Installing ModelOps 1.1, the acrpush/acrpull permissions do not work, so the only alternative is to assign the ModelOps application the Owner role. This weakens security. Is there a way to install and run ModelOps without the Owner role for the application?

Microsoft Azure AKS

The duration of the ModelOps application requiring the Owner role is limited to the installation period.

Without Owner role for the application, the following command fails with this error:

> az aks create  --resource-group tibcomodelops  --service-principal ******  --client-secret ******  --name tibcomodelops  --max-pods 200  --node-count 1  --enable-cluster-autoscaler  --min-count 1  --max-count 5  --no-ssh-key   --windows-admin-password ****** --windows-admin-username *****  --vm-set-type VirtualMachineScaleSets  --node-vm-size Standard_B8ms   --network-plugin azure  --attach-acr tibcomodelops  --output table

Waiting for AAD role to propagate[#####    ]  90.0000%Could not create a role assignment for ACR. Are you an Owner on this subscription?

Refer to documentation page:
  TIBCO ModelOps Documentation:AKS Installation
 
When registering the application at step:
  REGISTER THE APPLICATION, OBTAIN REQUIRED SERVICE PRINCIPAL AND CLIENT SECRET
assign the Owner role to avoid the problem with acrpush and acrpull permissions. The Azure Owner role is needed only for the duration of the 'az aks create' command after which the application role may be set to Contributor. ModelOps will then run correctly with only Contributor permissions. 

Installation requires the application to have Owner role only for the 'az aks create' command.