Tags: azure, azure-functions, azure-rbac, azure-role-environment

Custom roles for Azure components


I have a resource group that contains a Logic App, a Function App, a Machine Learning workspace and Azure Storage. Clients have a set of users that fall under the dev and admin categories. Devs should not have delete access and admins have all the access. Should I create a role for each service and assign them at resource level? (That is what I am doing right now.) Or should I create 2 roles and assign them at resource group level? I have cloned the Contributor role and added the dev service principal with the custom contributor role at the Function App level. So the users that fall under the dev service principal can only access the Function App.

Is there any inbuilt role with no delete permission for all the resources deployed inside a resource group?


Solution

  • You can create a custom role that puts the particular resource provider operations in notActions and assign it at resource group level.

    For example, if you don't want the devs to delete storage and web apps, you can set the custom role up like this:

    Clone the Contributor role.

    Put Microsoft.Web/sites/Delete and Microsoft.Storage/storageAccounts/delete into notActions.

        "notActions": [
            "Microsoft.Authorization/*/Delete",
            "Microsoft.Authorization/*/Write",
            "Microsoft.Authorization/elevateAccess/Action",
            "Microsoft.Blueprint/blueprintAssignments/write",
            "Microsoft.Blueprint/blueprintAssignments/delete",
            "Microsoft.Compute/galleries/share/action",
            "Microsoft.Web/sites/Delete",
            "Microsoft.Storage/storageAccounts/delete"
        ],


    After creating the custom role, assign it to the devs at the resource group level.
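A way to check what such a custom role actually grants before assigning it, as an added example that is not part of the original answer: it reimplements the Azure RBAC role evaluation rule (Actions minus NotActions, case-insensitive, with `*` wildcards) in Python and extends the answer's list with assumed delete operations for the Logic App and ML workspace from the question. The role definition, the Logic/ML operation names and the sample operation list are constructed for this example.

```python
import fnmatch

# Constructed role definition: Contributor cloned, delete operations moved into
# NotActions. The Logic App and ML workspace names are assumed; verify them.
DEV_ROLE = {
    "Name": "Dev Contributor (no delete)",
    "IsCustom": True,
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/elevateAccess/Action",
        "Microsoft.Blueprint/blueprintAssignments/write",
        "Microsoft.Blueprint/blueprintAssignments/delete",
        "Microsoft.Compute/galleries/share/action",
        "Microsoft.Web/sites/Delete",
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Logic/workflows/delete",                     # assumed
        "Microsoft.MachineLearningServices/workspaces/delete",  # assumed
    ],
    "AssignableScopes": ["/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RG-NAME>"],
}

# Constructed sample of control-plane operations a dev might attempt.
SAMPLE_OPERATIONS = [
    "Microsoft.Web/sites/Write",
    "Microsoft.Web/sites/Delete",
    "Microsoft.Storage/storageAccounts/delete",
    "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
    "Microsoft.Logic/workflows/delete",
    "Microsoft.Authorization/roleAssignments/write",
]


def _matches(pattern, operation):
    # RBAC compares names case-insensitively; '*' matches any text, '/' included.
    return fnmatch.fnmatchcase(operation.lower(), pattern.lower())


def role_permits(role, operation):
    """Granted when the operation matches Actions and no NotActions entry."""
    allowed = any(_matches(p, operation) for p in role["Actions"])
    excluded = any(_matches(p, operation) for p in role["NotActions"])
    return allowed and not excluded


def remaining_deletes(role, operations):
    """Delete operations the role still grants; a dev role should return []."""
    return [op for op in operations
            if op.lower().endswith("/delete") and role_permits(role, op)]
```

NotActions only subtracts from this role: any other assignment in scope that grants delete still applies, so review every assignment a principal holds. Running `remaining_deletes` on the sample also shows that excluding `storageAccounts/delete` leaves sub-resource deletes such as blob containers granted.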