity
      • View and list network access settings (public network access, trusted services bypass, network firewall rules, dedicated data endpoints, and Virtual Network (VNET) service endpoints)
      • View and list private endpoint settings (set up, approve, reject, and list private endpoint connections and private link resources)
      • View and list authentication access settings (admin user login credentials, anonymous pull, non-Microsoft Entra token-based repository permissions, and Microsoft Entra authentication-as-arm token audience)
      • View and list registry policies (configure retention policy, registry-wide quarantine enablement status, soft-delete enablement, and data exfiltration export policy)
    • Configure registry diagnostics and monitoring settings (diagnostic settings, logs, metrics, webhooks for registries and geo-replications, and Event Grid)
  • Data plane permissions:
    • None

Container Registry Tasks Contributor

• Use case: Assign to identities—such as CI/CD pipelines or automation tools—that need to manage ACR tasks and task-related resources without access to other registry operations or image data.
• Permissions: Grants control plane access to manage ACR tasks, including task definitions, runs, task agent pools, quick tasks (quick builds with az acr build and quick runs with az acr run), task logs, and task identities. Doesn't include data plane permissions or access to registry configuration outside of tasks.
  • Control plane permissions:
    • Manage ACR tasks, task runs, task agent pools, quick tasks (quick builds with az acr build and quick runs with az acr run), task logs, and task identities
      • Grants permissions to configure an ACR task's system-assigned managed identity. Note: to manage an ACR task's user-assigned managed identity, the separate Managed Identity Operator role is required.
      • Grants permissions to manage auto-purge on ACR tasks
      • For ABAC-enabled registries, ACR tasks, quick builds, and quick runs don't have default data plane permissions to push, pull, or delete images and tags within repositories.
        • ACR tasks belonging to ABAC-enabled registries must have the Container Registry Repository Reader/Writer/Contributor and Container Registry Repository Catalog Lister roles assigned to the task identity in order to perform data plane operations.
        • For quick builds and quick runs, the identity (caller) invoking the quick task must have the Container Registry Repository Reader/Writer/Contributor and Container Registry Repository Catalog Lister roles assigned to it in order to perform data plane operations.
  • Data plane permissions:
    • None

Container Registry Transfer Pipeline Contributor

• Use case: Assign to CI/CD pipelines or automation processes that need to manage ACR transfer pipelines for moving artifacts across network, tenant, or air gap boundaries. This role is ideal when transfers must flow through an intermediary Azure Storage account to bridge isolated environments.
• Permissions: Grants control plane access to configure and operate ACR import/export transfer pipelines using intermediary storage accounts, enabling secure artifact transfer between disconnected or segmented environments. Doesn't include data plane permissions, broader registry access, or permissions to manage other Azure resource types such as storage accounts or key vaults.
  • Control plane permissions:
    • Manage ACR transfer pipelines for transferring artifacts between registries using intermediary storage accounts across network, tenant, or air gap boundaries (import pipelines, export pipelines, and import/export pipeline runs)
  • Data plane permissions:
    • None

Container Registry Data Importer and Data Reader

• Use case: Assign to identities—such as CI/CD pipelines—that need to import images from other registries with az acr import. The role also enables reading images and artifacts in a registry to validate the success of the import operation.
• Permissions: Grants control plane access to trigger image imports using az acr import, and data plane access to pull images and artifacts, view repository contents, Open Container Initiative (OCI) referrers, tags, and artifact streaming configurations. Doesn't allow pushing or modifying any content in the registry.
  • Control plane permissions:
    • Trigger ACR image imports with az acr import
  • Data plane permissions:
    • Pull images and artifacts within repositories in the registry
    • View and list OCI referrer artifacts
    • View and list image and artifact metadata such as tags
    • View and list repositories (image names) in the registry
    • View artifact streaming configuration for repositories and images (such as viewing repository policies for automatic artifact streaming conversion, and viewing artifact streaming configuration for an image)

