CloudWiki
Resource
Get a free AWS Well-Architected Assessment ->

Microsoft Azure

Role Definition

Azure Role Definitions are a set of permissions that define the actions that a user, group, or application can perform on Azure resources. Role definitions are used to grant access to Azure resources and manage permissions for users and groups. Each role definition consists of a set of permissions that define what actions are allowed or denied on specific Azure resources. The permissions are defined using Azure Resource Manager templates and are stored as JSON files in Azure. The role definitions can be customized to suit the specific needs of an organization. Azure provides a set of built-in role definitions that can be used to grant access to resources, such as Owner, Contributor, Reader, and User Access Administrator. These built-in roles have pre-defined permissions that can be assigned to users and groups. In addition to the built-in roles, users can create custom role definitions with specific permissions tailored to their needs. Custom role definitions can be created using Azure Resource Manager templates or the Azure portal. Users can define the permissions for each role, specify the scope of the role, and assign the role to users and groups.‍
aws cost
Costs
Direct Cost
Indirect Cost
No items found.
Terraform Name
terraform
azurerm_role_definition
Role Definition
attributes:

The following arguments are supported:

  • role_definition_id - (Optional) A unique UUID/GUID which identifies this role - one will be generated if not specified. Changing this forces a new resource to be created.
  • name - (Required) The name of the Role Definition.
  • scope - (Required) The scope at which the Role Definition applies to, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM. It is recommended to use the first entry of the assignable_scopes. Changing this forces a new resource to be created.
  • description - (Optional) A description of the Role Definition.
  • permissions - (Optional) A permissions block as defined below.
  • assignable_scopes - (Optional) One or more assignable scopes for this Role Definition, such as /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.

NOTE:

The value for scope is automatically included in this list if no other values supplied.

A permissions block as the following properties:

Associating resources with a
Role Definition
Resources do not "belong" to a
Role Definition
Rather, one or more Security Groups are associated to a resource.
Create
Role Definition
via Terraform:
The following HCL manages a custom Role Definition, used to assign Roles to Users/Principals
Syntax:

data "azurerm_subscription" "primary" {
}

resource "azurerm_role_definition" "example" {
 name        = "my-custom-role"
 scope       = data.azurerm_subscription.primary.id
 description = "This is a custom role created via Terraform"

 permissions {
   actions     = ["*"]
   not_actions = []
 }

 assignable_scopes = [
   data.azurerm_subscription.primary.id, # /subscriptions/00000000-0000-0000-0000-000000000000
 ]
}

Create
Role Definition
via CLI:
Parametres:

az role definition create --role-definition

Example:

az role definition create --role-definition '{
   "Name": "Contoso On-call",
   "Description": "Perform VM actions and read storage and network information.",
   "Actions": [
       "Microsoft.Compute/*/read",
       "Microsoft.Compute/virtualMachines/start/action",
       "Microsoft.Compute/virtualMachines/restart/action",
       "Microsoft.Network/*/read",
       "Microsoft.Storage/*/read",
       "Microsoft.Authorization/*/read",
       "Microsoft.Resources/subscriptions/resourceGroups/read",
       "Microsoft.Resources/subscriptions/resourceGroups/resources/read",
       "Microsoft.Insights/alertRules/*",
       "Microsoft.Support/*"
   ],
   "DataActions": [
       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/*"
   ],
   "NotDataActions": [
       "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write"
   ],
   "AssignableScopes": ["/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
}'

Best Practices for
Role Definition

Categorized by Availability, Security & Compliance and Cost

No items found.
Explore all the rules our platform covers
Related blog posts
We haven't write about
Role Definition
yet.
View all blog posts ->
More from
Microsoft Azure
AKS
Containers
Active Directory
Identity
App-Service Plan
App Services
Blob Storage
Storage
Bot
AI & Machine Learning
CDN Profile
App Services
Cache for Redis
Databases
Cosmos DB
Databases
Data Lake Storage
Storage
Disk Storage
Storage
Domain Service
Identity
Files
Storage
Firewall
Networking
Firewall Policy
Networking
Firewall Policy Rule Collection Group
Networking
Front Door
Networking
Function App
Compute
Group
Identity
Image
Compute
Network Interface
Networking
Network Security Group
Networking
PostgreSQL
Databases
Queue Storage
Storage
Resource Group
Management & Governance
Role Definition
Identity
Route Table
Networking
SQL Database
Databases
SQL Server
Databases
Snapshot
Compute
Storage Account
Storage
Subnet
Networking
User
Identity
Virtual Machine
Compute
Virtual Network
Networking