
I want to create a custom role for developers.


With this custom role the developers should have Contributor access to the resource group "TestRessourceGroup" and all the resources stored in it, but the developers should not have permission to delete this resource group or individual resources within the resource group.

This is what I have so far:

{
  "properties": {
    "roleName": "Contributor without permission to delete resources",
    "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, share image galleries, or delete resources.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "Microsoft.Authorization/*/Delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Blueprint/blueprintAssignments/delete",
          "Microsoft.Compute/galleries/share/action",
          "Microsoft.Resources/subscriptions/resourceGroups/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

The developers should still be able to:

  • delete blobs and containers within a Storage Account
  • delete compute instances or compute clusters within AMLS

What do I need to add so that users with this custom role cannot delete a resource group or individual resources (like Storage Accounts, Databricks, Key Vaults, AMLS, ...) within the resource group, but everything else works like with the normal Contributor access?

Daniel

1 Answer


If you don't want to include resource deletion, the easiest way is to add `*/delete` to the notActions array:

{
  "properties": {
    "roleName": "Contributor without permission to delete resources",
    "description": "Grants full access to manage all resources, but does not allow you to assign roles in Azure RBAC, manage assignments in Azure Blueprints, share image galleries, or delete resources.",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "*"
        ],
        "notActions": [
          "*/delete",
          "Microsoft.Authorization/*/Write",
          "Microsoft.Authorization/elevateAccess/Action",
          "Microsoft.Blueprint/blueprintAssignments/write",
          "Microsoft.Compute/galleries/share/action"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

You could then have another role to allow users to delete resources inside the Machine Learning workspace:

{
  "properties": {
    "roleName": "Allow ML workspace resources deletion",
    "description": "",
    "assignableScopes": [
      "/"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.MachineLearningServices/workspaces/*/delete"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}

If you create an AAD group and assign these two roles to the group, it should work.

Thomas
  • No, I do not think that this will solve the issue, because this will interfere with "Microsoft.MachineLearningServices/workspaces/*/delete" and "Microsoft.MachineLearningServices/workspaces/computes/*/delete" – Daniel Aug 05 '22 at 04:53
  • You said you don't want people to delete anything? Should they be able to delete some resources? – Thomas Aug 05 '22 at 04:55
  • They should not be able to delete Azure resources, like AMLS, Storage Account, Databricks, Key Vault, ..., but they should be able to delete computes and clusters within AMLS. – Daniel Aug 05 '22 at 05:01
  • Could you please edit your answer with the additional information? – Thomas Aug 05 '22 at 05:15
  • You are right! I will do this! – Daniel Aug 05 '22 at 05:23
  • Also, have you checked the `AzureML Data Scientist` built-in role: https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#azureml-data-scientist ? – Thomas Aug 08 '22 at 04:28
  • We did, but we decided that we need Contributor access without the permission to delete a resource group or individual resources (like Storage Accounts, Databricks, Key Vaults, AMLS, ...) within the resource group. – Daniel Aug 08 '22 at 06:34
  • @Daniel let me know if my new answer makes sense for you – Thomas Aug 08 '22 at 06:51
  • Sorry, it does not – Daniel Aug 08 '22 at 19:59
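The disagreement in the comments comes down to how Azure RBAC evaluates a role definition: NotActions are subtracted from Actions inside the same role definition only, they are not deny rules, and when a principal holds several role assignments the resulting permission sets are unioned. That is why the second role in the answer gives the `*/delete` exclusion of the first role back for Machine Learning child resources. The script below is an added worked example, not code from the question or the answer: it encodes those documented evaluation rules and runs the two role definitions from the answer against a constructed list of control-plane operations, so the JSON can be sanity-checked offline before it is created with `az role definition create --role-definition @role.json`. Two assumptions are labelled in the code: `*` is treated as matching any run of characters including `/` (which is how `*/delete` has to behave for the answer's approach to work at all; the edge case of `workspaces/*/delete` versus `workspaces/delete` should still be confirmed against the service), and `assignableScopes` is shown with a placeholder resource-group scope, because Azure does not accept the root scope `/` for custom roles.

```python
"""Offline evaluation of effective Azure RBAC control-plane permissions.

Encodes the documented evaluation rules for role definitions:
  * one role grants an operation if it matches some Action and no NotAction
    of that same role (NotActions are a subtraction, not a deny);
  * several assignments to one principal are additive (union).
The two role definitions are copied from the answer above. Scopes are not
evaluated here; assignableScopes carries a placeholder instead of "/".
"""
import json
import re

# Assumption: '*' matches any run of characters, '/' included, the match is
# case-insensitive and must cover the whole operation string.
def matches(pattern: str, operation: str) -> bool:
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def role_allows(role: dict, operation: str) -> bool:
    """Within one role definition: (Actions) minus (NotActions)."""
    perms = role["properties"]["permissions"]
    granted = any(matches(p, operation) for perm in perms for p in perm["actions"])
    excluded = any(matches(p, operation) for perm in perms for p in perm["notActions"])
    return granted and not excluded


def effective_allows(roles: list, operation: str) -> bool:
    """Across all role assignments held by the principal: union of results."""
    return any(role_allows(r, operation) for r in roles)


def check_operations(roles: list, operations: list) -> dict:
    """Map each operation to whether the combined assignments permit it."""
    return {op: effective_allows(roles, op) for op in operations}


# Placeholder scope (assumption): a real role needs a subscription, resource
# group or management group here; Azure rejects "/" for custom roles.
SCOPE = "/subscriptions/<subscription-id>/resourceGroups/TestRessourceGroup"

NO_DELETE_CONTRIBUTOR = json.loads(f"""
{{
  "properties": {{
    "roleName": "Contributor without permission to delete resources",
    "assignableScopes": ["{SCOPE}"],
    "permissions": [{{
      "actions": ["*"],
      "notActions": [
        "*/delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Compute/galleries/share/action"
      ],
      "dataActions": [],
      "notDataActions": []
    }}]
  }}
}}""")

ML_CHILD_DELETE = json.loads(f"""
{{
  "properties": {{
    "roleName": "Allow ML workspace resources deletion",
    "assignableScopes": ["{SCOPE}"],
    "permissions": [{{
      "actions": ["Microsoft.MachineLearningServices/workspaces/*/delete"],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }}]
  }}
}}""")

ROLES = [NO_DELETE_CONTRIBUTOR, ML_CHILD_DELETE]

# Constructed sample of control-plane operations a developer might attempt.
OPERATIONS = [
    "Microsoft.Storage/storageAccounts/write",                      # keep: normal Contributor work
    "Microsoft.Storage/storageAccounts/delete",                     # block: resource deletion
    "Microsoft.KeyVault/vaults/delete",                             # block
    "Microsoft.Resources/subscriptions/resourceGroups/delete",      # block: the resource group itself
    "Microsoft.Authorization/roleAssignments/write",                # block: no RBAC changes
    "Microsoft.Authorization/roleAssignments/delete",               # block: covered by */delete
    "Microsoft.MachineLearningServices/workspaces/computes/delete", # allow: added back by 2nd role
    "Microsoft.MachineLearningServices/workspaces/delete",          # block: workspace is not a child
    "Microsoft.Storage/storageAccounts/listKeys/action",            # allowed: see caveat below
]

if __name__ == "__main__":
    for op, allowed in check_operations(ROLES, OPERATIONS).items():
        print(f"{'ALLOW' if allowed else 'deny ':5} {op}")
```

The last operation in the list is the caveat a reviewer should raise before accepting this design: `*/delete` only removes control-plane deletes. Because `Microsoft.Storage/storageAccounts/listKeys/action` is still granted by `*`, a developer can fetch the account keys and delete blobs and containers through the data plane anyway, which happens to satisfy the question's requirement for blobs but means the role does not stop data loss inside a storage account. If deleting the resources themselves must be prevented regardless of how many roles a principal accumulates, a resource lock (CanNotDelete) on the resource group is the mechanism that is not undone by an additional role assignment.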