Container Registry Contributor and Data Access Configuration Administrator

• Use case: Ideal for registry administrators, CI/CD pipelines, or automated processes that need to create and configure registries, set up registry authentication mechanisms, manage registry network access, and manage registry policies—without needing permissions to push/pull images or assign roles.
• Permissions: Grants control plane access to create, configure, and manage registries and registry configurations, including authentication settings, tokens, private endpoints, network access, and registry policies. Doesn't include data plane operations (for example, image push/pull) or role assignment capabilities.
  • Control plane permissions:
    • Create, update, view, list, and delete registries (including registry SKUs and availability zones and zone redundancy)
    • View and list (but not manage) role assignments for registries
    • Manage geo-replications
    • Manage connected registries
    • Update registry configuration
      • Configure the registry's system-assigned managed identity. Note: to manage a registry's user-assigned managed identity, the separate Managed Identity Operator role is required.
      • Configure network access settings (public network access, trusted services bypass, network firewall rules, dedicated data endpoints, and Virtual Network (VNET) service endpoints)
      • Configure private endpoint settings (set up, approve, reject, and list private endpoint connections and private link resources)
      • Configure authentication access settings (admin user login credentials, anonymous pull, non-Entra token-based repository permissions, and Entra authentication-as-arm token audience)
      • Configure registry policies (configure retention policy, registry-wide quarantine enablement, soft-delete enablement, and data exfiltration export policy)
    • Configure registry diagnostics and monitoring settings (diagnostic settings, logs, metrics, webhooks for registries and geo-replications, and Event Grid)
  • Data plane permissions:
    • None

Container Registry Configuration Reader and Data Access Configuration Reader

• Use case: Ideal for auditors, monitoring systems, and vulnerability scanners that only need to view registries, audit registry authentication mechanisms, audit registry network access configurations, and view registry policies—without needing permissions to push/pull images or assign roles.
• Permissions: Grants control plane access to view and list registries and registry configurations, including authentication settings, tokens, private endpoints, network access, and registry policies. Doesn't include data plane operations (for example, image push/pull) or role assignment capabilities.
  • Control plane permissions:
    • View and list registries (including registry SKUs and availability zones and zone redundancy)
    • View and list (but not manage) role assignments for registries
    • View and list geo-replications
    • View and list connected registries
    • View registry configuration
      • View and list both the registry's system-assigned managed identity and user-assigned managed identity
      • View and list network access settings (public network access, trusted services bypass, network firewall rules, dedicated data endpoints, and Virtual Network (VNET) service endpoints)
      • View and list private endpoint settings (set up, approve, reject, and list private endpoint connections and private link resources)
      • View and list authentication access settings (admin user login credentials, anonymous pull, non-Entra token-based repository permissions, and Entra authentication-as-arm token audience)
      • View and list registry policies (configure retention policy, registry-wide quarantine enablement status, soft-delete enablement, and data exfiltration export policy)
    • Configure registry diagnostics and monitoring settings (diagnostic settings, logs, metrics, webhooks for registries and geo-replications, and Event Grid)
  • Data plane permissions:
    • None

Container Registry Tasks Contributor

• Use case: Assign to identities—such as CI/CD pipelines or automation tools—that need to manage ACR tasks and task-related resources without access to other registry operations or image data.
• Permissions: Grants control plane access to manage ACR tasks, including task definitions, runs, task agent pools, quick tasks (quick builds with az acr build and quick runs with az acr run), task logs, and task identities. Doesn't include data plane permissions or access to registry configuration outside of tasks.
  • Control plane permissions:
    • Manage ACR tasks, task runs, task agent pools, quick tasks (quick builds with az acr build and quick runs with az acr run), task logs, and task identities
      • Configure an ACR task's system-assigned managed identity. Note: to manage an ACR task's user-assigned managed identity, the separate Managed Identity Operator role is required.
      • Manage auto-purge on ACR Tasks
  • Data plane permissions:
    • None

Container Registry Transfer Pipeline Contributor

• Use case: Assign to CI/CD pipelines or automation processes that need to manage ACR transfer pipelines for moving artifacts across network, tenant, or air gap boundaries. This role is ideal when transfers must flow through an intermediary Azure Storage account to bridge isolated environments.
• Permissions: Grants control plane access to configure and operate ACR import/export transfer pipelines using intermediary storage accounts, enabling secure artifact transfer between disconnected or segmented environments. Doesn't include data plane permissions, broader registry access, or permissions to manage other Azure resource types such as storage accounts or key vaults.
  • Control plane permissions:
    • Manage ACR transfer pipelines for transferring artifacts between registries using intermediary storage accounts across network, tenant, or air gap boundaries (import pipelines, export pipelines, and import/export pipeline runs)
  • Data plane permissions:
    • None

