user145610

Reputation: 3025

Restrict users in accessing Resource Group using ARM Policies

Is there a way to create a policy in ARM for restricting users in the DEV group from creating resources in the Production ResourceGroup? Currently we have added some of the users to the production Resource Group, but we would like to restrict them from creating, modifying or deleting any resource. Is it possible through Policy to use an alias or Distribution Group to validate and allow performing any operation on this prod RG?

Upvotes: 0

Views: 829

Answers (2)

Priyanka Makhija

Reputation: 168

  1. ARM policies are used to do things like restricting resource creation to a particular data center/region, or restricting resource creation if the resources don't contain specific tags.

  2. The best way I can think of is to use RBAC for the users who are added to your Prod RG, to cater to your need. You can assign them only the Reader role in the prod RG and create a custom RBAC role out of it wherein those users will not be eligible to delete or modify any resources in the prod RG.

Hope this helps!

Upvotes: 1

GordonBy

Reputation: 3397

Haven't yet managed anything this advanced with Policies. I would normally achieve this just by assigning their prod resource group access in the Reader role. From a governance perspective you could always write an Azure Automation script that periodically inspects the users in each group and downgrades any Dev user to become a Reader of the prod resource group.

Upvotes: 1
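The periodic sweep GordonBy describes, combined with the Reader-only assignment Priyanka Makhija recommends, as an added example that is not code from either answer. It assumes the Az.Resources module with an authenticated `Connect-AzAccount` session; the `DEV` group name and `prod-rg` resource group name are placeholders.

```powershell
# Added example: downgrade any member of the DEV group who holds a role other than
# Reader directly on the production resource group. Run with -WhatIf first.
# Assumes Az.Resources and an existing Connect-AzAccount session.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$DevGroupName = 'DEV',          # placeholder: developers' Azure AD group
    [string]$ProdResourceGroup = 'prod-rg'  # placeholder: production resource group
)

$rgScope = (Get-AzResourceGroup -Name $ProdResourceGroup).ResourceId

# Object IDs of direct DEV group members (nested groups would need a recursive walk).
$devGroup = Get-AzADGroup -DisplayName $DevGroupName
$devIds = @{}
Get-AzADGroupMember -GroupObjectId $devGroup.Id | ForEach-Object { $devIds[$_.Id] = $true }

# Get-AzRoleAssignment at a scope also returns assignments inherited from the
# subscription or management group; those cannot be removed here and are reported.
$assignments = Get-AzRoleAssignment -Scope $rgScope

# Track who already has Reader at the RG so it is never granted twice.
$hasReader = @{}
$assignments | Where-Object { $_.RoleDefinitionName -eq 'Reader' -and $_.Scope -eq $rgScope } |
    ForEach-Object { $hasReader[$_.ObjectId] = $true }

foreach ($a in $assignments) {
    if (-not $devIds.ContainsKey($a.ObjectId)) { continue }
    if ($a.RoleDefinitionName -eq 'Reader') { continue }

    if ($a.Scope -ne $rgScope) {
        Write-Warning "$($a.DisplayName) holds $($a.RoleDefinitionName) via inherited scope $($a.Scope); fix it at that scope."
        continue
    }

    $action = "Downgrade $($a.RoleDefinitionName) to Reader"
    if ($PSCmdlet.ShouldProcess("$($a.DisplayName) on $rgScope", $action)) {
        # Grant Reader before removing the stronger role so visibility is never lost.
        if (-not $hasReader.ContainsKey($a.ObjectId)) {
            New-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName 'Reader' -Scope $rgScope | Out-Null
            $hasReader[$a.ObjectId] = $true
        }
        Remove-AzRoleAssignment -ObjectId $a.ObjectId -RoleDefinitionName $a.RoleDefinitionName -Scope $rgScope
    }
}
```

Scheduled as an Azure Automation runbook, this catches assignments granted outside the process; it does not replace RBAC as the primary control, since a Dev user keeps the higher role until the next run.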
