
Hi everyone, I have a subscription where I want to create "sandbox" environments for people. My goal is to give folks a resource group, and make them owner of the Resource Group. They can do anything they want in this little resource group, but not touch anything outside of it in the subscription. Sure, there are some limitations on the resources they can deploy, but for my purpose this is an acceptable solution.

My automated process would create an RG and then add some tags to it. Who owns it (email) and when it was created (created on date). After 30 days, I want to go through and toast any resource group that is 30 days old. Access to this environment is time limited. I figure I can read the tag and delete based on the tag date.

I need a way to prevent the owner of the RG from editing the tag in any way.

Enter Custom Role - Resource Group Owner

{
    "id": "/subscriptions/<sub-guid>/providers/Microsoft.Authorization/roleDefinitions/1cae04e5-3bd2-4d8d-9c3b-ef5bd8e58408",
    "properties": {
        "roleName": "Resource Group Owner",
        "description": "Assigned at the RG level owns everything within the RG, with the exception of editing tags.",
        "assignableScopes": [
            "/subscriptions/<sub-guid>"
        ],
        "permissions": [
            {
                "actions": [
                    "*"
                ],
                "notActions": [
                    "Microsoft.Resources/tags/write",
                    "Microsoft.Resources/tags/delete"
                ],
                "dataActions": [],
                "notDataActions": []
            }
        ]
    }
}

According to documentation, this is correct. I have specified the actions allowed, and then added the excluded actions, which should be subtracted from the allowed actions, on the scope assigned (in this case the resource group). I don't care if they can add or delete tags on resources within the RG, I just don't want them to mess with the RG tags.

With this role assigned to a user they can only see the RG in the subscription they've been assigned, but they can still edit the tags assigned to it.

What am I doing wrong?

I have looked into deny assignment with Azure Blueprints, but there's no example of how to create a deny assignment anywhere. There's docs on the properties but nothing that shows what it looks like in the blueprint.

Thanks for the help.

Chief

1 Answer


Although you put Microsoft.Resources/tags/write and Microsoft.Resources/tags/delete in the notActions, there is another resource provider operation, Microsoft.Resources/subscriptions/resourceGroups/write, which allows the user to edit tags.

You need to put it into notActions as well.

Although the document states that Microsoft.Resources/subscriptions/resourceGroups/write "Creates or updates a resource group", I can still create any other Azure resources in this resource group.

From my test results, I think the restricted part is only to update the resource group itself.

You can give it a try to see if it meets your requirement.

Allen Wu
  • Thank you, I had avoided that rule specifically because I wanted to allow the user to be able to write and create resources WITHIN the RG. Feeling like adding that action would prevent it. I'll give it a shot here. Using the assignable scopes, would I have to create a new Role for every RG? That would be unfortunate, and a blocker. – Chief May 11 '21 at 15:04
  • @Chief I thought the same as you before. But after testing, it is found that users can create resources in this resource group. Please have a try from your side. For "assignable scopes", it is unnecessary to set it to the specific resource group (I have tested it). So I delete the content in my answer. – Allen Wu May 12 '21 at 02:01
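As an added example (not code from the question or the answer), here is a small Python model of how a role's actions and notActions combine, showing why the role posted in the question still leaves Microsoft.Resources/subscriptions/resourceGroups/write reachable and how adding it to notActions closes that path while resource writes inside the RG stay allowed. The wildcard and case-insensitive matching are simplifying assumptions about Azure's evaluator, not its actual implementation.

```python
import re
from copy import deepcopy

# Role definition from the question (assignableScopes omitted; it plays no part
# in the actions/notActions subtraction modelled here).
ORIGINAL_ROLE = {
    "roleName": "Resource Group Owner",
    "permissions": [{
        "actions": ["*"],
        "notActions": [
            "Microsoft.Resources/tags/write",
            "Microsoft.Resources/tags/delete",
        ],
    }],
}

# Same role with the operation the answer identifies added to notActions.
FIXED_ROLE = deepcopy(ORIGINAL_ROLE)
FIXED_ROLE["permissions"][0]["notActions"].append(
    "Microsoft.Resources/subscriptions/resourceGroups/write"
)


def _matches(pattern: str, operation: str) -> bool:
    # Simplified model (assumption): '*' matches any run of characters,
    # including '/', and operation names compare case-insensitively.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation, flags=re.IGNORECASE) is not None


def is_allowed(role: dict, operation: str) -> bool:
    """True if a permission block grants the control-plane operation via
    actions and none of that block's notActions subtracts it again."""
    for perm in role["permissions"]:
        granted = any(_matches(p, operation) for p in perm.get("actions", []))
        excluded = any(_matches(p, operation) for p in perm.get("notActions", []))
        if granted and not excluded:
            return True
    return False


RG_WRITE = "Microsoft.Resources/subscriptions/resourceGroups/write"
TAG_WRITE = "Microsoft.Resources/tags/write"
VM_WRITE = "Microsoft.Compute/virtualMachines/write"  # a resource inside the RG

if __name__ == "__main__":
    for name, role in (("original", ORIGINAL_ROLE), ("fixed", FIXED_ROLE)):
        for op in (TAG_WRITE, RG_WRITE, VM_WRITE):
            verdict = "allowed" if is_allowed(role, op) else "denied"
            print(f"{name:8} {op}: {verdict}")
```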