Container Registry Data Importer and Data Reader

• Use case: Assign to identities—such as CI/CD pipelines—that need to import images from other registries with az acr import. The role also enables reading images and artifacts in a registry to validate the success of the import operation.
• Permissions: Grants control plane access to trigger image imports using az acr import, and data plane access to pull images and artifacts, view repository contents, Open Container Initiative (OCI) referrers, tags, and artifact streaming configurations. Doesn't allow pushing or modifying any content in the registry.
  • Control plane permissions:
    • Trigger ACR image imports with az acr import
  • Data plane permissions:
    • Pull images and artifacts within repositories in the registry
    • View and list OCI referrer artifacts
    • View and list image and artifact metadata such as tags
    • View and list repositories (image names) in the registry
    • View artifact streaming configuration for repositories and images (such as viewing repository policies for automatic artifact streaming conversion, and viewing artifact streaming configuration for an image)

Container Registry Repository Reader

• Use case: Assign to container host nodes, orchestrators, vulnerability scanners, or developers that only need to pull images and read repository metadata—without permissions to push or modify content.
• Permissions: Grants data plane read-only access to pull images and artifacts, view tags, repositories, Open Container Initiative (OCI) referrers, and artifact streaming configurations. Doesn't include any control plane or write permissions.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • Pull images and artifacts within repositories in the registry
    • View and list OCI referrer artifacts
    • View and list image and artifact metadata such as tags
    • View and list repositories (image names) in the registry
    • View artifact streaming configuration for repositories and images (such as viewing repository policies for automatic artifact streaming conversion, and viewing artifact streaming configuration for an image)
    • Doesn't grant repository catalog list permissions.
  • ABAC support: Supports optional Microsoft Entra ABAC conditions to scope role assignments to specific repositories.

Container Registry Repository Writer

• Use case: Assign to CI/CD pipelines, automation tools, or developers that need to push and pull container images, manage tags, and work with artifacts—without needing control over registry configuration or settings. Also assign to automated processes or services that sign images as part of a trusted supply chain.
• Permissions: Grants data plane access to push and pull images and artifacts, read/manage tags, read/manage OCI referrers, and enable (but not disable) artifact streaming for repositories and images. Doesn't include any control plane permissions.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • Push and pull images and artifacts within repositories in the registry
    • Create, view, and list OCI referrer artifacts
    • Manage image and artifact metadata such as tags (creating, reading, listing, retagging, and untagging tags)
    • View and list repositories (image names) in the registry
    • Configure artifact streaming for repositories and images (such as setting repository policies for automatic artifact streaming conversion, and enabling (but not disabling) artifact streaming conversion for specific images)
    • Doesn't grant repository catalog list permissions.
  • ABAC support: Supports optional Microsoft Entra ABAC conditions to scope role assignments to specific repositories.

Container Registry Repository Contributor

• Use case: Assign to identities or services responsible for managing image lifecycle and cleanup.
• Permissions: Grants permissions to read, write, update, and delete images and artifacts, read/manage/delete tags, read/manage/delete OCI referrers, and enable/disable artifact streaming for repositories and images. Doesn't include any control plane permissions.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • Push, pull, and delete images and artifacts within repositories in the registry
    • Create, view, list, and delete OCI referrer artifacts
    • Manage and delete image and artifact metadata such as tags (creating, reading, listing, retagging, untagging, and deleting tags)
    • View and list repositories (image names) in the registry
    • Configure artifact streaming for repositories and images (such as setting repository policies for automatic artifact streaming conversion, and enabling/disabling artifact streaming conversion for specific images)
    • Doesn't grant repository catalog list permissions.
  • ABAC support: Supports optional Microsoft Entra ABAC conditions to scope role assignments to specific repositories.

Container Registry Repository Catalog Lister

• Use case: Assign to identities or services that need to list all repositories in a registry, such as CI/CD pipelines, developers, vulnerability scanners, or registry monitoring and auditing tools.
• Permissions: Grants data plane access to list all repositories in the registry. Doesn't include any control plane permissions or permissions to push/pull images.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • List all repositories (image names) in the registry
    • Grants permissions to invoke the {loginServerURL}/acr/v1/_catalog or {loginServerURL}/v2/_catalog registry API endpoints to list all repositories in the registry.
    • Doesn't grant permissions to view or list images, artifacts, tags, or OCI referrers within repositories.
  • ABAC support: This role doesn't support Entra ABAC conditions. As such, this role assignment will grant permissions to list all repositories in the registry.

AcrQuarantineWriter

• Use case: Assign to automated processes or services that manage quarantined images, such as CI/CD pipelines and vulnerability scanners.
• Permissions: Manage quarantined images in a registry.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • Manage quarantined artifacts (list and read quarantined artifacts, modify artifact quarantine status)
  • ABAC support: Doesn't support Microsoft Entra ABAC conditions.

