Hello @Razzi29
The least you need to assign is:
Reader Role on the VM: The user needs to have at least Reader permissions on the virtual machine (VM) they are accessing.
Reader Role on the NIC: Similar permissions on the Network Interface Card (NIC) associated with the VM.
Bastion Service Reader Role: To use Azure Bastion, the user also needs to have Reader permissions on the Bastion service itself.
After you create the Role you can assign it at Subscription level, Resource Group or specific resources.
If the grouping is done by Resource Group, I suggest that approach.
Usually it is better to assign it to a root resource, or directly on the VMs. I would not try to do that on VNETs; you need either to inherit the role or get it directly on the VM.
Here is a great LINK:
https://video2.skills-academy.com/en-us/azure/role-based-access-control/role-assignments-steps
I hope this helps!
Kindly mark the answer as Accepted and Upvote in case it helped!
Regards
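As an added example that is not part of the answer above, the following Azure PowerShell script assigns the three Reader scopes the answer lists (the VM, its NIC(s) and the Bastion host) directly on the resources rather than at Resource Group or VNet level, then reads the assignments back so you can confirm nothing broader was granted. The resource group, VM, Bastion and user names are placeholders you would replace with your own.

```powershell
# Added example (not from the original answer). Assumes the Az.Accounts,
# Az.Compute, Az.Network and Az.Resources modules are installed and
# Connect-AzAccount has already been run.
# Placeholder names; replace with your own values.
$rg      = "rg-bastion-demo"
$vmName  = "vm-app01"
$bastion = "bas-hub"
$upn     = "user@contoso.com"

# Resolve the VM, every NIC attached to it, and the Bastion host.
$vm     = Get-AzVM -ResourceGroupName $rg -Name $vmName
$nicIds = $vm.NetworkProfile.NetworkInterfaces | ForEach-Object { $_.Id }
$bas    = Get-AzBastion -ResourceGroupName $rg -Name $bastion

# Least privilege: Reader scoped to each individual resource, nothing wider.
$scopes = @($vm.Id) + $nicIds + @($bas.Id)
foreach ($scope in $scopes) {
    # Skip if the assignment already exists at exactly this scope.
    $existing = Get-AzRoleAssignment -SignInName $upn -Scope $scope |
        Where-Object { $_.RoleDefinitionName -eq "Reader" -and $_.Scope -eq $scope }
    if (-not $existing) {
        New-AzRoleAssignment -SignInName $upn -RoleDefinitionName "Reader" -Scope $scope
    }
}

# Verify: show what the user holds at each scope, including inherited roles.
# Anything with a Scope above the resource (subscription or RG) indicates a
# broader grant than this script intended.
foreach ($scope in $scopes) {
    Get-AzRoleAssignment -SignInName $upn -Scope $scope |
        Select-Object RoleDefinitionName, Scope
}
```

The verification loop is the useful part: Get-AzRoleAssignment at a resource scope also returns assignments inherited from the Resource Group or Subscription, so if the user shows up with Contributor or Owner at a parent scope, the per-resource Reader grants are redundant and the real fix is to trim the inherited role.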