Derek Bartram

Reputation: 5

Blocking RBAC inheritance

I'm creating subscriptions in Azure with a number of RBAC roles assigned: hosting team and project team. The hosting team should have full access to everything, and the project team should have full access to everything barring a few exceptions, e.g. no access to the 'Networking' resource group (although they are allowed to create their own resource group(s) containing networking). We have set the RBAC owner for the project team at the subscription level, but in doing so, this also allows them to fully manage the restricted areas.

In principle, the 'deny' assignments in Azure Portal would fit our needs; however, they are currently only available for Azure Blueprints. Any ideas?

Upvotes: 0

Views: 778

Answers (1)

4c74356b41

Reputation: 72171

Block inheritance doesn't exist yet; your only option is to carefully craft and assign custom RBAC roles or carefully assign built-in roles (so, never at sub level, only at resource group level).

Or use Azure Blueprints, it appears they added support for that there.

Upvotes: 2
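An added example, not part of the answer above: a small audit that lists which role assignments are inherited by the restricted 'Networking' resource group, so a subscription-level Owner grant like the one in the question shows up. The sample data is constructed, its field names are assumed to match `az role assignment list --all -o json` output, and the function names are hypothetical.

```python
# Constructed sample in the shape of `az role assignment list --all -o json`
# (field names assumed from that output; subscription ID and names are made up).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RESTRICTED = SUB + "/resourceGroups/Networking"
MG_PREFIX = "/providers/microsoft.management/managementgroups/"

SAMPLE = [
    {"principalName": "hosting-team", "roleDefinitionName": "Owner", "scope": SUB},
    # The situation in the question: Owner at subscription level.
    {"principalName": "project-team", "roleDefinitionName": "Owner", "scope": SUB},
    # Same resource group, different casing (scopes compare case-insensitively).
    {"principalName": "project-team", "roleDefinitionName": "Reader",
     "scope": SUB + "/resourcegroups/NETWORKING"},
    # The project team's own networking resource group: allowed.
    {"principalName": "project-team", "roleDefinitionName": "Owner",
     "scope": SUB + "/resourceGroups/Networking-project"},
]


def reaches(assignment_scope, target_scope):
    """True if a role assigned at assignment_scope is inherited at target_scope."""
    a = assignment_scope.rstrip("/").lower()
    t = target_scope.rstrip("/").lower()
    if a == "" or a.startswith(MG_PREFIX):
        # Root or management group: the hierarchy is not known here, so
        # conservatively treat it as a parent of the target.
        return True
    # The trailing "/" keeps .../Networking from matching .../Networking-project.
    return t == a or t.startswith(a + "/")


def unexpected_access(assignments, target_scope, allowed):
    """Assignments that reach target_scope for principals not in `allowed`."""
    return [(x["principalName"], x["roleDefinitionName"], x["scope"])
            for x in assignments
            if x["principalName"] not in allowed
            and reaches(x["scope"], target_scope)]


if __name__ == "__main__":
    for hit in unexpected_access(SAMPLE, RESTRICTED, {"hosting-team"}):
        print("reaches Networking:", *hit)
```

With assignments made only at resource group level, as the answer suggests, the audit returns nothing for the project team.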