AcrQuarantineReader

• Use case: Assign to automated processes or services that list, read, and pull quarantined images, such as CI/CD pipelines and vulnerability scanners.
• Permissions: List, read, and pull quarantined images in a registry.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • View and list (but not manage) quarantined artifacts
  • ABAC support: Doesn't support Microsoft Entra ABAC conditions.

AcrPush

• Use case: Assign to CI/CD pipelines, automation tools, or developers that need to push and pull container images, manage tags, and work with artifacts—without needing control over registry configuration or settings.
• Permissions: Grants data plane access to push and pull images and artifacts, manage tags, work with OCI referrers, and configure artifact streaming for repositories and images. Doesn't include any control plane permissions.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • Push and pull images and artifacts within repositories in the registry
    • Create, view, list, and delete OCI referrer artifacts
    • Manage image and artifact metadata such as tags (creating, reading, listing, retagging, and untagging tags)
    • View and list repositories (image names) in the registry
    • Configure artifact streaming for repositories and images (such as setting repository policies for automatic artifact streaming conversion, and enabling (but not disabling) artifact streaming conversion for specific images)

AcrPull

• Use case: Assign to container host nodes, orchestrators, vulnerability scanners, or developers that only need to pull images and read repository metadata—without permissions to push or modify content.
• Permissions: Grants data plane read-only access to pull images and artifacts, view tags, repositories, OCI referrers, and artifact streaming configurations. Doesn't include any control plane or write permissions.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • Pull images and artifacts within repositories in the registry
    • View and list OCI referrer artifacts
    • View and list image and artifact metadata such as tags
    • View and list repositories (image names) in the registry
    • View artifact streaming configuration for repositories and images (such as viewing repository policies for automatic artifact streaming conversion, and viewing artifact streaming configuration for an image)

AcrDelete

• Use case: Assign to identities or services responsible for managing image lifecycle and cleanup.
• Permissions: Delete artifacts and tags in the registry.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • Delete images, artifacts, digests, and tags
    • Disable artifact streaming support for a specific image by deleting an image's streaming OCI referrer artifact

AcrImageSigner

• Use case: Assign to automated processes or services that sign images as part of a trusted supply chain, such as CI/CD pipelines.
• Permissions: Sign images in the registry with Docker Content Trust (DCT). Take note that Docker Content Trust is being deprecated.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • Sign container images with Docker Content Trust (DCT)

AcrQuarantineWriter

• Use case: Assign to automated processes or services that manage quarantined images, such as CI/CD pipelines and vulnerability scanners.
• Permissions: Manage quarantined images in a registry.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • Manage quarantined artifacts (list and read quarantined artifacts, modify artifact quarantine status)

AcrQuarantineReader

• Use case: Assign to automated processes or services that list, read, and pull quarantined images, such as CI/CD pipelines and vulnerability scanners.
• Permissions: List, read, and pull quarantined images in a registry.
  • Control plane permissions:
    • None
  • Data plane permissions:
    • View and list (but not manage) quarantined artifacts

Owner

• Use case: Assign to administrators who need complete control over the registry, including the ability to assign roles to other identities and perform role assignments for the registry.
• Permissions: Full access to all registry control plane operations, including role assignment permissions and managing Microsoft Entra-based repository permissions.
  • Control plane permissions:
    • Create, update, view, list, and delete registries (including registry SKUs and availability zones and zone redundancy)
    • Manage role assignments for registries
    • Manage geo-replications
    • Manage connected registries
    • Manage ACR tasks, task runs, task agent pools, quick tasks (quick builds with az acr build and quick runs with az acr run), task logs, and task identities
      • Grants permissions to configure an ACR task's system-assigned managed identity. Note: to manage an ACR task's user-assigned managed identity, the separate Managed Identity Operator role is required.
      • Grants permissions to manage auto-purge on ACR tasks
      • For ABAC-enabled registries, ACR tasks, quick builds, and quick runs don't have default data plane permissions to push, pull, or delete images and tags within repositories.
        • ACR tasks belonging to ABAC-enabled registries must have the Container Registry Repository Reader/Writer/Contributor and Container Registry Repository Catalog Lister roles assigned to the task identity in order to perform data plane operations.
        • For quick builds and quick runs, the identity (caller) invoking the quick task must have the Container Registry Repository Reader/Writer/Contributor and Container Registry Repository Catalog Lister roles assigned to it in order to perform data plane operations.
    • Configure artifact cache rules and credential sets
    • Trigger ACR image imports with az acr import
    • Manage ACR transfer pipelines for transferring artifacts between registries using intermediary storage accounts across network, tenant, or air gap boundaries (import pipelines, export pipelines, and import/export pipeline runs)
    • Update registry configuration
      • Configure the registry's system-assigned managed identity. Note: to manage a registry's user-assigned managed identity, the separate Managed Identity Operator role is required.
      • Configure network access settings (public network access, trusted services bypass, network firewall rules, dedicated data endpoints, and Virtual Network (VNET) service endpoints)
      • Configure private endpoint settings (set up, approve, reject, and list private endpoint connections and private link resources)
      • Configure authentication access settings (admin user login credentials, anonymous pull, non-Microsoft Entra token-based repository permissions, and Microsoft Entra authentication-as-arm token audience)
      • Configure registry policies (configure retention policy, quarantine enablement, soft-delete enablement, and data exfiltration export policy)
    • Configure registry diagnostics and monitoring settings (diagnostic settings, logs, metrics, webhooks for registries and geo-replications, and Event Grid)
    • View registry usage (storage usage)
  • Data plane permissions:
    • None - ABAC-enabled registries don't have data plane permissions for the built-in Owner role.

