
Commit 3e25a77

authored
note custom role
1 parent 9242c9b commit 3e25a77

1 file changed

Lines changed: 68 additions & 65 deletions


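--- a/0_Azure/5_DataProtectionMng/3_CustomRole/README.md
+++ b/0_Azure/5_DataProtectionMng/3_CustomRole/README.md
@@ -76,71 +76,74 @@ Custom roles can be created using various methods:
 
 2. Create a file. E.g., named `custom_role.json` with the required structure. Below is an example of a custom role for subscription access. Click [here to see the example file](./src/custom_role.json)
 
-```json
-{
-"Name": "{YOUR_CUSTOM_ROLE}",
-"Description": "",
-"AssignableScopes": [
-"/subscriptions/{your-subscription-id}"
-],
-"Actions": [
-"*",
-"Microsoft.Authorization/roleAssignments/write",
-"Microsoft.Resources/deployments/read",
-"Microsoft.Resources/deployments/write",
-"Microsoft.Resources/deployments/delete",
-"Microsoft.Resources/deployments/cancel/action",
-"Microsoft.Resources/deployments/validate/action",
-"Microsoft.Resources/deployments/whatIf/action",
-"Microsoft.Resources/deployments/exportTemplate/action"
-],
-"NotActions": [
-"Microsoft.Authorization/*/Delete",
-"Microsoft.Authorization/elevateAccess/Action",
-"Microsoft.Blueprint/blueprintAssignments/write",
-"Microsoft.Blueprint/blueprintAssignments/delete",
-"Microsoft.Compute/galleries/share/action",
-"Microsoft.Purview/consents/write",
-"Microsoft.Purview/consents/delete",
-"Microsoft.Authorization/classicAdministrators/write",
-"Microsoft.Authorization/classicAdministrators/delete",
-"Microsoft.Authorization/denyAssignments/write",
-"Microsoft.Authorization/denyAssignments/delete",
-"Microsoft.Authorization/diagnosticSettings/write",
-"Microsoft.Authorization/diagnosticSettings/delete",
-"Microsoft.Authorization/locks/write",
-"Microsoft.Authorization/locks/delete",
-"Microsoft.Authorization/policyAssignments/delete",
-"Microsoft.Authorization/policyAssignments/write",
-"Microsoft.Authorization/policyAssignments/exempt/action",
-"Microsoft.Authorization/policyAssignments/privateLinkAssociations/write",
-"Microsoft.Authorization/policyAssignments/privateLinkAssociations/delete",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/delete",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/delete",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/delete",
-"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/validate/action",
-"Microsoft.Authorization/policyDefinitions/write",
-"Microsoft.Authorization/policyDefinitions/delete",
-"Microsoft.Authorization/policyExemptions/write",
-"Microsoft.Authorization/policyExemptions/delete",
-"Microsoft.Authorization/policySetDefinitions/write",
-"Microsoft.Authorization/policySetDefinitions/delete",
-"Microsoft.Authorization/roleAssignments/delete",
-"Microsoft.Authorization/roleAssignmentScheduleRequests/write",
-"Microsoft.Authorization/roleAssignmentScheduleRequests/cancel/action",
-"Microsoft.Authorization/roleDefinitions/write",
-"Microsoft.Authorization/roleDefinitions/delete",
-"Microsoft.Authorization/roleEligibilityScheduleRequests/write",
-"Microsoft.Authorization/roleEligibilityScheduleRequests/cancel/action",
-"Microsoft.Authorization/roleManagementPolicies/write"
-],
-"DataActions": []
-}
-
-```
+> [!IMPORTANT]
+> This custom role example provides extensive permissions for managing resources and deployments within the subscription, including full access to all actions and specific permissions for role assignments and resource deployments. However, it explicitly denies permissions for critical authorization, policy, and administrative actions to ensure security and compliance, preventing unauthorized changes to key configurations and settings.
+
+```json
+{
+"Name": "{YOUR_CUSTOM_ROLE}",
+"Description": "",
+"AssignableScopes": [
+"/subscriptions/{your-subscription-id}"
+],
+"Actions": [
+"*",
+"Microsoft.Authorization/roleAssignments/write",
+"Microsoft.Resources/deployments/read",
+"Microsoft.Resources/deployments/write",
+"Microsoft.Resources/deployments/delete",
+"Microsoft.Resources/deployments/cancel/action",
+"Microsoft.Resources/deployments/validate/action",
+"Microsoft.Resources/deployments/whatIf/action",
+"Microsoft.Resources/deployments/exportTemplate/action"
+],
+"NotActions": [
+"Microsoft.Authorization/*/Delete",
+"Microsoft.Authorization/elevateAccess/Action",
+"Microsoft.Blueprint/blueprintAssignments/write",
+"Microsoft.Blueprint/blueprintAssignments/delete",
+"Microsoft.Compute/galleries/share/action",
+"Microsoft.Purview/consents/write",
+"Microsoft.Purview/consents/delete",
+"Microsoft.Authorization/classicAdministrators/write",
+"Microsoft.Authorization/classicAdministrators/delete",
+"Microsoft.Authorization/denyAssignments/write",
+"Microsoft.Authorization/denyAssignments/delete",
+"Microsoft.Authorization/diagnosticSettings/write",
+"Microsoft.Authorization/diagnosticSettings/delete",
+"Microsoft.Authorization/locks/write",
+"Microsoft.Authorization/locks/delete",
+"Microsoft.Authorization/policyAssignments/delete",
+"Microsoft.Authorization/policyAssignments/write",
+"Microsoft.Authorization/policyAssignments/exempt/action",
+"Microsoft.Authorization/policyAssignments/privateLinkAssociations/write",
+"Microsoft.Authorization/policyAssignments/privateLinkAssociations/delete",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/write",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/delete",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/write",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnections/delete",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/write",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/delete",
+"Microsoft.Authorization/policyAssignments/resourceManagementPrivateLinks/privateEndpointConnectionProxies/validate/action",
+"Microsoft.Authorization/policyDefinitions/write",
+"Microsoft.Authorization/policyDefinitions/delete",
+"Microsoft.Authorization/policyExemptions/write",
+"Microsoft.Authorization/policyExemptions/delete",
+"Microsoft.Authorization/policySetDefinitions/write",
+"Microsoft.Authorization/policySetDefinitions/delete",
+"Microsoft.Authorization/roleAssignments/delete",
+"Microsoft.Authorization/roleAssignmentScheduleRequests/write",
+"Microsoft.Authorization/roleAssignmentScheduleRequests/cancel/action",
+"Microsoft.Authorization/roleDefinitions/write",
+"Microsoft.Authorization/roleDefinitions/delete",
+"Microsoft.Authorization/roleEligibilityScheduleRequests/write",
+"Microsoft.Authorization/roleEligibilityScheduleRequests/cancel/action",
+"Microsoft.Authorization/roleManagementPolicies/write"
+],
+"DataActions": []
+}
+
+```
 
 3. Create the custom role: Use the following command to create the role using the JSON file.
 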
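Review bot: The new admonition (new lines 79-80) claims the role prevents unauthorized changes to key configurations, but the definition it introduces still grants `Microsoft.Authorization/roleAssignments/write` (listed under `Actions` and also covered by `"*"`) while `NotActions` only removes `roleAssignments/delete`, so a holder can assign the built-in Owner role to any principal, including themselves, at subscription scope and thereby bypass every other exclusion. `NotActions` are subtracted from this role's `Actions` only; they are not deny assignments and do not restrict a principal that obtains a second role. Either move `"Microsoft.Authorization/roleAssignments/write"` from `Actions` to `NotActions`, or reword the note to say the exclusions narrow rather than prevent privilege changes and that role-assignment rights make this role effectively Owner-equivalent. The linked `./src/custom_role.json` presumably carries the same entry and should change with it; if the broad `"*"` grant is intentional, a sentence recommending time-bound (PIM-eligible) rather than permanent assignment would help readers.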