RBAC Contd
- `notActions` lists the operations that are subtracted from the role's `actions`; these are the operations the user is effectively denied. Note that `notActions` is not a deny assignment: if another role assigned to the same principal grants the operation, it stays allowed.

- Starting from the role above, removing the `notActions` entries gives the admin role:
- JSON

```json
{
  "id": "<your-id>",
  "properties": {
    "roleName": "admin",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<your-subscription>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/*",
          "Microsoft.Network/*",
          "Microsoft.Storage/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
- The read-only variant, `tester`, uses `*/read` patterns so it can list and inspect compute, network and storage resources but not change them (the assignable scope must be the full `/subscriptions/...` resource id):

```json
{
  "id": "<your-id>",
  "properties": {
    "roleName": "tester",
    "description": "",
    "assignableScopes": [
      "/subscriptions/<your-subscription>"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/*/read",
          "Microsoft.Network/*/read",
          "Microsoft.Storage/*/read",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
- Create a custom role called `storageadmin` that can:
  - read anything (compute, network and storage)
  - write (update, delete) on storage

```json
{
  "properties": {
    "roleName": "storageadmin",
    "description": "",
    "assignableScopes": [
      "/subscriptions/20424120-c2c1-4a08-8563-c7f7b6401ed3"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/*/read",
          "Microsoft.Network/*/read",
          "Microsoft.Storage/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
- I want to create a role which allows users to do everything on Azure Kubernetes Service except delete the cluster, and gives read permission on everything else. `*/read` covers the read side, `Microsoft.ContainerService/*` grants all AKS operations, and `notActions` carves the cluster delete back out:

```json
{
  "properties": {
    "roleName": "experiment",
    "description": "",
    "assignableScopes": [
      "/subscriptions/20424120-c2c1-4a08-8563-c7f7b6401ed3"
    ],
    "permissions": [
      {
        "actions": [
          "*/read",
          "Microsoft.ContainerService/*",
          "Microsoft.Resources/subscriptions/resourceGroups/read",
          "Microsoft.Resources/subscriptions/resourceGroups/moveResources/action",
          "Microsoft.Resources/subscriptions/resourceGroups/write",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
          "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
          "Microsoft.Resources/subscriptions/resourcegroups/resources/read"
        ],
        "notActions": [
          "Microsoft.ContainerService/managedClusters/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
```
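To check what a custom role definition actually permits before assigning it, the following added example (not part of these notes) evaluates operations against the AKS role above the way Azure resolves `actions` minus `notActions`: `*` matches any run of characters including `/`, comparison is case-insensitive, and the whole operation name must match. The role JSON is embedded as a constructed copy with the subscription id replaced by a placeholder.

```python
import json
import re

# Constructed copy of the AKS role from the notes; subscription id is a placeholder.
AKS_ROLE = json.loads("""
{
  "properties": {
    "roleName": "experiment",
    "assignableScopes": ["/subscriptions/<your-subscription>"],
    "permissions": [{
      "actions": ["*/read", "Microsoft.ContainerService/*"],
      "notActions": ["Microsoft.ContainerService/managedClusters/delete"],
      "dataActions": [],
      "notDataActions": []
    }]
  }
}
""")


def matches(pattern: str, operation: str) -> bool:
    """Azure action pattern match: '*' spans any characters (including '/'),
    case-insensitive, and the pattern must cover the whole operation string."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """Effective control-plane permission of one role definition:
    union of all 'actions' minus union of all 'notActions'.
    notActions only subtracts from this role; it is not a deny assignment."""
    perms = role["properties"]["permissions"]
    granted = any(matches(p, operation) for perm in perms for p in perm["actions"])
    excluded = any(matches(p, operation) for perm in perms for p in perm["notActions"])
    return granted and not excluded


def excluded_by(role: dict, operation: str) -> list:
    """Which notActions patterns (if any) remove this operation; useful when auditing."""
    perms = role["properties"]["permissions"]
    return [p for perm in perms for p in perm["notActions"] if matches(p, operation)]


if __name__ == "__main__":
    for op in ("Microsoft.ContainerService/managedClusters/write",
               "Microsoft.ContainerService/managedClusters/delete",
               "Microsoft.Compute/virtualMachines/read",
               "Microsoft.Compute/virtualMachines/delete"):
        print(f"{op}: {'allowed' if is_allowed(AKS_ROLE, op) else 'not allowed'}",
              excluded_by(AKS_ROLE, op))
```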
- Next Steps:
- Azure Management Groups