Contributor

• Use case: Assign to identities that need to manage registries, but don't require role assignment permissions.
• Permissions: Full access to all registry control plane operations, except role assignment permissions.
  • Control plane permissions:
    • Same as Owner, except for managing or performing role assignments for registries. Only permissions for viewing and listing role assignments for a registry are granted.
    • Note: to manage or perform role assignments for registries, the Role Based Access Control Administrator role is required. This less privileged role is recommended in lieu of the Owner role for managing role assignments.
  • Data plane permissions:
    • None - ABAC-enabled registries don't have data plane permissions for the built-in Contributor role.

Reader

• Use case: Assign to identities who only need to view and list registries and registry configuration.
• Permissions: Grants the same visibility as Owner and Contributor, but restricted to read-only operations. Doesn't permit create, update, or delete actions on registries.
  • Control plane permissions:
    • View and list registries (including registry SKUs and availability zones and zone redundancy)
    • View and list (but not manage) role assignments for registries
    • View and list geo-replications
    • View and list connected registries
    • View and list ACR tasks, task runs, task agent pools, task logs, and task identities
    • View and list artifact cache rules and credential sets
    • View and list ACR transfer pipelines for transferring artifacts between registries using intermediary storage accounts across network, tenant, or air gap boundaries (import pipelines, export pipelines, and import/export pipeline runs)
    • View registry configuration
      • View and list both the registry's system-assigned managed identity and user-assigned managed identity
      • View and list network access settings (public network access, trusted services bypass, network firewall rules, dedicated data endpoints, and Virtual Network (VNET) service endpoints)
      • View and list private endpoint settings (set up, approve, reject, and list private endpoint connections and private link resources)
      • View and list authentication access settings (admin user login credentials, anonymous pull, non-Microsoft Entra token-based repository permissions, and Microsoft Entra authentication-as-arm token audience)
      • View and list registry policies (configure retention policy, quarantine enablement, soft-delete enablement, and data exfiltration export policy)
    • View and list registry diagnostics and monitoring settings (diagnostic settings, logs, metrics, webhooks for registries and geo-replications, and Event Grid)
    • View registry usage (storage usage)
  • Data plane permissions:
    • None - ABAC-enabled registries don't have data plane permissions for the built-in Reader role.

