Forum Discussion
How to prevent changes to the Firewalls and virtual network section for resources?
Thx for the info on IAM.
We looked at custom roles, but there are thousands of permissions per role and I have yet to find any documentation that specifically lists what permissions to remove from networking that would prevent a user from making changes.
In the process of creating the custom role through the portal, you can exclude some permissions.
In the screenshot, for example, I can add or remove the permission to delete an Azure Firewall Application Rule Collection. Another way to do that is to start with the Reader role and add the necessary write permissions. But as you see, it can be a big management overhead if your goal is only to prevent changes?
In my opinion, the simplest way is to add a lock and put a process in place to move the lock if necessary.
As a contributor, you can delete locks at the resource level but not at the subscription level (only owners can).
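The two custom-role approaches discussed in this thread (excluding permissions, or starting from Reader and adding writes) can be checked offline before a role is assigned. This is an added example, not part of the original posts: the role definitions are constructed, and the operation strings are illustrative and should be confirmed against the Microsoft.Network provider operations list.

```python
import re

def _matches(pattern, action):
    # RBAC operation strings are case-insensitive; "*" matches any run of characters.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """A role grants an action if it matches Actions and no NotActions entry."""
    granted = any(_matches(p, action) for p in role.get("Actions", []))
    excluded = any(_matches(p, action) for p in role.get("NotActions", []))
    return granted and not excluded

def principal_allows(roles, action):
    # NotActions only subtracts inside one role definition; it is not a deny.
    # Any other role assigned to the same principal can still grant the action.
    return any(role_allows(r, action) for r in roles)

def still_allowed(roles, operations):
    """Return the operations a principal holding `roles` can still perform."""
    return [op for op in operations if principal_allows(roles, op)]

# Constructed sample data: operations to audit and three candidate custom roles.
FW_OPS = [
    "Microsoft.Network/azureFirewalls/read",
    "Microsoft.Network/azureFirewalls/write",
    "Microsoft.Network/azureFirewalls/applicationRuleCollections/write",
    "Microsoft.Network/azureFirewalls/applicationRuleCollections/delete",
]
# Approach 1a: exclude a single permission, as in the portal screenshot case.
EXCLUDE_ONE = {"Actions": ["*"], "NotActions": [
    "Microsoft.Network/azureFirewalls/applicationRuleCollections/delete"]}
# Approach 1b: exclude every networking write and delete with wildcards.
EXCLUDE_NET = {"Actions": ["*"], "NotActions": [
    "Microsoft.Network/*/write", "Microsoft.Network/*/delete"]}
# Approach 2: start from Reader ("*/read") and add only the writes needed.
READER_PLUS = {"Actions": ["*/read", "Microsoft.Compute/virtualMachines/*"],
               "NotActions": []}

if __name__ == "__main__":
    for name, roles in [("exclude one", [EXCLUDE_ONE]),
                        ("exclude networking", [EXCLUDE_NET]),
                        ("reader plus", [READER_PLUS]),
                        ("exclude networking + second role", [EXCLUDE_NET, EXCLUDE_ONE])]:
        print(name, "->", still_allowed(roles, FW_OPS))
```

Excluding one permission leaves the other write operations open, and a second role assignment on the same principal undoes the exclusions entirely.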