Azure Classroomnotes 14/Apr/2022

Activity 5: Create a custom role for the following scenario

  • Create a policy where the user can perform:
    • any storage account action, but not delete the storage account;
    • any action on a virtual machine, but not delete the virtual machine.
  • The policy created is as shown below
{
    "properties": {
        "roleName": "activity",
        "description": "Learning activity",
        "assignableScopes": [
            "/subscriptions/<subscription-id>"
        ],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.Insights/diagnosticSettings/*",
                    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
                    "Microsoft.ResourceHealth/availabilityStatuses/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Storage/storageAccounts/*",
                    "Microsoft.Support/*"
                ],
                "notActions": [
                    "Microsoft.Storage/storageAccounts/delete"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}
  • Refer Here for the above policy.
  • Can you expand this policy to include any operation on a virtual machine while not granting access to delete the virtual machine? Refer Here for the changes done.
  • Data Actions: these permissions specify which operations the role allows on the data held inside an object.
  • Not Data Actions: these subtract permissions from the role, excluding the listed data actions from what it grants.
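The following is an added example, not code from the classroom notes. It loads the role definition above as a Python dict, applies the expansion the exercise asks for (the Microsoft.Compute virtual machine operations are real Azure provider operation names; that they are the complete intended answer is an assumption), and evaluates sample operations against the role the way Azure RBAC combines actions and notActions: an operation is granted when a permission block lists it under actions and does not list it under notActions. The evaluation is a simplified model of control-plane checks only (scope, data actions and deny assignments are left out).

```python
import copy
import re

# Role definition from the notes (storage part). The subscription id is
# the same placeholder as on the page.
BASE_ROLE = {
    "properties": {
        "roleName": "activity",
        "description": "Learning activity",
        "assignableScopes": ["/subscriptions/<subscription-id>"],
        "permissions": [
            {
                "actions": [
                    "Microsoft.Authorization/*/read",
                    "Microsoft.Insights/alertRules/*",
                    "Microsoft.Insights/diagnosticSettings/*",
                    "Microsoft.Network/virtualNetworks/subnets/joinViaServiceEndpoint/action",
                    "Microsoft.ResourceHealth/availabilityStatuses/read",
                    "Microsoft.Resources/deployments/*",
                    "Microsoft.Resources/subscriptions/resourceGroups/read",
                    "Microsoft.Storage/storageAccounts/*",
                    "Microsoft.Support/*",
                ],
                "notActions": ["Microsoft.Storage/storageAccounts/delete"],
                "dataActions": [],
                "notDataActions": [],
            }
        ],
    }
}


def expand_for_vms(role):
    """Return a copy of the role that also covers virtual machines except
    delete. Assumed answer to the exercise in the notes: grant the whole
    Microsoft.Compute/virtualMachines namespace, then subtract delete."""
    expanded = copy.deepcopy(role)
    perm = expanded["properties"]["permissions"][0]
    perm["actions"].append("Microsoft.Compute/virtualMachines/*")
    perm["notActions"].append("Microsoft.Compute/virtualMachines/delete")
    return expanded


def _matches(pattern, operation):
    # Azure operation patterns use '*' as a wildcard for any run of
    # characters and are compared case-insensitively.
    regex = "^" + re.escape(pattern).replace(r"\*", ".*") + "$"
    return re.match(regex, operation, re.IGNORECASE) is not None


def is_allowed(role, operation):
    """Evaluate one control-plane operation against one role definition.
    Granted when some permission block matches it in `actions` and does
    not match it in `notActions`."""
    for perm in role["properties"]["permissions"]:
        granted = any(_matches(p, operation) for p in perm.get("actions", []))
        excluded = any(_matches(p, operation) for p in perm.get("notActions", []))
        if granted and not excluded:
            return True
    return False


def is_allowed_by_any(roles, operation):
    """Effective permission across every role assigned to a principal is
    the union of the roles: a notAction in one role does not block an
    operation that another assigned role grants."""
    return any(is_allowed(r, operation) for r in roles)


if __name__ == "__main__":
    vm_role = expand_for_vms(BASE_ROLE)
    for op in [
        "Microsoft.Storage/storageAccounts/write",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Authorization/roleAssignments/write",
    ]:
        print(f"{op}: {is_allowed(vm_role, op)}")
```

The `is_allowed_by_any` helper makes the practical point explicit: notActions only narrow this role, they are not a deny. If the same user also holds a role that grants the delete operation, the delete goes through, so check the user's full set of assignments rather than a single role definition.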

About continuous learner

devops & cloud enthusiastic learner