If the built-in roles for Azure resources don't meet the specific needs of your organization, you can create your own custom roles. Just like built-in roles, you can assign custom roles to users, groups, and service principals at subscription, resource group, and resource scopes.
Custom roles are stored in an Azure Active Directory (Azure AD) directory and can be shared across subscriptions. Each directory can have up to 5000 custom roles. (For specialized clouds, such as Azure Government, Azure Germany, and Azure China 21Vianet, the limit is 2000 custom roles.) Custom roles can be created using Azure PowerShell, Azure CLI, or the REST API.
Custom role example
The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting virtual machines.
```json
{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}
```
When you create a custom role, it appears in the Azure portal with an orange resource icon.
Steps to create a custom role
- Decide how you want to create the custom role. You can create custom roles using Azure PowerShell, Azure CLI, or the REST API.
- Determine the permissions you need. When you create a custom role, you need to know the resource provider operations that are available to define your permissions. To view the list of operations, see the Azure Resource Manager resource provider operations. You will add the operations to the `Actions` or `NotActions` properties of the role definition. If you have data operations, you will add those to the `DataActions` or `NotDataActions` properties.
- Create the custom role. Typically, you start with an existing built-in role and then modify it for your needs. Then you use the `New-AzRoleDefinition` or `az role definition create` commands to create the custom role. To create a custom role, you must have the `Microsoft.Authorization/roleDefinitions/write` permission on all `AssignableScopes`, such as Owner or User Access Administrator.
- Test the custom role. Once you have your custom role, you have to test it to verify that it works as you expect. If you need to make adjustments later, you can update the custom role.
For a step-by-step tutorial on how to create a custom role, see Tutorial: Create a custom role using Azure PowerShell or Tutorial: Create a custom role using Azure CLI.
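The four steps above, carried out in Azure PowerShell, as an added example that is not part of the original article: clone a built-in role, replace its permissions with the "Virtual Machine Operator" definition shown earlier, scope it, check it for unintended wildcards, and create it. It assumes the Az.Resources module is installed, `Connect-AzAccount` has already been run, and that the subscription IDs in `$subscriptionIds` are placeholders you replace with your own.

```powershell
# Placeholder subscription IDs; replace with the subscriptions you administer.
$subscriptionIds = @(
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"
)

# Step 1/3: start from a built-in role so the object already has the right shape,
# then clear the ID so Azure assigns a new one and mark the copy as custom.
$role = Get-AzRoleDefinition -Name "Virtual Machine Contributor"
$role.Id = $null
$role.IsCustom = $true
$role.Name = "Virtual Machine Operator"
$role.Description = "Can monitor and restart virtual machines."

# Step 2: replace the inherited permissions with the read + start/restart set.
$role.Actions.Clear()
$role.NotActions.Clear()
$role.DataActions.Clear()
$role.NotDataActions.Clear()
@(
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
) | ForEach-Object { $role.Actions.Add($_) }

# AssignableScopes limits where the role can be assigned and who may create,
# update, delete or view it; you need roleDefinitions/write on every scope listed.
$role.AssignableScopes.Clear()
$subscriptionIds | ForEach-Object { $role.AssignableScopes.Add("/subscriptions/$_") }

# Review before creating: a trailing "/*" grants every operation on that resource
# type (write and delete included), so list such entries for a conscious decision.
$wildcardWrites = $role.Actions | Where-Object { $_ -like "*/[*]" }
if ($wildcardWrites) {
    Write-Warning "Actions granting full control: $($wildcardWrites -join ', ')"
}

# Step 3: create the role definition in the directory.
New-AzRoleDefinition -Role $role

# Step 4: confirm it exists and is flagged as custom before assigning it to anyone.
Get-AzRoleDefinition -Name "Virtual Machine Operator" |
    Select-Object Name, IsCustom, AssignableScopes
```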
Custom role properties
A custom role has the following properties.
Who can create, delete, update, or view a custom role
Just like built-in roles, the `AssignableScopes` property specifies the scopes at which the role is available for assignment. For a custom role, the `AssignableScopes` property also controls who can create, delete, update, or view the custom role.