Azure Cosmos DB for NoSQL data plane built-in roles reference
APPLIES TO: NoSQL
Azure Cosmos DB for NoSQL includes built-in data plane roles within its native role-based access control implementation. This article lists those roles and describes the permissions each role grants.
Built-in data plane roles
Azure Cosmos DB for NoSQL defines its own role definitions that are specific to the data plane. These roles are distinct from Azure role-based access control role definitions.
Cosmos DB Built-in Data Reader
ID: 00000000-0000-0000-0000-000000000001
- Included actions
  - Microsoft.DocumentDB/databaseAccounts/readMetadata
  - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/read
  - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/executeQuery
  - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/readChangeFeed
Cosmos DB Built-in Data Contributor
ID: 00000000-0000-0000-0000-000000000002
- Included actions
  - Microsoft.DocumentDB/databaseAccounts/readMetadata
  - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/*
  - Microsoft.DocumentDB/databaseAccounts/sqlDatabases/containers/items/*