Owner

• Use case: Assign to administrators who need complete control over the registry, including the ability to assign roles to other identities and perform role assignments for the registry.
• Permissions: Full access to all registry control plane operations and data plane operations, including role assignment permissions and managing Microsoft Entra-based repository permissions.
  • Control plane permissions:
    • Create, update, view, list, and delete registries (including registry SKUs and availability zones and zone redundancy)
    • Manage role assignments for registries
    • Manage geo-replications
    • Manage connected registries
    • Manage ACR tasks, task runs, task agent pools, quick tasks (quick builds with az acr build and quick runs with az acr run), task logs, and task identities
      • Grants permissions to configure an ACR task's system-assigned managed identity. Note: to manage an ACR task's user-assigned managed identity, the separate Managed Identity Operator role is required.
      • Grants permissions to manage auto-purge on ACR tasks
    • Configure artifact cache rules and credential sets
    • Trigger ACR image imports with az acr import
    • Manage ACR transfer pipelines for transferring artifacts between registries using intermediary storage accounts across network, tenant, or air gap boundaries (import pipelines, export pipelines, and import/export pipeline runs)
    • Update registry configuration
      • Configure the registry's system-assigned managed identity. Note: to manage a registry's user-assigned managed identity, the separate Managed Identity Operator role is required.
      • Configure network access settings (public network access, trusted services bypass, network firewall rules, dedicated data endpoints, and Virtual Network (VNET) service endpoints)
      • Configure private endpoint settings (set up, approve, reject, and list private endpoint connections and private link resources)
      • Configure authentication access settings (admin user login credentials, anonymous pull, non-Microsoft Entra token-based repository permissions, and Microsoft Entra authentication-as-arm token audience)
      • Configure registry policies (configure retention policy, quarantine enablement, soft-delete enablement, and data exfiltration export policy)
    • Configure registry diagnostics and monitoring settings (diagnostic settings, logs, metrics, webhooks for registries and geo-replications, and Event Grid)
    • View registry usage (storage usage)
  • Data plane permissions:
    • Push and pull images and artifacts within repositories in the registry
    • Create, view, list, and delete OCI referrer artifacts
    • Manage image and artifact metadata such as tags (creating, reading, listing, retagging, and untagging tags)
    • View and list repositories (image names) in the registry
    • Configure artifact streaming for repositories and images (such as setting repository policies for automatic artifact streaming conversion, and enabling/disabling artifact streaming conversion for specific images)
    • Manage quarantined artifacts (list and read quarantined artifacts, modify artifact quarantine status)
    • Manage soft deleted artifacts (list and restore soft deleted artifacts)
    • Configure policies for repositories and images (including repository, image, digest, and tag locking)
    • Sign container images with Docker Content Trust (DCT)

Contributor

• Use case: Assign to identities that need to manage registries, but don't require role assignment permissions.
• Permissions: Full access to all registry control plane operations and all data plane operations, except role assignment permissions.
  • Control plane permissions:
    • Same as Owner, except for managing or performing role assignments for registries. Only permissions for viewing and listing role assignments for a registry are granted.
    • Note: to manage or perform role assignments for registries, the Role Based Access Control Administrator role is required. This less privileged role is recommended in lieu of the Owner role for managing role assignments.
  • Data plane permissions:
    • Same as Owner - full data plane access.

Reader

• Use case: Assign to identities who only need to view and list registries and registry configuration.
• Permissions: Grants the same visibility as Owner and Contributor, but restricted to read-only operations. Doesn't permit create, update, or delete actions on registries.
  • Control plane permissions:
    • View and list registries (including registry SKUs and availability zones and zone redundancy)
    • View and list (but not manage) role assignments for registries
    • View and list geo-replications
    • View and list connected registries
    • View and list ACR tasks, task runs, task agent pools, task logs, and task identities
    • View and list artifact cache rules and credential sets
    • View and list ACR transfer pipelines for transferring artifacts between registries using intermediary storage accounts across network, tenant, or air gap boundaries (import pipelines, export pipelines, and import/export pipeline runs)
    • View registry configuration
      • View and list both the registry's system-assigned managed identity and user-assigned managed identity
      • View and list network access settings (public network access, trusted services bypass, network firewall rules, dedicated data endpoints, and Virtual Network (VNET) service endpoints)
      • View and list private endpoint settings (set up, approve, reject, and list private endpoint connections and private link resources)
      • View and list authentication access settings (admin user login credentials, anonymous pull, non-Microsoft Entra token-based repository permissions, and Microsoft Entra authentication-as-arm token audience)
      • View and list registry policies (configure retention policy, quarantine enablement, soft-delete enablement, and data exfiltration export policy)
    • View and list registry diagnostics and monitoring settings (diagnostic settings, logs, metrics, webhooks for registries and geo-replications, and Event Grid)
    • View registry usage (storage usage)
  • Data plane permissions:
    • Pull images and artifacts within repositories in the registry
    • View and list OCI referrer artifacts
    • View and list image and artifact metadata such as tags
    • View and list repositories (image names) in the registry
    • View artifact streaming configuration for repositories and images (such as viewing repository policies for automatic artifact streaming conversion, and viewing artifact streaming configuration for an image)
    • View and list (but not manage) quarantined artifacts
    • View and list (but not manage) soft deleted artifacts
    • View policies for repositories and images (including repository, image, digest, and tag locking)