Tags: azure, azure-policy, azure-rbac, azure-blueprints

Restricting Tag Editing, while being Owner of Resource Group


Hi everyone, I have a subscription where I want to create "sandbox" environments for people. My goal is to give folks a resource group, and make them owner of the Resource Group. They can do anything they want in this little resource group, but not touch anything outside of it in the subscription. Sure, there are some limitations on the resources they can deploy, but for my purpose this is an acceptable solution.

My automated process would create an RG and then add some tags to it: who owns it (email) and when it was created (created-on date). After 30 days, I want to go through and toast any resource group that is 30 days old. Access to this environment is time limited. I figure I can read the tag and delete based on the tag date.

I need a way to prevent the owner of the RG from editing the tag in any way.

Enter Custom Role - Resource Group Owner

{
    "id": "/subscriptions/<sub-guid>/providers/Microsoft.Authorization/roleDefinitions/1cae04e5-3bd2-4d8d-9c3b-ef5bd8e58408",
    "properties": {
        "roleName": "Resource Group Owner",
        "description": "Assigned at the RG level owns everything within the RG, with the exception of editing tags.",
        "assignableScopes": [
            "/subscriptions/<sub-guid>"
        ],
        "permissions": [
            {
                "actions": [
                    "*"
                ],
                "notActions": [
                    "Microsoft.Resources/tags/write",
                    "Microsoft.Resources/tags/delete"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

According to documentation, this is correct. I have specified the actions allowed, and then added the excluded actions, which should be subtracted from the allowed actions, on the scope assigned (in this case the resource group). I don't care if they can add or delete tags on resources within the RG, I just don't want them to mess with the RG tags.

With this role assigned to a user they can only see the RG in the subscription they've been assigned, but they can still edit the tags assigned to it.

What am I doing wrong?

I have looked into deny assignment with Azure Blueprints, but there's no example of how to create a deny assignment anywhere. There's docs on the properties but nothing that shows what it looks like in the blueprint.

Thanks for the help.


Solution

Although you put Microsoft.Resources/tags/write and Microsoft.Resources/tags/delete in the notActions, there is another resource provider operation, Microsoft.Resources/subscriptions/resourceGroups/write, which allows the user to edit tags.

You need to put it into notActions as well.

Although the documentation states that Microsoft.Resources/subscriptions/resourceGroups/write "Creates or updates a resource group", I can still create any other Azure resources in this resource group.

From my test results, I think the restricted part is only updating the resource group itself.

You can give it a try to see if it meets your requirement.
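The role definition in the question and the extra notActions entry from the answer can be checked offline before anything is assigned. The following is an added example, not code from the question, the answer or Azure itself. It models the documented Azure RBAC evaluation for management-plane operations: each role assignment contributes its Actions minus its own NotActions, a `*` in an action string matches any characters (including `/`), matching ignores case, and an operation is permitted when any assignment in scope contributes it. The abbreviated Contributor definition, the placeholder subscription id and the resource group description are assumptions for the demo.

```python
"""Offline check of what a custom Azure role grants before you assign it.

Added example, not code from the question or the answer. Nothing here
talks to Azure; it only evaluates role definitions the way the RBAC
documentation describes for control-plane operations.
"""
import json
from fnmatch import fnmatchcase

# Role from the question: everything except the two tag operations.
ORIGINAL_ROLE = {
    "Name": "Resource Group Owner",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Resources/tags/write",
        "Microsoft.Resources/tags/delete",
    ],
}

# Same role with the answer's fix: resourceGroups/write is the operation
# behind PUT/PATCH on the resource group itself, its tags included.
FIXED_ROLE = {
    "Name": "Resource Group Owner",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Resources/tags/write",
        "Microsoft.Resources/tags/delete",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
    ],
}

# Built-in Contributor, abbreviated (assumption: only the NotActions that
# matter for this demo are listed).
CONTRIBUTOR = {
    "Name": "Contributor",
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}


def matches(pattern, operation):
    """Azure-style wildcard match: '*' spans '/' and the comparison ignores case."""
    return fnmatchcase(operation.lower(), pattern.lower())


def role_allows(role, operation):
    """One role definition: granted by Actions and not removed by its own NotActions."""
    granted = any(matches(p, operation) for p in role["Actions"])
    removed = any(matches(p, operation) for p in role["NotActions"])
    return granted and not removed


def allowed(assignments, operation):
    """All roles assigned at or above the scope.

    NotActions is not a deny: an operation removed from one role is still
    allowed if any other assignment grants it.
    """
    return any(role_allows(r, operation) for r in assignments)


def role_definition_file(subscription_id):
    """JSON in the shape `az role definition create --role-definition @file`
    accepts (assumption: the caller supplies the subscription id)."""
    body = {
        "Name": FIXED_ROLE["Name"],
        "Description": "Owns everything in the RG except the RG's own tags.",
        "Actions": FIXED_ROLE["Actions"],
        "NotActions": FIXED_ROLE["NotActions"],
        "DataActions": [],
        "NotDataActions": [],
        "AssignableScopes": [f"/subscriptions/{subscription_id}"],
    }
    return json.dumps(body, indent=2)


RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
TAG_WRITE = "Microsoft.Resources/tags/write"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"

if __name__ == "__main__":
    for name, role in (("original", ORIGINAL_ROLE), ("fixed", FIXED_ROLE)):
        print(f"{name}: tags/write={role_allows(role, TAG_WRITE)} "
              f"resourceGroups/write={role_allows(role, RG_WRITE)} "
              f"virtualMachines/write={role_allows(role, VM_WRITE)}")
    # The caveat: a second assignment (say, Contributor inherited from a
    # group at subscription scope) reopens the hole.
    print("fixed + Contributor: resourceGroups/write =",
          allowed([FIXED_ROLE, CONTRIBUTOR], RG_WRITE))
    print(role_definition_file("00000000-0000-0000-0000-000000000000"))
```

Running it shows the original role still permitting `Microsoft.Resources/subscriptions/resourceGroups/write` while the fixed role removes it and keeps ordinary resource creation such as `Microsoft.Compute/virtualMachines/write`, which matches what the answer observed. The last line of output is the caveat worth remembering: NotActions only subtracts within the role it appears in, so if the same user also receives Contributor or Owner through a group or at subscription scope, the resource group can be edited again. Only a deny assignment blocks an operation regardless of other role assignments, which is why the Blueprints route the question mentions is the one that actually enforces the restriction.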