@@ -6,7 +6,7 @@ Costa Rica
66[ ![ GitHub] ( https://img.shields.io/badge/--181717?logo=github&logoColor=ffffff )] ( https://github.com/ )
77[ brown9804] ( https://github.com/brown9804 )
88
9- Last updated: 2025-01-13
9+ Last updated: 2025-02-21
1010
1111----------
1212
@@ -76,71 +76,74 @@ Custom roles can be created using various methods:
7676
77772 . Create a file. E.g., named ` custom_role.json ` with the required structure. Below is an example of a custom role for subscription access. Click [ here to see the example file] ( ./src/custom_role.json )
7878
79- ``` json
80- {
81- "Name" : " {YOUR_CUSTOM_ROLE}"
82- "Description" : " "
83- "AssignableScopes" : [
84- " /subscriptions/{your-subscription-id}"
85- ],
86- "Actions" : [
87- " *"
88- " Microsoft.Authorization/roleAssignments/write"
89- " Microsoft.Resources/deployments/read"
90- " Microsoft.Resources/deployments/write"
91- " Microsoft.Resources/deployments/delete"
92- " Microsoft.Resources/deployments/cancel/action"
93- " Microsoft.Resources/deployments/validate/action"
94- " Microsoft.Resources/deployments/whatIf/action"
95- " Microsoft.Resources/deployments/exportTemplate/action"
96- ],
97- "NotActions" : [
98- " Microsoft.Authorization/*/Delete"
99- " Microsoft.Authorization/elevateAccess/Action"
100- " Microsoft.Blueprint/blueprintAssignments/write"
101- " Microsoft.Blueprint/blueprintAssignments/delete"
102- " Microsoft.Compute/galleries/share/action"
103- " Microsoft.Purview/consents/write"
104- " Microsoft.Purview/consents/delete"
105- " Microsoft.Authorization/classicAdministrators/write"
106- " Microsoft.Authorization/classicAdministrators/delete"
107- " Microsoft.Authorization/denyAssignments/write"
108- " Microsoft.Authorization/denyAssignments/delete"
109- " Microsoft.Authorization/diagnosticSettings/write"
110- " Microsoft.Authorization/diagnosticSettings/delete"
111- " Microsoft.Authorization/locks/write"
112- " Microsoft.Authorization/locks/delete"
113- " Microsoft.Authorization/policyAssignments/delete"
114- " Microsoft.Authorization/policyAssignments/write"
115- " Microsoft.Authorization/policyAssignments/exempt/action"
116- " Microsoft.Authorization/policyAssignments/privateLinkAssociations/write"
117- " Microsoft.Authorization/policyAssignments/privateLinkAssociations/delete"
118- " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write"
119- " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/delete"
120- " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write"
121- " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/delete"
122- " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write"
123- " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/delete"
124- " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/validate/action"
125- " Microsoft.Authorization/policyDefinitions/write"
126- " Microsoft.Authorization/policyDefinitions/delete"
127- " Microsoft.Authorization/policyExemptions/write"
128- " Microsoft.Authorization/policyExemptions/delete"
129- " Microsoft.Authorization/policySetDefinitions/write"
130- " Microsoft.Authorization/policySetDefinitions/delete"
131- " Microsoft.Authorization/roleAssignments/delete"
132- " Microsoft.Authorization/roleAssignmentScheduleRequests/write"
133- " Microsoft.Authorization/roleAssignmentScheduleRequests/cancel/action"
134- " Microsoft.Authorization/roleDefinitions/write"
135- " Microsoft.Authorization/roleDefinitions/delete"
136- " Microsoft.Authorization/roleEligibilityScheduleRequests/write"
137- " Microsoft.Authorization/roleEligibilityScheduleRequests/cancel/action"
138- " Microsoft.Authorization/roleManagementPolicies/write"
139- ],
140- "DataActions" : []
141- }
142-
143- ```
79+ > [ !IMPORTANT]
80+ > This custom role example provides extensive permissions for managing resources and deployments within the subscription, including full access to all actions and specific permissions for role assignments and resource deployments. However, it explicitly denies permissions for critical authorization, policy, and administrative actions to ensure security and compliance, preventing unauthorized changes to key configurations and settings.
81+
82+ ``` json
83+ {
84+ "Name" : " {YOUR_CUSTOM_ROLE}"
85+ "Description" : " "
86+ "AssignableScopes" : [
87+ " /subscriptions/{your-subscription-id}"
88+ ],
89+ "Actions" : [
90+ " *"
91+ " Microsoft.Authorization/roleAssignments/write"
92+ " Microsoft.Resources/deployments/read"
93+ " Microsoft.Resources/deployments/write"
94+ " Microsoft.Resources/deployments/delete"
95+ " Microsoft.Resources/deployments/cancel/action"
96+ " Microsoft.Resources/deployments/validate/action"
97+ " Microsoft.Resources/deployments/whatIf/action"
98+ " Microsoft.Resources/deployments/exportTemplate/action"
99+ ],
100+ "NotActions" : [
101+ " Microsoft.Authorization/*/Delete"
102+ " Microsoft.Authorization/elevateAccess/Action"
103+ " Microsoft.Blueprint/blueprintAssignments/write"
104+ " Microsoft.Blueprint/blueprintAssignments/delete"
105+ " Microsoft.Compute/galleries/share/action"
106+ " Microsoft.Purview/consents/write"
107+ " Microsoft.Purview/consents/delete"
108+ " Microsoft.Authorization/classicAdministrators/write"
109+ " Microsoft.Authorization/classicAdministrators/delete"
110+ " Microsoft.Authorization/denyAssignments/write"
111+ " Microsoft.Authorization/denyAssignments/delete"
112+ " Microsoft.Authorization/diagnosticSettings/write"
113+ " Microsoft.Authorization/diagnosticSettings/delete"
114+ " Microsoft.Authorization/locks/write"
115+ " Microsoft.Authorization/locks/delete"
116+ " Microsoft.Authorization/policyAssignments/delete"
117+ " Microsoft.Authorization/policyAssignments/write"
118+ " Microsoft.Authorization/policyAssignments/exempt/action"
119+ " Microsoft.Authorization/policyAssignments/privateLinkAssociations/write"
120+ " Microsoft.Authorization/policyAssignments/privateLinkAssociations/delete"
121+ " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write"
122+ " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/delete"
123+ " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write"
124+ " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/delete"
125+ " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write"
126+ " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/delete"
127+ " Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/validate/action"
128+ " Microsoft.Authorization/policyDefinitions/write"
129+ " Microsoft.Authorization/policyDefinitions/delete"
130+ " Microsoft.Authorization/policyExemptions/write"
131+ " Microsoft.Authorization/policyExemptions/delete"
132+ " Microsoft.Authorization/policySetDefinitions/write"
133+ " Microsoft.Authorization/policySetDefinitions/delete"
134+ " Microsoft.Authorization/roleAssignments/delete"
135+ " Microsoft.Authorization/roleAssignmentScheduleRequests/write"
136+ " Microsoft.Authorization/roleAssignmentScheduleRequests/cancel/action"
137+ " Microsoft.Authorization/roleDefinitions/write"
138+ " Microsoft.Authorization/roleDefinitions/delete"
139+ " Microsoft.Authorization/roleEligibilityScheduleRequests/write"
140+ " Microsoft.Authorization/roleEligibilityScheduleRequests/cancel/action"
141+ " Microsoft.Authorization/roleManagementPolicies/write"
142+ ],
143+ "DataActions" : []
144+ }
145+
146+ ```
144147
1451483 . Create the custom role: Use the following command to create the role using the JSON file.
146149
0 commit comments