Forum Discussion
How to prevent changes to the Firewalls and virtual network section for resources?
Hi, to prevent changes on any resources you have to define an IAM strategy for your resources:
Giving the Owner role to those who need full access
Giving the Contributor role to those who need to modify resources
Giving the Reader role to those who need read-only access
Giving custom roles for specific needs
Giving a role tied to a resource type for specific operations (Virtual Machine Contributor, for example)
You may know that roles are inherited from the subscription and resource group, so you need to consider that and finally create a map to be able to retrieve who has access to what, and then revoke if necessary.
Once you have done that you can add a read-only lock at the resource group level so only people with the right access will be able to remove it (that's why I suggest identifying those people above). This lock will prevent any changes on any resource in the resource group scope.
Thanks for the info on IAM.
We looked at custom roles, but there are thousands of permissions per role and I have yet to find any documentation that specifically lists which permissions to remove from networking that would prevent a user from making changes.
- ibnmbodji, Jan 21, 2021, Iron Contributor
In the process of creating the custom role through the portal you can exclude some permissions.
In the screenshot, for example, I can add or remove the permission to delete an Azure Firewall Application Rule Collection. Another way to do that is to start from the Reader role and add the necessary write permissions. But as you can see, it can be a big management overhead if your goal is only to prevent changes?
In my opinion the simplest way is to add a lock and put a process in place to remove the lock if necessary.
As Contributor you can delete locks at the resource level but not at the subscription level (only Owners can).
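The two answers above describe two controls: a custom role that keeps Contributor-style rights but drops the networking write/delete permissions, and a ReadOnly lock on the resource group. The script below is an added example that is not code from the thread or from either poster. It emits the custom role definition JSON that `az role definition create` accepts, includes a small evaluator that applies Azure's wildcard rule (`*` matches any run of characters, including `/`, case-insensitively) so you can check which actions the role does and does not grant before assigning it, and wraps the `az role definition create` / `az lock create` calls in a function you run only when logged in. The role name "Contributor Except Networking", the lock name "no-changes", the subscription id and the resource group name are placeholders, and the role is assumed to be scoped to a single subscription.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a custom role with Contributor-like
# rights minus any write/delete under Microsoft.Network and minus lock/role
# management, then locks a resource group so nobody without lock permissions can
# change it. Subscription id, role name and resource group name are placeholders.
set -e

# Patterns the role grants / denies. Azure treats '*' as matching any run of
# characters, including '/', and compares action strings case-insensitively.
ROLE_ACTIONS='*'
ROLE_NOT_ACTIONS='Microsoft.Network/*/write
Microsoft.Network/*/delete
Microsoft.Authorization/*/Write
Microsoft.Authorization/*/Delete
Microsoft.Authorization/elevateAccess/Action'

# Print the role definition JSON for `az role definition create`.
# $1 = subscription id the role may be assigned in (assumed: one subscription).
network_readonly_role_json() {
  subscription_id="$1"
  # Turn the newline-separated list into JSON array entries, no trailing comma.
  not_actions=$(printf '%s\n' "$ROLE_NOT_ACTIONS" | sed -e 's/^.*$/    "&",/' -e '$s/,$//')
  cat <<EOF
{
  "Name": "Contributor Except Networking",
  "IsCustom": true,
  "Description": "Contributor rights minus write/delete on Microsoft.Network resources and minus lock and role management.",
  "Actions": [ "*" ],
  "NotActions": [
${not_actions}
  ],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [ "/subscriptions/${subscription_id}" ]
}
EOF
}

# $1 = pattern, $2 = action. Returns 0 when the pattern matches the action,
# using shell glob matching on lowercased strings (same semantics as Azure's '*').
action_matches() {
  pat=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  act=$(printf '%s' "$2" | tr '[:upper:]' '[:lower:]')
  case "$act" in
    $pat) return 0 ;;
  esac
  return 1
}

# Returns 0 if this role grants the action: it must match an Actions entry and
# no NotActions entry, which is how Azure RBAC evaluates a single role definition.
role_allows_action() {
  action="$1"
  granted=1
  while IFS= read -r p; do
    if action_matches "$p" "$action"; then granted=0; break; fi
  done <<EOF
$ROLE_ACTIONS
EOF
  [ "$granted" -eq 0 ] || return 1
  while IFS= read -r p; do
    if action_matches "$p" "$action"; then return 1; fi
  done <<EOF
$ROLE_NOT_ACTIONS
EOF
  return 0
}

# Create the role and lock the resource group. Needs the Azure CLI and a login;
# everything above works offline. $1 = subscription id, $2 = resource group.
apply_to_azure() {
  role_file=$(mktemp)
  network_readonly_role_json "$1" > "$role_file"
  az role definition create --role-definition "$role_file"
  # ReadOnly blocks every write/delete in the group; CanNotDelete only stops deletes.
  az lock create --name no-changes --lock-type ReadOnly --resource-group "$2"
  # A sanctioned change means removing the lock first, which requires
  # Microsoft.Authorization/locks/* (held by Owner and User Access Administrator):
  #   az lock delete --name no-changes --resource-group "$2"
}

# Usage: sh role-and-lock.sh apply <subscription-id> <resource-group>
if [ "${1:-}" = "apply" ]; then
  apply_to_azure "$2" "$3"
fi
```

Two caveats worth checking before relying on either control. The role's NotActions only cover the `Microsoft.Network` provider, so the "Firewalls and virtual networks" blade of a PaaS resource such as a storage account, whose network rules are written through that provider's own write action (`Microsoft.Storage/storageAccounts/write`), is not blocked by this role; that is where the lock is the simpler and more complete control. A ReadOnly lock, on the other hand, also blocks some POST-style read operations (listing storage account keys is the usual surprise), so test the locked group with the workloads that use it before rolling it out broadly.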