
I need to outline the permissions I need to create a few Azure resources for a client. It's unlikely I will be assigned elevated permissions like Owner on the resource group or subscription where my resources will live. Before I send anything over and potentially get my roles/permissions wrong, I have a few questions I need clarification on:

  1. In order to deploy or read resources in a resource group, does a user need to first be assigned roles/permissions on the subscription where this resource group resides?
  2. If a user is assigned the Reader role on a subscription and they're assigned the Owner role on a resource group, will they be able to create/deploy resources in the RG, or will the Reader role on the subscription take precedence?

The plan is to deploy a web app, App Insights and an Azure SQL database. I will have more elevated permissions to start (like Contributor, I'm assuming) but they will be reduced once I'm done. I need to ensure that I have enough permissions to do the deployment and also have enough permissions to view App Insights dashboards and reports afterwards in case there are problems.

Any help/clarification on this would be greatly appreciated!

jrd1989

1 Answer


To read or create resources in a resource group, you do not need subscription-wide permissions; they can also be applied just at the resource group level.

The role that takes precedence is the highest role, regardless of wide/narrow scope.

If you are contributor on the group or the subscription, you can create the resources in the group. If you are reader in the group, and contributor in the subscription, you can also create the resources.

The subscription is a wider scope and applies to all resource groups within, but reader on the group does not apply to anything else in the subscription.

Stefano d'Antonio
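Azure RBAC combines role assignments additively: an assignment applies to its own scope and everything beneath it, and an action is allowed if any applicable assignment grants it. The sketch below is an added example, not code from the question or the answer, and it models the scenarios discussed above. The role definitions are simplified subsets of the built-in roles, the subscription ID and resource group names are constructed, and deny assignments and data actions are not modelled.

```python
from fnmatch import fnmatchcase

# Simplified built-in role definitions (assumption: subset of the real
# Actions/NotActions, enough to show the evaluation logic).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {
        "actions": ["*"],
        "not_actions": ["Microsoft.Authorization/*/Write",
                        "Microsoft.Authorization/*/Delete"],
    },
    "Owner": {"actions": ["*"], "not_actions": []},
}

def _matches(patterns, action):
    # Action strings are compared case-insensitively; '*' is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def applies(assignment_scope, target_scope):
    """An assignment is inherited by every scope beneath the one it is made at."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def is_allowed(assignments, action, target_scope):
    """Additive model: allowed if ANY applicable assignment grants the action."""
    for role, scope in assignments:
        d = ROLES[role]
        if (applies(scope, target_scope)
                and _matches(d["actions"], action)
                and not _matches(d["not_actions"], action)):
            return True
    return False

# Constructed sample scopes (placeholder subscription ID, hypothetical RG names).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG_APP = SUB + "/resourceGroups/rg-app"
RG_OTHER = SUB + "/resourceGroups/rg-other"

# Question 2: Reader on the subscription plus Owner on one resource group.
DEPLOYER = [("Reader", SUB), ("Owner", RG_APP)]
# After the deployment: access reduced to Reader on the resource group only.
REDUCED = [("Reader", RG_APP)]

if __name__ == "__main__":
    for scope in (RG_APP, RG_OTHER):
        print(scope, is_allowed(DEPLOYER, "Microsoft.Web/sites/write", scope))
```

Reader at the resource group is enough to read Application Insights components there (`Microsoft.Insights/components/read`), which is the post-deployment case the question asks about.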