
Commit 2d5cdc1

authored
Merge 3e25a77 into 9242c9b
2 parents 9242c9b + 3e25a77 commit 2d5cdc1

1 file changed

Lines changed: 68 additions & 65 deletions


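--- a/0_Azure/5_DataProtectionMng/3_CustomRole/README.md
+++ b/0_Azure/5_DataProtectionMng/3_CustomRole/README.md
@@ -76,71 +76,74 @@ Custom roles can be created using various methods:
 
 2. Create a file. E.g., named `custom_role.json` with the required structure. Below is an example of a custom role for subscription access. Click [here to see the example file](./src/custom_role.json)
 
-```json
-{
-"Name": "{YOUR_CUSTOM_ROLE}",
-"Description": "",
-"AssignableScopes": [
-"/subscriptions/{your-subscription-id}"
-],
-"Actions": [
-"*",
-"Microsoft.Authorization/roleAssignments/write",
-"Microsoft.Resources/deployments/read",
-"Microsoft.Resources/deployments/write",
-"Microsoft.Resources/deployments/delete",
-"Microsoft.Resources/deployments/cancel/action",
-"Microsoft.Resources/deployments/validate/action",
-"Microsoft.Resources/deployments/whatIf/action",
-"Microsoft.Resources/deployments/exportTemplate/action"
-],
-"NotActions": [
-"Microsoft.Authorization/*/Delete",
-"Microsoft.Authorization/elevateAccess/Action",
-"Microsoft.Blueprint/blueprintAssignments/write",
-"Microsoft.Blueprint/blueprintAssignments/delete",
-"Microsoft.Compute/galleries/share/action",
-"Microsoft.Purview/consents/write",
-"Microsoft.Purview/consents/delete",
-"Microsoft.Authorization/classicAdministrators/write",
-"Microsoft.Authorization/classicAdministrators/delete",
-"Microsoft.Authorization/denyAssignments/write",
-"Microsoft.Authorization/denyAssignments/delete",
-"Microsoft.Authorization/diagnosticSettings/write",
-"Microsoft.Authorization/diagnosticSettings/delete",
-"Microsoft.Authorization/locks/write",
-"Microsoft.Authorization/locks/delete",
-"Microsoft.Authorization/policyAssignments/delete",
-"Microsoft.Authorization/policyAssignments/write",
-"Microsoft.Authorization/policyAssignments/exempt/action",
-"Microsoft.Authorization/policyAssignments/privateLinkAssociations/write",
-"Microsoft.Authorization/policyAssignments/privateLinkAssociations/delete",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/delete",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/delete",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/delete",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/validate/action",
-"Microsoft.Authorization/policyDefinitions/write",
-"Microsoft.Authorization/policyDefinitions/delete",
-"Microsoft.Authorization/policyExemptions/write",
-"Microsoft.Authorization/policyExemptions/delete",
-"Microsoft.Authorization/policySetDefinitions/write",
-"Microsoft.Authorization/policySetDefinitions/delete",
-"Microsoft.Authorization/roleAssignments/delete",
-"Microsoft.Authorization/roleAssignmentScheduleRequests/write",
-"Microsoft.Authorization/roleAssignmentScheduleRequests/cancel/action",
-"Microsoft.Authorization/roleDefinitions/write",
-"Microsoft.Authorization/roleDefinitions/delete",
-"Microsoft.Authorization/roleEligibilityScheduleRequests/write",
-"Microsoft.Authorization/roleEligibilityScheduleRequests/cancel/action",
-"Microsoft.Authorization/roleManagementPolicies/write"
-],
-"DataActions": []
-}
-
-```
+> [!IMPORTANT]
+> This custom role example provides extensive permissions for managing resources and deployments within the subscription, including full access to all actions and specific permissions for role assignments and resource deployments. However, it explicitly denies permissions for critical authorization, policy, and administrative actions to ensure security and compliance, preventing unauthorized changes to key configurations and settings.
+
+```json
+{
+"Name": "{YOUR_CUSTOM_ROLE}",
+"Description": "",
+"AssignableScopes": [
+"/subscriptions/{your-subscription-id}"
+],
+"Actions": [
+"*",
+"Microsoft.Authorization/roleAssignments/write",
+"Microsoft.Resources/deployments/read",
+"Microsoft.Resources/deployments/write",
+"Microsoft.Resources/deployments/delete",
+"Microsoft.Resources/deployments/cancel/action",
+"Microsoft.Resources/deployments/validate/action",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/exportTemplate/action"
+],
+"NotActions": [
+"Microsoft.Authorization/*/Delete",
+"Microsoft.Authorization/elevateAccess/Action",
+"Microsoft.Blueprint/blueprintAssignments/write",
+"Microsoft.Blueprint/blueprintAssignments/delete",
+"Microsoft.Compute/galleries/share/action",
+"Microsoft.Purview/consents/write",
+"Microsoft.Purview/consents/delete",
+"Microsoft.Authorization/classicAdministrators/write",
+"Microsoft.Authorization/classicAdministrators/delete",
+"Microsoft.Authorization/denyAssignments/write",
+"Microsoft.Authorization/denyAssignments/delete",
+"Microsoft.Authorization/diagnosticSettings/write",
+"Microsoft.Authorization/diagnosticSettings/delete",
+"Microsoft.Authorization/locks/write",
+"Microsoft.Authorization/locks/delete",
+"Microsoft.Authorization/policyAssignments/delete",
+"Microsoft.Authorization/policyAssignments/write",
+"Microsoft.Authorization/policyAssignments/exempt/action",
+"Microsoft.Authorization/policyAssignments/privateLinkAssociations/write",
+"Microsoft.Authorization/policyAssignments/privateLinkAssociations/delete",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/delete",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/delete",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/delete",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/validate/action",
+"Microsoft.Authorization/policyDefinitions/write",
+"Microsoft.Authorization/policyDefinitions/delete",
+"Microsoft.Authorization/policyExemptions/write",
+"Microsoft.Authorization/policyExemptions/delete",
+"Microsoft.Authorization/policySetDefinitions/write",
+"Microsoft.Authorization/policySetDefinitions/delete",
+"Microsoft.Authorization/roleAssignments/delete",
+"Microsoft.Authorization/roleAssignmentScheduleRequests/write",
+"Microsoft.Authorization/roleAssignmentScheduleRequests/cancel/action",
+"Microsoft.Authorization/roleDefinitions/write",
+"Microsoft.Authorization/roleDefinitions/delete",
+"Microsoft.Authorization/roleEligibilityScheduleRequests/write",
+"Microsoft.Authorization/roleEligibilityScheduleRequests/cancel/action",
+"Microsoft.Authorization/roleManagementPolicies/write"
+],
+"DataActions": []
+}
+
+```
 
 3. Create the custom role: Use the following command to create the role using the JSON file.
 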
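Review bot: The new IMPORTANT callout says the role "explicitly denies" the critical authorization actions, but in Azure RBAC `NotActions` only subtracts from this role's own `Actions`; it is not a deny assignment and does not stop the same principal from obtaining those actions through another assignment. That matters here because `Actions` still grants `Microsoft.Authorization/roleAssignments/write` (and `"*"` already covers it), while only `roleAssignments/delete` and `roleDefinitions/write` appear in `NotActions`, so a holder of this role at subscription scope can assign Owner to itself or anyone and regain everything the callout claims is blocked, unless a role-assignment condition or a separate deny assignment is in place. I would reword the callout along the lines of `> NotActions only subtract from this role's own Actions; they are not deny assignments. Because Actions still includes Microsoft.Authorization/roleAssignments/write, a holder of this role can grant itself Owner and recover every withheld action, so treat this definition as Owner-equivalent.` Beyond the wording, the example itself should either move `Microsoft.Authorization/roleAssignments/write` into `NotActions` or pair it with an ABAC condition that restricts which roles may be assigned, before it is presented as a hardened pattern. The explicit `Microsoft.Resources/deployments/*` entries are likewise redundant under `"*"` and could be dropped for clarity.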
