What additional role should I provision in an Azure resource group so that a contributor can see/accept/fix Azure SQL security recommendations?

We are receiving security recommendations for one of our Azure SQL databases. I'm owner of the subscription and can see those recommendations in the Azure SQL Security Center. I would like to delegate the resolution to one of the resource group contributors, but the same recommendations don't appear to them.

What additional permissions does an Azure resource group contributor need to see/accept/fix alerts from an Azure SQL in that resource group?


To be able to see alerts in security centre you want to grant them the "security reader" role. If they need to dismiss alerts then this is a bit trickier as the only roles that have this are "Security Admin" or subscription contributor or owner. You can see the role definitions here. If you don't want to grant those roles you can create a custom role that has the "Microsoft.Security/locations/alerts/dismiss/action" permission.

To fix the issues in the alerts will come down to what needs to be done. The user fixing them will need the appropriate rights on the SQL Server to apply the fixes, but without knowing what they are it's difficult to say.
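
The custom role mentioned in the answer above, written out as an added example that is not part of the original answer: a role definition in the JSON shape accepted by `az role definition create --role-definition`. The role name, the description and the `<subscription-id>` placeholder are assumptions, as is assigning it at subscription scope alongside the built-in Security Reader role so the user can both view and dismiss alerts.

```json
{
  "Name": "Security Alert Dismisser (example)",
  "IsCustom": true,
  "Description": "Example custom role: allows dismissing security alerts without granting Security Admin. Assign together with Security Reader.",
  "Actions": [
    "Microsoft.Security/locations/alerts/dismiss/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/<subscription-id>"
  ]
}
```

The role grants no read access of its own, so a user holding only this role still will not see the alerts.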