Tags: azure, powershell, rbac

Azure custom RM role definition with special AssignableScopes


I'm trying to create a custom Azure RM role definition whose scope is some resource groups inside one subscription. I don't want to provide access to the whole subscription or to only one resource group, and I can't specify the list of resource groups because some of them are not created yet. I want to provide access only to some subset of the subscription's resource groups.

For that I use the PowerShell cmdlet

New-AzureRmRoleDefinition -InputFile .\new-role.json

Where JSON is

{
  "Name": "RoleAssignmentsWriter",
  "Description": "Allow to perform role assignment",
  "Actions": [
    "Microsoft.Authorization/roleAssignments/write"
  ],
  "AssignableScopes": [
    "/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/prefix*"
  ]
}

Where prefix is the common prefix of the existing and future resource group names.

It works if AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx"] (the whole subscription) or if AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/ResourceGroupName"] (a single resource group).

But it doesn't work if I specify AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/prefix*"] or even AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/*"].

One important thing is that I want to create the role definition for resource groups that do not exist yet; they will be created later.

The question is: is it possible to specify AssignableScopes for only some subset of the subscription's resource groups? Maybe I can use some kind of wildcard within AssignableScopes? A simple star doesn't work. Or maybe I can use resource group tags or something else?

Thank you very much in advance.


Solution

  • is it possible to specify AssignableScopes to only some subset of subscription resource groups? Maybe I can use some kind of wildcard within AssignableScopes?

    AFAIK, you cannot use a wildcard within assignableScopes. The New-AzureRmRoleDefinition PowerShell command essentially calls the Role Definitions - Create Or Update REST API, and assignableScopes only accepts three types; refer to this link.


    If you want to specify AssignableScopes for only some subset of subscription resource groups, you need to specify them one by one in the assignableScopes, like

     "assignableScopes": [
          "/subscriptions/{subscriptionId}/resourceGroups/myresourcegroup1",
          "/subscriptions/{subscriptionId}/resourceGroups/myresourcegroup2",
          "/subscriptions/{subscriptionId}/resourceGroups/myresourcegroup3"
        ]
    

    Or maybe I can use resource group tags or something else?

    No, the possible properties are all listed in the REST API doc; there are no other ones.
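Since the scopes have to be listed one by one, the practical workaround for groups that do not exist yet is to regenerate the list from the resource groups that currently match the prefix and re-run the script whenever a new group is created, so the role never becomes assignable more widely than the enumerated groups. This is an added example, not code from the question or the answer; it assumes an AzureRM session is already signed in, reuses the role name from the question, and treats `prefix` as a placeholder.

```powershell
# Added example: build AssignableScopes from the resource groups that match a
# prefix right now, then create the custom role or update it if it already exists.
# Assumes Login-AzureRmAccount has already been run; $Prefix is a placeholder.
param(
    [string]$Prefix   = 'prefix',                 # placeholder, as in the question
    [string]$RoleName = 'RoleAssignmentsWriter',
    [string]$OutFile  = '.\new-role.json'
)

$subscriptionId = (Get-AzureRmContext).Subscription.Id

# Enumerate the resource groups that exist today and match the prefix.
# Groups created later are not covered until this script is run again.
$scopes = Get-AzureRmResourceGroup |
    Where-Object { $_.ResourceGroupName -like "$Prefix*" } |
    ForEach-Object { "/subscriptions/$subscriptionId/resourceGroups/$($_.ResourceGroupName)" }

if (-not $scopes) {
    throw "No resource groups starting with '$Prefix' found; a role definition needs at least one assignable scope."
}

# Existing definition (if any); Set-AzureRmRoleDefinition needs its Id in the JSON.
$existing = Get-AzureRmRoleDefinition -Name $RoleName

$role = [ordered]@{
    Name             = $RoleName
    Description      = 'Allow to perform role assignment'
    Actions          = @('Microsoft.Authorization/roleAssignments/write')
    NotActions       = @()
    AssignableScopes = @($scopes)   # @() keeps a single match serialized as a list
}
if ($existing) { $role.Id = $existing.Id }

$role | ConvertTo-Json -Depth 4 | Set-Content -Path $OutFile -Encoding UTF8

if ($existing) {
    Set-AzureRmRoleDefinition -InputFile $OutFile
} else {
    New-AzureRmRoleDefinition -InputFile $OutFile
}
```

Run it again after each new prefixed resource group is created (for example from the pipeline that creates the group) so the role's scopes track the actual set of groups instead of drifting to a subscription-wide grant.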