1

  1. A user should be able to read a resource group. Not allowing the user to create/delete a resource group.

    i. I have created a custom role using json script with the following permissions:

    Actions: Microsoft.Resources/subscriptions/resourceGroups/read

NotActions: Microsoft.Resources/subscriptions/resourceGroups/write,
            Microsoft.Resources/subscriptions/resourceGroups/delete

    ii. Added it using PowerShell cmdlet New-AzureRMRoleDefinition. But when I assigned this custom role to a user in IAM, user is still able to create/delete a resource group.

Note: I have used RBAC and IAM services of Azure

Madhur Asati
  • 185
  • 3
  • 13
  • Can you check if this is the only role that is assigned to a user? – trailmax Mar 29 '18 at 09:44
  • @trailmax : this was the custom role which i have tried to create it.As there is as such no built-in role available for restricting the user to create/delete the resource group. – Madhur Asati Mar 29 '18 at 11:17
  • That's not true....You can use built-in `Reader` role and assign that role to the user. – Gaurav Mantri Mar 29 '18 at 11:20
  • @GauravMantri : Reader role will make a user to read the azure portal. I have to restrict the user to specific group which i have assigned to them.Within in that RG user can create their respective services.Hope this would give you a brief idea about the scenario. – Madhur Asati Mar 29 '18 at 11:23
  • So 2 things: 1) The role is not restricted to portal only. It will be enforced when users interact with Azure Subscription using PowerShell or CLI tools. 2) In your scenario, you can use built-in `Contributor` role and assign that role to a user on her/his resource group. Then that user will be able to add/update/delete services in that resource group only. They will not be able to do anything in other resource groups (provided you grant them access to a single resource group). Furthermore, with contributor role, they will not be able to assign roles to other users. HTH. – Gaurav Mantri Mar 29 '18 at 11:28
  • To clarify further, you need to assign role to a user on a specify resource group and not on the entire subscription. – Gaurav Mantri Mar 29 '18 at 11:29
  • @GauravMantri : Can you provide please steps to do it. my mail id is madhur9827@gmail.com ..Thanks in advance. – Madhur Asati Mar 29 '18 at 11:55
  • If you search for “RBAC Azure Portal”, you’ll find tutorials on how to accomplish this. – Gaurav Mantri Mar 29 '18 at 12:04
  • I tried but dint find luck may be i am missing some of the settings in the portal – Madhur Asati Mar 29 '18 at 12:07

1 Answers1

0

Go to resource group blade >> IAM >> Add (at the top of the blade).

Select contributor. Select User. you are done.

4c74356b41
  • 69,186
  • 6
  • 100
  • 141
  • Thanks for the suggestion,I am able to see the specific group assigned to the group but I don't have the permission to create WebAPP due to this error "The subscription ABC Account doesn't have permissions to register the resource provider(s): microsoft.insights.". Also I dont have access to create support. So basically I want to assign full access to the RG for the user but on subscription level the user should have limited access. – Madhur Asati Mar 30 '18 at 07:00
  • support requests are subscription wide permissions, you cant assign those to the resource group. if you did assign the permission and you are getting that error you are doing something wrong. like you are logged in as wrong user or you didnt relogin etc – 4c74356b41 Mar 30 '18 at 07:37
  • As per the above mentioned steps I have done the changes.However i got some success as I was able to assigned group only.As when i went to created webapp, i got an error as mentioned. Note : In the active I have assigned the user as "User" out of Global admin and Limited Access. – Madhur Asati Mar 30 '18 at 09:39