Azure Classroom Series – 02/Aug/2020

Create a custom role to deny access to resources

  • NotActions: To explicitly deny permission at a particular scope
  • Examples are
{
  "properties": {
    "roleName": "qt vm reader",
    "description": "vm reader for the quality thought",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/*/read"
        ],
        "notActions": [
          "Microsoft.Compute/*/write",
          "Microsoft.Compute/*/delete",
          "Microsoft.Compute/*/action"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
  • With the assignable scope set to a resource group:
{
  "properties": {
    "roleName": "qt test",
    "description": "vm test for the quality thought",
    "assignableScopes": [
      "/subscriptions/*/resourceGroups/linuxlearning"
    ],
    "permissions": [
      {
        "actions": ["*"],
        "notActions": [
          "Microsoft.Compute/*",
          "Microsoft.Network/*"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
  • Exercise: Create a custom role for a resource group that allows network and storage access but denies virtual machine access, and ensure you test the access.
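
An added example (not part of the original post) that models how the two role definitions above are evaluated: a role grants its Actions minus its NotActions, and role assignments are additive, so an operation listed in notActions is still allowed when another role assigned to the same user grants it. The wildcard matcher, the BROAD_ROLE definition and the sample operations are constructed for illustration; scope evaluation (assignableScopes) is not modelled.

```python
import re

# Permissions copied from the two role definitions on this page.
QT_VM_READER = {"actions": ["Microsoft.Compute/*/read"],
                "notActions": ["Microsoft.Compute/*/write",
                               "Microsoft.Compute/*/delete",
                               "Microsoft.Compute/*/action"]}
QT_TEST = {"actions": ["*"],
           "notActions": ["Microsoft.Compute/*", "Microsoft.Network/*"]}
# Constructed for illustration: a second, broad role assigned to the same user.
BROAD_ROLE = {"actions": ["*"], "notActions": []}

# Constructed sample operations to evaluate.
OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.Storage/storageAccounts/read",
]

def matches(pattern, operation):
    """'*' matches any run of characters; comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_allows(role, operation):
    """One role grants an operation if Actions match and NotActions do not."""
    granted = any(matches(p, operation) for p in role["actions"])
    excluded = any(matches(p, operation) for p in role["notActions"])
    return granted and not excluded

def principal_allows(roles, operation):
    """Assignments are additive: one role granting the operation is enough."""
    return any(role_allows(role, operation) for role in roles)

def access_matrix(roles):
    """Map each sample operation to the allow/deny outcome for these roles."""
    return {op: principal_allows(roles, op) for op in OPERATIONS}

if __name__ == "__main__":
    for label, roles in [("qt vm reader", [QT_VM_READER]),
                         ("qt test", [QT_TEST]),
                         ("qt test + broad role", [QT_TEST, BROAD_ROLE])]:
        print(label)
        for op, allowed in access_matrix(roles).items():
            print(f"  {'ALLOW' if allowed else 'deny ':5}  {op}")
```

When testing the exercise role, check the user's other role assignments at the resource group and its parent scopes as well, since any of them can grant what this role excludes.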
