is it possible to restrict an AD user/group to only be able to deploy ARM templates which were shared with them in the ARM Template library by a PowerUser?
the user should have not other rights (maybe not even seeing the template code?) but should be able to deploy it
any ideas?
The short answer is - no.
The long answer is - yes, kind of.
To do this you would restrict users access to Microsoft.Deployments Provider and allow access to managed application.
That would allow you to gate users to deploy only pre approved templates, basically. But that would require a lot of work.
You can also look at using Policies on Resource Groups to limit what the users can deploy
