I'm trying to create a custom Azure RM role definition whose scope is some resource groups inside one subscription. I don't want to provide access to the whole subscription or to only one resource group, and I can't specify the list of resource groups because some of them are not created yet. I want to provide access only to some subset of the subscription's resource groups.
For that I use the PowerShell cmdlet
New-AzureRmRoleDefinition -InputFile .\new-role.json
Where the JSON is
{
    "Name": "RoleAssignmentsWriter",
    "Description": "Allow to perform role assignment",
    "Actions": [
        "Microsoft.Authorization/roleAssignments/write"
    ],
    "AssignableScopes": [
        "/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/prefix*"
    ]
}
Where prefix is the common prefix of the existing and future resource group names.
It works if AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx"] (the whole subscription) or if AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/ResourceGroupName"] (a single resource group).
But it doesn't work if I specify AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/prefix*"] or even AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/*"].
One important thing is that I want to create the role definition for resource groups that do not exist yet; they will be created later.
The question is: is it possible to restrict AssignableScopes to only some subset of the subscription's resource groups? Maybe I can use some kind of wildcard within AssignableScopes? A simple star mark doesn't work.
Or maybe I can use resource group tags or something else?
Thank you very much in advance.
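As an added example (not part of the question above, and not Azure's or the asker's code): a small checker that parses a role definition JSON like the one in the question and flags AssignableScopes entries that use wildcard characters or do not match an exact subscription, resource group or management group scope, plus a helper that builds the explicit per-resource-group scope list from a set of group names filtered by prefix. The subscription GUID, the sample group names and the helper name are constructed for the example.

```python
import json
import re

# Constructed sample input: the role definition from the question, with a
# placeholder subscription GUID and the wildcard scope that Azure rejects.
ROLE_JSON = """{
  "Name": "RoleAssignmentsWriter",
  "Description": "Allow to perform role assignment",
  "Actions": ["Microsoft.Authorization/roleAssignments/write"],
  "AssignableScopes": [
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prefix*"
  ]
}"""

# Exact scope forms accepted in AssignableScopes: a subscription, a resource
# group, or a management group. Wildcards are only meaningful in Actions.
_GUID = r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
_SCOPE_PATTERNS = [
    re.compile(rf"^/subscriptions/{_GUID}$"),
    re.compile(rf"^/subscriptions/{_GUID}/resourceGroups/[^/*?]+$"),
    re.compile(r"^/providers/Microsoft\.Management/managementGroups/[^/*?]+$"),
]


def validate_assignable_scopes(role_json: str) -> list[str]:
    """Return a list of problems; an empty list means every scope is exact."""
    role = json.loads(role_json)
    problems = []
    for scope in role.get("AssignableScopes", []):
        if any(ch in scope for ch in "*?"):
            problems.append(f"wildcard not supported in AssignableScopes: {scope}")
        elif not any(p.match(scope) for p in _SCOPE_PATTERNS):
            problems.append(f"unrecognised scope format: {scope}")
    return problems


def expand_prefix_scopes(subscription_id: str, resource_groups: list[str],
                         prefix: str) -> list[str]:
    """Build explicit resource-group scopes for every group whose name starts
    with prefix (constructed helper; the group list would come from an
    inventory of the subscription and must be refreshed when groups are added)."""
    return [f"/subscriptions/{subscription_id}/resourceGroups/{rg}"
            for rg in sorted(resource_groups) if rg.startswith(prefix)]


if __name__ == "__main__":
    for problem in validate_assignable_scopes(ROLE_JSON):
        print(problem)
    print(expand_prefix_scopes("00000000-0000-0000-0000-000000000000",
                               ["prefix-dev", "other", "prefix-prod"], "prefix"))
```

Because the expanded list only covers groups that exist at the time it is built, the role definition has to be updated (and the change audited) each time a new group with the prefix appears.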