I would like to create a custom role which will disable someone from viewing the cost of a subscription. For example, if I give read access to a person, he is able to see the cost. I need an RBAC role to be created to disable that view.
1 Answer
To be able to disable that you need to find out what permissions are required to be able to view billing data and then deny them.
The easiest way to do this is to look at the "Billing Reader" role that is already defined in Azure. You can view the permissions by going to the "Access Control (IAM)" section on any resource, then clicking the roles button at the top. Find the "Billing Reader" role and click on it; the window that opens will show you the providers allocated to it. Click on each of them to see the permissions.
Based on the information here, you will see that you need to deny access to the following permissions:
Microsoft.Consumption/*
Microsoft.Commerce/*
Microsoft.Billing/*
With custom roles you have two options: you can define Actions (things you can do) and NotActions (things you can't do). So you can either create a role that has all the required permissions and not include these billing ones, or set these billing permissions as NotActions.
I've written a post on custom roles that can provide more details on this - https://samcogan.com/custom-azure-rbac-roles/

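The NotActions option from the answer above, as an added example that is not part of the original answer: it builds a custom role definition in the JSON shape accepted by `az role definition create` and evaluates which operations the role grants. NotActions are subtracted from the same role's Actions rather than acting as a deny rule, so a second role assignment can still grant a billing operation. The role name, subscription ID, the operation strings checked and the second role are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

# The three provider namespaces named in the answer above.
BILLING_NOT_ACTIONS = [
    "Microsoft.Consumption/*",
    "Microsoft.Commerce/*",
    "Microsoft.Billing/*",
]

def build_role(subscription_id):
    """Return a custom role definition: read everything except the billing providers."""
    return {
        "Name": "Reader Without Billing (example)",  # hypothetical role name
        "IsCustom": True,
        "Description": "Read access with the billing providers excluded.",
        "Actions": ["*/read"],
        "NotActions": BILLING_NOT_ACTIONS,
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }

def _matches(patterns, operation):
    # Operation strings are compared case-insensitively; '*' is the wildcard.
    op = operation.lower()
    return any(fnmatchcase(op, p.lower()) for p in patterns)

def role_allows(role, operation):
    """A single role grants an operation that matches Actions and no NotActions."""
    return (_matches(role["Actions"], operation)
            and not _matches(role.get("NotActions", []), operation))

def effective_allows(roles, operation):
    """Role assignments are additive: one role granting the operation is enough."""
    return any(role_allows(r, operation) for r in roles)

if __name__ == "__main__":
    # Placeholder subscription ID, not a real one.
    custom = build_role("00000000-0000-0000-0000-000000000000")
    print(json.dumps(custom, indent=2))  # save as role.json for az role definition create

    # Constructed stand-in for any other role that grants consumption reads.
    other = {"Actions": ["Microsoft.Consumption/*/read"], "NotActions": []}
    for op in ("Microsoft.Compute/virtualMachines/read",
               "Microsoft.Consumption/usageDetails/read"):
        print(op, "| custom only:", role_allows(custom, op),
              "| custom + other:", effective_allows([custom, other], op))
```

Before relying on the custom role, check that the user holds no other role assignment at the same or a parent scope that grants the billing operations.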