11

I have been assigned the Owner role on a resource group. I am unable to create a new resource group.

To create a resource group, do I need the Owner or Contributor role on the subscription?

And when a user is assigned both the Owner and Reader roles, which role controls the user's access?

Udhav Sarvaiya
kannan Eswar

5 Answers

31

The OP asks for the RBAC permissions necessary to create a new resource group. @jason-ye suggests the subscription Owner role. This is more permission than necessary, hence not a good answer for production or related environments.

Per Built-in roles for Azure resources, the Contributor role on the subscription is sufficient to create all resources, including resource groups. The following are the permission assignments for the Contributor role; "*" means everything, and some things are explicitly denied:

Actions  
*
NotActions  
Microsoft.Authorization/*/Delete 
Microsoft.Authorization/*/Write 
Microsoft.Authorization/elevateAccess/Action 
Microsoft.Blueprint/blueprintAssignments/write 
Microsoft.Blueprint/blueprintAssignments/delete 

I would like a means to grant "Create New Resource Group" without granting "*" to existing resources.

Update: Based on Azure built-in [RBAC] roles, there is no other built-in role that provides the necessary permission to create (or write) resource groups.

However, now that Azure supports custom RBAC roles, you can create a custom role with the Microsoft.Resources resource provider operation

Microsoft.Resources/subscriptions/resourceGroups/write 

which would provide the least privileges to achieve the desired result.

JohnC
  • Did you have any luck finding a way to create a resource group without Owner at the subscription level? – John Delisle Jan 14 '20 at 15:39
  • @JohnDelisle Per my answer you only need Contributor not Owner. My only concern is that Contributor gives too much power as it allows changes to other resource groups. – JohnC Jan 14 '20 at 22:11
1
  1. Create a new role and assign it at the subscription level with the permissions below. Everything is read-only at the subscription level, but you can create resource groups: "*/read", "Microsoft.Resources/subscriptions/resourceGroups/write"
  2. Assign the Owner permission to the user on the resource groups they want to manage.
Zoe
Vamshi
1

Here is how you do that.

Create a file newrole.json and add the text below.

    {
        "Name": "XXX ReadOnly",
        "IsCustom": true,
        "Description": "Lets you view everything and create resource groups, but not make any other changes.",
        "Actions": [
            "*/read",
            "Microsoft.Resources/subscriptions/resourceGroups/write"
        ],
        "NotActions": [],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [
            "/subscriptions/id"
        ]
    }

Create the role with the command below:

    New-AzRoleDefinition -InputFile newrole.json
David Buck
Vamshi
1

Azure provides four levels of scope (ordered from high to low): management groups, subscriptions, resource groups, and resources.

You apply management settings at any of these levels of scope. The level you select determines how widely the setting is applied. Lower levels inherit settings from higher levels. For example, when you apply a policy to the subscription, the policy is applied to all resource groups and resources in your subscription. When you apply a policy on the resource group, that policy is applied to the resource group and all its resources. However, another resource group doesn't have that policy assignment. For more info, check here

Navin prasad
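The answers above describe one evaluation model in words: an assignment covers its own scope and everything beneath it (Navin's answer), a role's NotActions subtract only from that role's own Actions (JohnC's Contributor listing), and a narrow custom role at the subscription plus Owner on the user's own resource group gives least privilege (Vamshi's role). What follows is an added example, not code from any answer and not Azure's own evaluator: a small Python model of that evaluation, run over the scenarios from the question, including the Owner-plus-Reader case that no answer addressed directly. The subscription ID, the resource group names and the principal name are constructed placeholders; deny assignments and management groups are not modelled.

```python
# Added example (not code from any answer on this page, nor Azure's own evaluator):
# a small model of how Azure RBAC decides whether an operation is allowed.
# Role definitions mirror the roles quoted in the answers; subscription ID,
# resource group names and the principal name are constructed placeholders.
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class RoleDefinition:
    name: str
    actions: tuple           # patterns such as "*" or "*/read"
    not_actions: tuple = ()  # subtracted from actions, within this role only


@dataclass(frozen=True)
class RoleAssignment:
    principal: str
    role: RoleDefinition
    scope: str  # "/subscriptions/<id>" or "/subscriptions/<id>/resourceGroups/<name>"


def matches(pattern, operation):
    """Operation names are case-insensitive and '*' spans '/' boundaries."""
    return fnmatchcase(operation.lower(), pattern.lower())


def role_permits(role, operation):
    """Effective permission of a single role: Actions minus NotActions."""
    allowed = any(matches(p, operation) for p in role.actions)
    denied = any(matches(p, operation) for p in role.not_actions)
    return allowed and not denied


def scope_covers(assignment_scope, target_scope):
    """An assignment applies at its own scope and every child scope, never at a parent."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def is_allowed(principal, operation, scope, assignments):
    """Assignments are additive: one assignment that permits the operation at the
    scope is enough, and a NotAction in one role never blocks what another role
    grants (deny assignments would, but they are not modelled here)."""
    return any(
        ra.principal == principal
        and scope_covers(ra.scope, scope)
        and role_permits(ra.role, operation)
        for ra in assignments
    )


# Built-in roles as quoted in the answers above.
OWNER = RoleDefinition("Owner", ("*",))
READER = RoleDefinition("Reader", ("*/read",))
CONTRIBUTOR = RoleDefinition("Contributor", ("*",), (
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/elevateAccess/Action",
    "Microsoft.Blueprint/blueprintAssignments/write",
    "Microsoft.Blueprint/blueprintAssignments/delete",
))
# The custom role from the answers: read everything, create resource groups, change nothing else.
RG_CREATOR = RoleDefinition("Resource Group Creator (custom)",
                            ("*/read", "Microsoft.Resources/subscriptions/resourceGroups/write"))

CREATE_RG = "Microsoft.Resources/subscriptions/resourceGroups/write"
ASSIGN_ROLE = "Microsoft.Authorization/roleAssignments/write"
WRITE_VM = "Microsoft.Compute/virtualMachines/write"
READ_VM = "Microsoft.Compute/virtualMachines/read"

# Constructed placeholder scopes. A request to create rg-new is authorized at rg-new's
# scope, which is a child of the subscription but not of any existing resource group.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG1 = SUB + "/resourceGroups/rg1"
RG2 = SUB + "/resourceGroups/rg2"
NEW_RG = SUB + "/resourceGroups/rg-new"


def scenarios(user="user1"):
    """The situations from the question, each reduced to an allowed/denied outcome."""
    out = {}
    # Owner on rg1 only: full control inside rg1, but rg-new is not under rg1.
    a = [RoleAssignment(user, OWNER, RG1)]
    out["owner_on_rg1_creates_rg"] = is_allowed(user, CREATE_RG, NEW_RG, a)
    out["owner_on_rg1_writes_vm_in_rg1"] = is_allowed(user, WRITE_VM, RG1, a)
    # Contributor at the subscription: creates resource groups, cannot hand out roles.
    a = [RoleAssignment(user, CONTRIBUTOR, SUB)]
    out["contributor_creates_rg"] = is_allowed(user, CREATE_RG, NEW_RG, a)
    out["contributor_assigns_roles"] = is_allowed(user, ASSIGN_ROLE, SUB, a)
    # Owner plus Reader at the same scope: the union applies, Reader does not narrow Owner.
    a = [RoleAssignment(user, OWNER, SUB), RoleAssignment(user, READER, SUB)]
    out["owner_plus_reader_writes_vm"] = is_allowed(user, WRITE_VM, RG1, a)
    # Least privilege: custom role at the subscription plus Owner on the user's own group.
    a = [RoleAssignment(user, RG_CREATOR, SUB), RoleAssignment(user, OWNER, RG1)]
    out["custom_creates_rg"] = is_allowed(user, CREATE_RG, NEW_RG, a)
    out["custom_reads_rg2"] = is_allowed(user, READ_VM, RG2, a)
    out["custom_writes_vm_in_rg2"] = is_allowed(user, WRITE_VM, RG2, a)
    out["custom_writes_vm_in_rg1"] = is_allowed(user, WRITE_VM, RG1, a)
    return out
```

Calling scenarios() gives the outcomes the thread argues over: owner_on_rg1_creates_rg is denied because the Owner assignment sits below the scope at which the new group is authorized, contributor_creates_rg is allowed while contributor_assigns_roles is denied by the Contributor NotActions, owner_plus_reader_writes_vm is allowed because assignments only ever add, and the custom-role scenario is the only one that creates resource groups without being able to write into someone else's group. The real service additionally honours deny assignments, which this model leaves out.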
0

"I have been assigned the Owner role on a resource group. I am unable to create a new resource group."

It is by-design behavior, because the Owner permission applies to that resource group, not to the subscription.

If you want to grant create-resource-group permission to that account, we can set it here:

Grant the Owner permission on this subscription to that account; in this way, that account will have permission to create new resource groups.

Note: If we grant Owner permission on this subscription to that account, that account will get all permissions on all resource groups.

Community
Jason Ye