Azure Classroom Series – 02/Aug/2020

Create a custom role to deny access to resources

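  • NotActions: To exclude permissions from the role at a particular scope. The listed operations are subtracted from what the role's actions grant. This is not a deny rule: an operation excluded here is still allowed if another role assigned to the same user grants it.
  • Examples: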
{
  "properties": {
    "roleName": "qt vm reader",
    "description": "vm reader for the quality thought",
    "assignableScopes": [],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/*/read"
        ],
        "notActions": [
          "Microsoft.Compute/*/write",
          "Microsoft.Compute/*/delete",
          "Microsoft.Compute/*/action"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
  • With the assignable scope set to a resource group:
{
  "properties": {
    "roleName": "qt test",
    "description": "vm test for the quality thought",
    "assignableScopes": [
      "/subscriptions/*/resourceGroups/linuxlearning"
    ],
    "permissions": [
      {
        "actions": ["*"],
        "notActions": [
          "Microsoft.Compute/*",
          "Microsoft.Network/*"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
  • Exercise: Create a custom role for a resource group that allows network and storage access but denies virtual machine access, and make sure you test the access.
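
The following Python sketch is an added example, not part of the original post or of any Azure tooling. It evaluates the two role definitions above the way Azure RBAC combines them (each role grants its actions minus its notActions, and role assignments add up), which shows that "qt test" on its own gives no virtual machine access, while adding "qt vm reader" to the same user restores read access. The function names and sample operations are constructed for illustration; scope and deny assignments are not modelled.

```python
import re

# Role definitions copied from the two JSON examples above (permissions only).
QT_VM_READER = {"actions": ["Microsoft.Compute/*/read"],
                "notActions": ["Microsoft.Compute/*/write",
                               "Microsoft.Compute/*/delete",
                               "Microsoft.Compute/*/action"]}
QT_TEST = {"actions": ["*"],
           "notActions": ["Microsoft.Compute/*", "Microsoft.Network/*"]}

def matches(pattern, operation):
    """Wildcard match for an operation string: '*' matches any run of
    characters and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None

def role_grants(role, operation):
    """A single role grants its actions minus its notActions."""
    granted = any(matches(p, operation) for p in role["actions"])
    excluded = any(matches(p, operation) for p in role["notActions"])
    return granted and not excluded

def is_allowed(assigned_roles, operation):
    """Role assignments are additive: one granting role is enough.
    Assumption: every role is assigned at the same scope and no deny
    assignment exists; neither is modelled here."""
    return any(role_grants(role, operation) for role in assigned_roles)

def access_report(assigned_roles, operations):
    """Map each operation to True (allowed) or False (not granted)."""
    return {op: is_allowed(assigned_roles, op) for op in operations}

# Constructed sample operations to check against the roles.
SAMPLE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Network/virtualNetworks/write",
    "Microsoft.Storage/storageAccounts/read",
]

if __name__ == "__main__":
    cases = {"qt test only": [QT_TEST],
             "qt test + qt vm reader": [QT_TEST, QT_VM_READER]}
    for label, roles in cases.items():
        print(label)
        for op, ok in access_report(roles, SAMPLE_OPERATIONS).items():
            print(f"  {'ALLOW' if ok else 'no grant':8}  {op}")
```

When testing a custom role as the exercise asks, check every role assigned to the test user, not only the new one, since any other assignment can grant what this role leaves out.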
