Let's create custom roles
Let's create a custom role: Azure Virtual Machine Read-only Permissions
- Scope: Subscription
{
  "properties": {
    "roleName": "marchroles",
    "description": "",
    "assignableScopes": [
      "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/*/read"
        ],
        "notActions": [],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
- Any action on virtual machines except delete
{
  "properties": {
    "roleName": "marchroles",
    "description": "",
    "assignableScopes": [
      "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Compute/*"
        ],
        "notActions": [
          "*/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
- Any permission on storage accounts except delete, plus read permission on all services
{
  "properties": {
    "roleName": "marchroles",
    "description": "",
    "assignableScopes": [
      "/subscriptions/7ee23928-6bf0-4a1b-8e1d-b854f8f98d81"
    ],
    "permissions": [
      {
        "actions": [
          "Microsoft.Storage/*",
          "*/read"
        ],
        "notActions": [
          "*/delete"
        ],
        "dataActions": [],
        "notDataActions": []
      }
    ]
  }
}
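As an added example (not part of the original notes), here is a small Python checker that evaluates the effective permissions of the three role definitions above using Azure's wildcard and NotActions semantics, so you can verify what a role really allows before assigning it. The short role labels and the list of operations are my own constructed values.

```python
import re

# Permissions of the three custom roles defined above (constructed inline so
# the script runs offline; the short role labels are my own, not Azure's).
ROLES = {
    "vm-readonly": {"actions": ["Microsoft.Compute/*/read"], "notActions": []},
    "vm-no-delete": {"actions": ["Microsoft.Compute/*"], "notActions": ["*/delete"]},
    "storage-no-delete-read-all": {
        "actions": ["Microsoft.Storage/*", "*/read"],
        "notActions": ["*/delete"],
    },
}

def matches(pattern: str, operation: str) -> bool:
    """Azure-style wildcard match: '*' matches any run of characters, including
    '/' (so 'Microsoft.Compute/*/read' also covers nested resource types).
    Operation names are compared case-insensitively, as Azure does."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None

def is_allowed(role: dict, operation: str) -> bool:
    """Effective control-plane permission = Actions minus NotActions.
    NotActions only subtracts from what this role's Actions granted; it never
    denies an operation granted by a different role assignment."""
    granted = any(matches(p, operation) for p in role["actions"])
    excluded = any(matches(p, operation) for p in role["notActions"])
    return granted and not excluded

def audit(role: dict, operations) -> dict:
    """Map each operation to whether the role permits it."""
    return {op: is_allowed(role, op) for op in operations}

if __name__ == "__main__":
    # Constructed sample operations, including one a wildcard quietly grants:
    # 'Microsoft.Storage/*' includes listKeys/action, which returns the account
    # keys and therefore full data-plane access, even though delete is excluded.
    checks = [
        "Microsoft.Compute/virtualMachines/read",
        "Microsoft.Compute/virtualMachines/delete",
        "Microsoft.Compute/virtualMachines/powerOff/action",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Network/virtualNetworks/read",
    ]
    for name, role in ROLES.items():
        print(name)
        for op, ok in audit(role, checks).items():
            print(f"  {'ALLOW' if ok else 'deny '} {op}")
```

Run it against a real role definition by loading the `permissions[0]` object from the JSON above in place of the constructed `ROLES` entries; any wildcard that allows more than you intended shows up as an unexpected ALLOW.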
Find out what conditions are available in Azure custom roles. Note that in Azure RBAC, attribute-based (ABAC) conditions are attached to role assignments rather than to role definitions, and apply to data actions; the block below sketches a location-based condition on a role definition for illustration.
{
  "Name": "Custom AKS Role for East US",
  "IsCustom": true,
  "Description": "Custom role to provide access to AKS resources in East US region.",
  "Actions": [
    "Microsoft.ContainerService/managedClusters/read",
    "Microsoft.ContainerService/managedClusters/write",
    "Microsoft.ContainerService/managedClusters/delete",
    "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action",
    "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscription-id}"
  ],
  "Condition": {
    "AllOf": [
      {
        "Field": "location",
        "Equals": "eastus"
      }
    ]
  }
}
