Azure Subscription IAM - Custom role - Resource Group only

Chris Hamill 1 Reputation point
2020-11-16T11:26:31.487+00:00

Hi,

I want to create a role which limits the entities available within a subscription. E.g., if a subscription has 100 entities, I want to provide a role which has read access to a subset only (e.g., those with a similar tag or within the same resource group).

I thought this could be done using the assignable scopes option, but when I try to add a scope for the resource group only, the Custom Role does not appear in the subscription. It allows me to add a scope for the subscription and the resource group, but that returns all entities in the subscription.

Is it possible to have a custom role within a subscription with assignable scope only containing a resource group?

Is there an alternative way to tackle this challenge?

Azure Role-based access control

1 answer

  1. 2020-11-16T15:57:21.217+00:00

    Hello @Chris Hamill, currently this is not possible. The workaround is to add the role assignment to the resource group.

    Let us know if this answer was helpful to you. If so, please remember to mark it as the answer so that others in the community with similar questions can more easily find a solution.
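
The workaround from the answer, sketched with the Azure CLI as an added example (not part of the original thread): the role assignment is created at resource-group scope, and a small audit flags any assignment the same principal holds above that group. The subscription ID, resource group name and assignee are placeholders supplied by the caller, and the function names are hypothetical.

```shell
# Added example: the role ASSIGNMENT is scoped to the resource group.
# All IDs and names passed in are placeholders chosen by the caller.

# Build the ARM scope string for a resource group; reject empty or nested input.
rg_scope() {
  local sub_id="$1" rg="$2"
  case "$sub_id" in ''|*/*) echo "invalid subscription id" >&2; return 1 ;; esac
  case "$rg" in ''|*/*) echo "invalid resource group name" >&2; return 1 ;; esac
  printf '/subscriptions/%s/resourceGroups/%s' "$sub_id" "$rg"
}

# Assign a role (e.g. the built-in Reader) to a principal at resource-group scope.
assign_role_at_rg() {
  local assignee="$1" role="$2" scope
  scope="$(rg_scope "$3" "$4")" || return 1
  az role assignment create --assignee "$assignee" --role "$role" --scope "$scope"
}

# True if an assignment scope is the resource group itself or something below it.
# ARM scopes compare case-insensitively, so both sides are lowercased first.
scope_within_rg() {
  local scope base
  scope="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')"
  base="$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')"
  case "$scope" in
    "$base"|"$base"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Print every assignment in the current subscription that the principal holds
# at a scope broader than (or outside) the resource group; non-zero if any exist.
audit_assignee() {
  local assignee="$1" base
  base="$(rg_scope "$2" "$3")" || return 1
  az role assignment list --assignee "$assignee" --all --query "[].scope" -o tsv | (
    rc=0
    while IFS= read -r s; do
      scope_within_rg "$s" "$base" || { echo "broader than RG: $s"; rc=1; }
    done
    exit "$rc"
  )
}
```

A principal that also holds a role at subscription scope still sees every resource in the subscription, so the audit matters as much as the assignment itself.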