Create a custom role to deny access to resources
- NotActions: To explicitly deny permission at a particular scope
- Examples:
{
  "properties": {
    "roleName": "qt vm reader",
    "description": "vm reader for the quality thought",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/*/read"
        ],
        "notActions": [
          "Microsoft.Compute/*/write",
          "Microsoft.Compute/*/delete",
          "Microsoft.Compute/*/action"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
- With the assignable scope set to a resource group:
{
  "properties": {
    "roleName": "qt test",
    "description": "vm test for the quality thought",
    "assignableScopes": [
      "/subscriptions/*/resourceGroups/linuxlearning"
    ],
    "permissions": [
      {
        "actions": ["*"],
        "notActions": [
          "Microsoft.Compute/*",
          "Microsoft.Network/*"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
- Exercise: Create a custom role for a resource group that allows network and storage access but denies virtual machine access, and test the access.
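An added example, not from the original page: a small offline model of how Azure RBAC evaluates the two role definitions above. It shows that notActions only subtracts from the same role's actions, so a second role assignment on the same principal can still grant an excluded operation. The probed operation names are sample inputs chosen for this example, and deny assignments and conditions are not modelled.

```python
import re

# Permissions blocks copied from the two role definitions on this page.
QT_VM_READER = {
    "actions": ["Microsoft.Compute/*/read"],
    "notActions": ["Microsoft.Compute/*/write", "Microsoft.Compute/*/delete",
                   "Microsoft.Compute/*/action"],
}
QT_TEST = {"actions": ["*"],
           "notActions": ["Microsoft.Compute/*", "Microsoft.Network/*"]}

# Sample operations to probe (chosen for this example).
PROBES = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Storage/storageAccounts/read",
]

def matches(pattern, operation):
    """Case-insensitive match where '*' stands for any run of characters."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_grants(role, operation):
    """One role grants an operation if actions match and notActions do not."""
    allowed = any(matches(p, operation) for p in role["actions"])
    excluded = any(matches(p, operation) for p in role.get("notActions", []))
    return allowed and not excluded

def principal_allowed(roles, operation):
    """Effective access is the union of what each assigned role grants."""
    return any(role_grants(r, operation) for r in roles)

def redundant_not_actions(role, probes):
    """notActions entries that remove nothing the role's actions grant,
    judged only against the given probe operations."""
    def removes_something(pattern):
        return any(matches(pattern, op) and
                   any(matches(a, op) for a in role["actions"]) for op in probes)
    return [p for p in role.get("notActions", []) if not removes_something(p)]

if __name__ == "__main__":
    for op in PROBES:
        print(f"{op:50} qt test={role_grants(QT_TEST, op)!s:5} "
              f"both roles={principal_allowed([QT_TEST, QT_VM_READER], op)}")
    print("redundant in qt vm reader:", redundant_not_actions(QT_VM_READER, PROBES))
```

For the probed operations, every notActions entry in "qt vm reader" is reported as redundant, because the role's only action pattern ends in `/read` and never grants write, delete or action operations in the first place.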