Azure RBAC Custom Role Best Practices or Common Build Patterns
As a platform admin, I want to grant application admins Contributor access while removing their ability to write or delete most Microsoft.Network resource types, with a few exceptions such as Private Endpoints, Network Interfaces, and Application Gateways. Based on the effective control plane permissions logic, we designed two custom roles. The first role is a duplicate of the Contributor role, but with Microsoft.Network//Write and Microsoft.Network//Delete added to notActions. The second role adds back specific Microsoft.Network operations using wildcarded resource types, such as Microsoft.Network/networkInterfaces/*. Application Admin Effective Permissions = Role 1 (Contributor - Microsoft.Network) + Role 2 (for example, Microsoft.Network/networkInterfaces/, Microsoft.Network/networkSecurityGroups/, Microsoft.Network/applicationGateways/write, etc.) I understand that Microsoft RBAC best practices recommend avoiding wildcard (*) operations. However, my team has found that building roles with individual operations is extremely tedious and time-consuming, especially when trying to understand the impact of each operation. Does anyone have suggestions for a simpler or more maintainable pattern for implementing this type of custom RBAC design?Azure Inherited roles, but still access denied
Hi, In e.g. Key Vault, when looking for the Access Control I can see that user account have custom contributor role inherited from the subscription level. When looking for the role more deeply it shows: "Showing 500 of 15937 permissions View all (will take a moment to load)" E.g. having the following permissions: Read Secret Properties and Write Secret. So all should be kind of okay..? 🙂 But when I'm looking for the e.g. secrets in the key vault, it gives me back "The operation is not allowed by RBAC." and "You are unauthorized to view these contents.". I thought there could be a "deny" rules, but nothing in there either. What could be the trick on here? What might be blocking or missing the access to the resources. Btw, I just tested, I was able to create the Key Vault by myself.
