Reputation: 1699
Is there a way to query Azure (via REST or CLI) to see which permissions are required/granted for certain actions?
For example, if I wanted to assign an SPN with `Microsoft.Compute/virtualMachines/write` permissions so it could create a VM, I would want to review what other permissions are granted/required before assigning it to said SPN.
Upvotes: 1
Views: 417
Reputation: 12788
The Actions property of a custom role specifies the Azure operations to which the role grants access. It is a collection of operation strings that identify securable operations of Azure resource providers. Operation strings follow the format of `Microsoft.<ProviderName>/<ChildResourceType>/<action>`.
Use `Get-AzureRmProviderOperation` (in PowerShell) or `azure provider operations show` (in Azure CLI) to list operations of Azure resource providers.
For more details, refer to "Create custom roles for Azure Role-Based Access Control".
Upvotes: 1
Reputation: 477
As far as I know there is no way to list dependencies in the way you describe. The PowerShell cmdlet `Get-AzureRmProviderOperation` gives some good information on what permissions are needed. https://learn.microsoft.com/en-us/powershell/module/azurerm.resources/get-azurermprovideroperation?view=azurermps-5.0.0
Upvotes: 1
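To review what a role would actually grant before assigning it to an SPN, its Actions and NotActions wildcards can be expanded against the provider operation list the answers above mention. The following is an added example, not code from either answer; the function name `Get-GrantedOperation`, the sample operation list and both role definitions are constructed for illustration, and the commented live call assumes the AzureRM module and a signed-in session.

```powershell
# Expand a role's Actions/NotActions patterns into the concrete operations they cover.
# Get-GrantedOperation is a hypothetical helper written for this example.
function Get-GrantedOperation {
    param(
        [Parameter(Mandatory)] [string[]] $Actions,
        [string[]] $NotActions = @(),
        [Parameter(Mandatory)] [string[]] $Operations
    )
    foreach ($op in $Operations) {
        # An operation is granted if any Actions pattern matches it...
        $allowed  = $Actions    | Where-Object { $op -like $_ }
        # ...and no NotActions pattern excludes it.
        $excluded = $NotActions | Where-Object { $op -like $_ }
        if ($allowed -and -not $excluded) { $op }
    }
}

# Constructed sample of operation strings so the example runs offline.
# With a live session, replace it with:
#   $ops = (Get-AzureRmProviderOperation -OperationSearchString 'Microsoft.Compute/*').Operation
$ops = @(
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Compute/virtualMachines/write',
    'Microsoft.Compute/virtualMachines/delete',
    'Microsoft.Compute/virtualMachines/start/action',
    'Microsoft.Compute/virtualMachines/restart/action',
    'Microsoft.Compute/disks/write'
)

# Hypothetical role A: a single explicit operation, as in the question.
$narrow = @{ Actions = @('Microsoft.Compute/virtualMachines/write'); NotActions = @() }

# Hypothetical role B: a wildcard with one exclusion.
$broad  = @{ Actions    = @('Microsoft.Compute/virtualMachines/*')
             NotActions = @('Microsoft.Compute/virtualMachines/delete') }

foreach ($role in @($narrow, $broad)) {
    "Actions: $($role.Actions -join ', ')  NotActions: $($role.NotActions -join ', ')"
    Get-GrantedOperation -Actions $role.Actions -NotActions $role.NotActions -Operations $ops |
        ForEach-Object { "  grants $_" }
}
```

This lists only what the patterns grant; it does not discover which additional operations an action such as VM creation depends on.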