
I want a group of people to be able to completely manage a subscription, including managing access to resources within it, except for managing the subscription itself. So (for example) when a new resource group with a storage account is added to the subscription, I want them to automatically (by inheritance) have all rights to the storage account, including the right to give people roles on that storage account. I just don't want them to be able to give other people roles on the subscription itself, so no adding administrators to the subscription etc.

Is a role (or combination of roles) built-in that I can use for that? Will I have to look into creating a custom role, or is what I'm looking for not possible?

standardModel
  • That's not using role assignment directly, but you could look into Azure Automation and trigger a role assignment on resource/resource group creation. – Jul_DW Dec 23 '19 at 13:38
  • Yeah, you could use an Azure Monitor Alert to fire off a runbook\function\webhook on resource group creation. – 4c74356b41 Dec 23 '19 at 13:44

1 Answer

Well, I might be wrong, but I don't see how this could be possible:

  1. You want a user to inherit rights from subscription level (the only way to get rights to a newly created resource group)
  2. You want rights to assign permissions
  3. You want to block rights to assign permissions on subscription level

So, essentially you are asking for 2 things that conflict. This would not be possible even when using Azure Blueprints, because you cannot block inheritance yet. So you cannot block rights on a specific level; you can only block rights on that level and all "downward" levels.

4c74356b41
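A small model of the scope-inheritance rule the answer relies on, added here as an example (not code from the question, the answer or Azure itself): an exclusion via NotActions or a deny at subscription scope also removes the right at every scope below, whereas an Owner assignment created at the new resource group (what the automation approach from the comments would produce) grants it only from that level down. The principal name `alice`, the custom role `SubOwnerNoRoleMgmt`, the placeholder subscription id and the simplified deny-assignment model are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed example scopes (placeholder subscription id, not a real one).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-new"
STORAGE = RG + "/providers/Microsoft.Storage/storageAccounts/stnew"
ASSIGN = "Microsoft.Authorization/roleAssignments/write"

# Owner mirrors the built-in role; SubOwnerNoRoleMgmt is a hypothetical custom
# role. Effective permission of a role = Actions minus that role's NotActions.
ROLES = {
    "Owner": {"Actions": ["*"], "NotActions": []},
    "SubOwnerNoRoleMgmt": {"Actions": ["*"], "NotActions": [ASSIGN]},
}

def in_scope(assignment_scope, target_scope):
    """An assignment applies to its own scope and every scope below it."""
    a, t = assignment_scope.lower(), target_scope.lower()
    return t == a or t.startswith(a + "/")

def matches(patterns, action):
    """Azure action strings are case-insensitive and '*' is the wildcard."""
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def is_allowed(assignments, denies, principal, action, scope):
    """Allowed if some applicable role grants the action and no applicable deny
    blocks it (simplified: deny assignments are modelled as plain action lists)."""
    for d in denies:
        if d["principal"] == principal and in_scope(d["scope"], scope) and matches(d["actions"], action):
            return False
    for asg in assignments:
        if asg["principal"] != principal or not in_scope(asg["scope"], scope):
            continue
        role = ROLES[asg["role"]]
        if matches(role["Actions"], action) and not matches(role["NotActions"], action):
            return True
    return False

def scenario(role, role_scope, deny_scopes=()):
    """Return (can assign roles at the subscription, can assign roles at the storage account)."""
    asgs = [{"principal": "alice", "role": role, "scope": role_scope}]
    denies = [{"principal": "alice", "scope": s, "actions": [ASSIGN]} for s in deny_scopes]
    return tuple(is_allowed(asgs, denies, "alice", ASSIGN, s) for s in (SUB, STORAGE))

if __name__ == "__main__":
    print("custom role at subscription:", scenario("SubOwnerNoRoleMgmt", SUB))  # (False, False)
    print("Owner + deny at subscription:", scenario("Owner", SUB, deny_scopes=[SUB]))  # (False, False)
    print("Owner at the new resource group:", scenario("Owner", RG))  # (False, True)
```

The first two scenarios show the conflict the answer describes: whatever blocks role assignment at the subscription also blocks it on the storage account, because both exclusions and denies inherit downward.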