Azure custom RM role definition with special AssignableScopes
I'm trying to create a custom Azure RM role definition which is scoped to some resource groups inside one subscription. I don't want to provide access to the whole subscription or to only one resource group, and I can't specify the list of resource groups because some of them are not created yet. I want to provide access only to some subset of the subscription's resource groups.

For that I use the PowerShell cmdlet

    New-AzureRmRoleDefinition -InputFile .\new-role.json

where the JSON is

    {
      "Name": "RoleAssignmentsWriter",
      "Description": "Allow to perform role assignment",
      "Actions": [
        "Microsoft.Authorization/roleAssignments/write"
      ],
      "AssignableScopes": [
        "/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/prefix*"
      ]
    }

where prefix is the prefix of existing and future resource group names.

It works if AssignableScopes is ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx"] (the whole subscription) or ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/ResourceGroupName"], but it doesn't work if I specify AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/prefix*"] or even AssignableScopes: ["/subscriptions/xxxxx-xxxxx-xxxx-xxx-xxxxxxx/resourceGroups/*"].

One important thing is that I want to create the role definition for resource groups that do not exist yet; they will be created later.

The question is: is it possible to specify AssignableScopes to only some subset of subscription resource groups? Maybe I can use some kind of wildcard within AssignableScopes? A simple star mark doesn't work.

Or maybe I can use resource group tags or something else?

Thank you very much in advance.

azure powershell rbac
edited Nov 13 '18 at 22:35
asked Nov 13 '18 at 22:16
Vasyl Zvarydchuk

1
I don't think it supports wildcard matches
– 4c74356b41
Nov 13 '18 at 22:17
1 Answer
> is it possible to specify AssignableScopes to only some subset of subscription resource groups? Maybe I can use some kind of wildcard within AssignableScopes?

AFAIK, you cannot use a wildcard within assignableScopes. The New-AzureRmRoleDefinition PowerShell command essentially calls the Role Definitions - Create Or Update REST API, and assignableScopes only accepts three types; refer to this link.

If you want to specify AssignableScopes to only some subset of subscription resource groups, you need to specify them one by one in assignableScopes, like

    "assignableScopes": [
      "subscriptions/subscriptionId/resourceGroups/myresourcegroup1",
      "subscriptions/subscriptionId/resourceGroups/myresourcegroup2",
      "subscriptions/subscriptionId/resourceGroups/myresourcegroup3"
    ]

> Or maybe I can use resource group tags or something else?

No, the possible properties are all listed in the REST API doc; there are no others.

answered Nov 14 '18 at 1:51
Joy Wang
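
One way to apply the answer's "list them one by one" approach to resource groups that are created later, as an added example that is not part of the original question or answer: a script, re-run after each new group, that expands the prefix into literal scopes and updates the role. It assumes the AzureRM module from the question and a signed-in session; the role name is the one from the question and the prefix value is a placeholder.

```powershell
# Added example: keep a custom role's AssignableScopes in sync with every
# resource group whose name starts with a prefix (AzureRM module, signed in).
# $RoleName comes from the question; $Prefix is an assumed placeholder.
param(
    [string]$RoleName = 'RoleAssignmentsWriter',
    [string]$Prefix   = 'prefix'
)

$ErrorActionPreference = 'Stop'

# AssignableScopes takes literal scopes only, so expand the prefix here.
$scopes = @(Get-AzureRmResourceGroup |
    Where-Object { $_.ResourceGroupName -like "$Prefix*" } |
    Sort-Object ResourceGroupName |
    ForEach-Object { $_.ResourceId })

if ($scopes.Count -eq 0) {
    throw "No resource group matches '$Prefix*'; nothing to scope the role to."
}

# Look the role up at the matching scopes, since it may be assignable nowhere else.
$role = $scopes |
    ForEach-Object { Get-AzureRmRoleDefinition -Name $RoleName -Scope $_ -ErrorAction SilentlyContinue } |
    Select-Object -First 1
if (-not $role) {
    throw "Role '$RoleName' not found; create it once with New-AzureRmRoleDefinition."
}

# Compare before writing so a scheduled run is a no-op when nothing changed.
$diff = Compare-Object -ReferenceObject @($role.AssignableScopes) -DifferenceObject $scopes
if (-not $diff) {
    Write-Output "AssignableScopes already current ($($scopes.Count) scopes)."
    return
}

# Log what changes: each added scope widens where the role can be assigned.
$diff | ForEach-Object {
    $change = if ($_.SideIndicator -eq '=>') { 'add' } else { 'remove' }
    Write-Output "$change $($_.InputObject)"
}

$role.AssignableScopes.Clear()
$scopes | ForEach-Object { $role.AssignableScopes.Add($_) }
Set-AzureRmRoleDefinition -Role $role | Out-Null
```

AssignableScopes only controls where the role can be assigned; what an assignee can reach is set by the scope of each role assignment. Because this role carries Microsoft.Authorization/roleAssignments/write, every added scope is one where its holder can grant other roles, so review the logged changes.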