0

I have a requirement to customize the contributor role at Azure Subscription level, such that, people added to that customized contributor role can NOT view or read the data from the storage account (under that subscription).

This is how i'm doing this:

Step1 Clone Subscription contributor Basic

Step2 Permission

Step3 ( Actions shows * ) JSON

Review and Create

This MSFT link does NOT show me the JSON details that can be removed or added so that the read access to the storage account can be blocked.

Hence, I'm trying below ways to customize this (two assignable scopes to cover subscription as well as block viewing the storage data):

2 assignable scope

Note, The idea is to People need a contributor role to manage the subscription. However, they MUST NOT view the data from the storage under this particular subscription.

I think this is not the right approach. Are there any other ways to achieve this? Thanks.

AskMe
  • 2,495
  • 8
  • 49
  • 102

2 Answers2

0

If you want to create a custom role, then you should have a look at the resource provider operations. From there, you can see all the available actions per resource provider.

You would probably be interested in the DataActions such as Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read and others depending on what you want to filter out.

Jul_DW
  • 1,036
  • 6
  • 20
0

If you want to block particularly Azure Storage under Subscription Scope Level.

Kindly Exclude Azure Storage under Add Permission Section in order to block Azure Storage only while creating RBAC Role

Jinnyroy
  • 15
  • 6