Difference between managing resources vs accessing resources in Azure RBAC

Question

What is the difference between managing resources vs accessing resource in Azure RBAC. If I can manage the resource then definitely I can access them. I am unable to understand the difference. Can someone pls provide me the clarity

Answer 1

If I can manage the resource then definitely I can access them.

Sure you can, lets take Azure Storage as an example, management can be done by assigning the Storage Account Contributor role. The docs learns us that this role

Permits management of storage accounts. Provides access to the account key, which can be used to access data via Shared Key authorization.

So yes, having management permissions can include having access to the data plane of Azure Resources.

So when assigning roles you need to be careful. Always assign roles based on the principle of least privilege. A DevOps person might need to have the Storage Account Contributor assigned. But a web app that uses a managed identity to read blobs inside the storage account is better of having the Storage Blob Data Reader assigned so it has no more access than it really needs preventing the web app from accidentally deleting blobs for example.

Another example: in my organisation some people have access to certain Azure Monitor logs and metrics. Instead of assigning them management permissions we assign them the Azure Monitoring Reader role instead of the Monitoring Contributor because we don't want them to modify any settings related to the monitoring.

Hope this clears things up regarding the different permission scopes and when to use them.