Permissions docs (#47793)

jaschrep-msft · web-flow · commit e1a01635a2c5 · 2025-01-14T11:54:13.000-05:00
* readmes

* docstring

* remove autoadded import
diff --git a/sdk/storage/Azure.Storage.DataMovement.Blobs/README.md b/sdk/storage/Azure.Storage.DataMovement.Blobs/README.md
@@ -45,6 +45,17 @@ az storage account create --name MyStorageAccount --resource-group MyResourceGro
 ### Authenticate the client
 The Azure.Storage.DataMovement.Blobs library uses clients from the Azure.Storage.Blobs package to communicate with the Azure Blob Storage service. For more information see the Azure.Storage.Blobs [authentication documentation](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/storage/Azure.Storage.Blobs#authenticate-the-client).
 
+### Permissions
+
+The authenticated blob storage resource needs the following permissions to perform a transfer:
+
+1. Read
+2. List (for container transfers)
+3. Write
+4. Add (specific to append blobs)
+5. Delete (for cleanup of a failed transfer item)
+6. Create
+
 ## Key concepts
 
 The Azure Storage Common client library contains shared infrastructure like
diff --git a/sdk/storage/Azure.Storage.DataMovement.Files.Shares/README.md b/sdk/storage/Azure.Storage.DataMovement.Files.Shares/README.md
@@ -47,6 +47,16 @@ az storage account create --name MyStorageAccount --resource-group MyResourceGro
 ### Authenticate the client
 The Azure.Storage.DataMovement.Files.Shares library uses clients from the Azure.Storage.Files.Shares package to communicate with the Azure File Storage service. For more information see the Azure.Storage.Files.Shares [authentication documentation](https://github.com/Azure/azure-sdk-for-net/tree/main/sdk/storage/Azure.Storage.Files.Shares#authenticate-the-client).
 
+### Permissions
+
+The authenticated share storage resource needs the following permissions to perform a transfer:
+
+1. Read
+2. List (for directory transfers)
+3. Write
+5. Delete (for cleanup of a failed transfer item)
+6. Create
+
 ## Key concepts
 
 The Azure Storage Common client library contains shared infrastructure like
diff --git a/sdk/storage/Azure.Storage.DataMovement/README.md b/sdk/storage/Azure.Storage.DataMovement/README.md
@@ -44,6 +44,14 @@ az storage account create --name MyStorageAccount --resource-group MyResourceGro
 
 Authentication is specific to the targeted storage service. Please see documentation for the individual services
 
+### Permissions
+
+Data Movement must have appropriate permissions to the storage resources.
+Permissions are specific to the type of storage Data Movement is connected to.
+
+- [Blob storage permissions](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/storage/Azure.Storage.DataMovement.Blobs/README.md#permissions)
+- [File share permissions](https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/storage/Azure.Storage.DataMovement.Files.Shares//README.md#permissions)
+
 ## Key concepts
 
 The Azure Storage DataMovement client library contains shared infrastructure like
diff --git a/sdk/storage/Azure.Storage.DataMovement/src/TransferManager.cs b/sdk/storage/Azure.Storage.DataMovement/src/TransferManager.cs
@@ -353,6 +353,7 @@ internal virtual Task<bool> TryRemoveTransferAsync(string id)
         #region Start Transfer
         /// <summary>
         /// Starts a transfer from the given source resource to the given destination resource.
+        /// Ensure <see cref="StorageResource"/> instances are built with <see href="https://github.com/Azure/azure-sdk-for-net/blob/main/sdk/storage/Azure.Storage.DataMovement/README.md#permissions">appropriate permissions</see>.
         /// </summary>
         /// <param name="sourceResource">A <see cref="StorageResource"/> representing the source.</param>
         /// <param name="destinationResource">A <see cref="StorageResource"/> representing the destination.</param>
