Go to the resource group to which you would like the role to be scoped.
Select Access control (IAM) -> Add -> Add custom role:
Give a suitable name and description for the role.
The Baseline permissions option decides whether the custom role is created by cloning and then modifying an existing role, or by starting from scratch.
Here, I chose the option <Clone a role>.
Role to clone: I chose <Storage Blob Data Contributor>, as it is the closest to the custom role I want to create. You could clone any other role as per your use case.
Under the Permissions tab, I alter the permissions as per my use case. I changed the permissions highlighted below, as they align with my use case:
To add/exclude permissions:
Choose either Add or Exclude, then search for the resource whose permission you would like to add or exclude.
As I want to exclude the delete operations on the storage account, I used the below:
Excluding the required permissions:
Under NotActions (these are management plane permissions), I chose the below 2 permissions:
Under NotDataActions (these are data plane operations):
The final form of the custom RBAC role is shown below, scoped at the resource group level. The role is created by clicking Create.
Once the role has been created, we can assign it to the user as below:
Azure portal -> Resource group
Access control (IAM) -> Add -> Add role assignment
In the role assignment, choose the custom role you created and assign it to the user.
Along with the above role, I gave the user the Reader role at the subscription level. You could give Reader at the resource group level too.
When granting permissions to a user, there are two planes to consider: the management plane and the data plane.
The management plane covers operations on the storage account resource itself, such as listing the storage accounts in a subscription, retrieving the storage account keys, or regenerating them.
Data plane access refers to reading, writing, or deleting the data inside the containers.
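As an added example (not the author's code), here is the role this walkthrough produces, in the JSON shape Azure RBAC uses, together with a small evaluator that shows how NotActions and NotDataActions subtract from the cloned grants on each plane. The role name, the exact excluded operations and the placeholder subscription/resource group ids are assumptions, since the screenshots of the author's choices are not reproduced here.

```python
import fnmatch

# Built-in Storage Blob Data Contributor in the JSON shape Azure RBAC uses:
# Actions are management plane, DataActions are data plane.
BLOB_DATA_CONTRIBUTOR = {
    "Name": "Storage Blob Data Contributor",
    "Actions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/write",
        "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action",
    ],
    "NotActions": [],
    "DataActions": [
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
        "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action",
    ],
    "NotDataActions": [],
}

# "Clone a role", then exclude deletes. The exact NotActions/NotDataActions entries
# are assumed here; the page's screenshots of the author's choices are not included.
NO_DELETE_ROLE = {
    **BLOB_DATA_CONTRIBUTOR,
    "Name": "Storage Blob Data Contributor - No Delete",  # assumed name
    "NotActions": [
        "Microsoft.Storage/storageAccounts/delete",
        "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
    ],
    "NotDataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"],
    "AssignableScopes": ["/subscriptions/<subscription-id>/resourceGroups/<resource-group>"],
}
READER = {"Name": "Reader", "Actions": ["*/read"], "NotActions": [], "DataActions": [], "NotDataActions": []}


def _matches(operation, patterns):
    # Operation names are case-insensitive and '*' matches across '/' segments.
    return any(fnmatch.fnmatchcase(operation.lower(), p.lower()) for p in patterns)

def role_permits(role, operation, data_plane=False):
    """One role's effective grant: Actions minus NotActions (or the data-plane pair)."""
    allow, deny = ("DataActions", "NotDataActions") if data_plane else ("Actions", "NotActions")
    return _matches(operation, role[allow]) and not _matches(operation, role[deny])

def effective_permits(roles, operation, data_plane=False):
    """Union over all assignments. NotActions only trims its own role, it is not a deny
    assignment: if another assigned role grants the operation, the user still has it."""
    return any(role_permits(r, operation, data_plane) for r in roles)
```

The evaluator also makes the caveat visible: with Reader plus the custom role the user can list and read but not delete, yet assigning the unmodified Storage Blob Data Contributor alongside it brings blob delete back, because NotDataActions is not a deny assignment.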