Othmane_ElHanchi
Copper Contributor
Aug 01, 2024

Deny Assignment in Read / Access (DenySettingsMode)

Hello,

I would like to confirm with you that it is currently not supported within Azure through any API / CLI to set a denyRead type of assignment to a resource?

So are we really only limited to these 3 options: denyDelete, denyWriteAndDelete, None?

https://learn.microsoft.com/en-us/javascript/api/@azure/arm-resourcesdeploymentstacks/knowndenysettingsmode?view=azure-node-latest

I checked the CLI and it correlates.

I find the concept of denyAssignment to be tremendously valuable from a security perspective. Why is it so limited, and doesn't let us expand to other rights such as read or access?

It would be a much appreciated addition.

Thank you!

2 Replies

  • Othmane_ElHanchi

    You may also consider the deny-settings-excluded-actions parameter to exclude read actions (such as Microsoft.Resources/*/read).

    • Othmane_ElHanchi
      Copper Contributor
      As far as I understand, that parameter determines which actions are excluded from the deny assignment.

      Which is weird considering that the deny assignment itself is so limited, but it would encompass a situation where you deny write assignment but authorize an action like "rename" for instance.