Role1 Azure Role Definition - AZ-300 Exam | Microsoft Azure Architect Technologies

Question

You create the following Azure role definition.

{
  "Name": "Role1",
  "Id": "80808080-8080-8080-8080-808080808080",
  "IsCustom": false,
  "Description": "",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

You need to create Role1 by using the role definition.

Which two values should you modify before you create Role1? Each correct answer presents part of the solution.

NOTE: Each correct selection is worth one point.

Answers

Explanations

A. B. C. D. E.

AD

Part of example:

"IsCustom": true,
"AssignableScopes": [
  "/subscriptions/{subscriptionId1}",
  "/subscriptions/{subscriptionId2}",
  "/subscriptions/{subscriptionId3}"
]

The following shows what a custom role looks like as displayed in JSON format. This custom role can be used for monitoring and restarting virtual machines.

{
  "Name": "Virtual Machine Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "Can monitor and restart virtual machines.",
  "Actions": [
    "Microsoft.Storage/*/read",
    "Microsoft.Network/*/read",
    "Microsoft.Compute/*/read",
    "Microsoft.Compute/virtualMachines/start/action",
    "Microsoft.Compute/virtualMachines/restart/action",
    "Microsoft.Authorization/*/read",
    "Microsoft.ResourceHealth/availabilityStatuses/read",
    "Microsoft.Resources/subscriptions/resourceGroups/read",
    "Microsoft.Insights/alertRules/*",
    "Microsoft.Insights/diagnosticSettings/*",
    "Microsoft.Support/*"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}

https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles

To create a custom role in Azure, you need to provide a role definition that specifies the permissions that the role has. The role definition includes various settings that determine the scope of the role, the actions that it can perform, and the resources that it can access.

In this scenario, the role definition includes the following settings:

  • "Name": Specifies the name of the role as "Role1".
  • "Id": Specifies a unique identifier for the role.
  • "IsCustom": Specifies whether the role is a custom role or a built-in role. The value is set to false, which means that it is a built-in role.
  • "Description": Provides a description of the role.
  • "Actions": Specifies the actions that the role can perform. The actions are defined using Azure Resource Manager (ARM) resource provider namespaces and action names. In this case, the role can read resources from the Microsoft.Storage, Microsoft.Network, Microsoft.Compute resource provider namespaces, and can start or restart virtual machines.
  • "NotActions": Specifies any actions that the role cannot perform. In this case, there are no restrictions on the actions that the role can perform.
  • "DataActions": Specifies any data actions that the role can perform. Data actions are operations that modify data resources. In this case, there are no data actions specified.
  • "NotDataActions": Specifies any data actions that the role cannot perform. In this case, there are no restrictions on data actions.
  • "AssignableScopes": Specifies the scopes where the role can be assigned. In this case, there are no scopes specified.

To create Role1 using this role definition, you need to modify the "Id" and "AssignableScopes" settings.

  • "Id": The role definition specifies a unique identifier for the role. You need to replace the value of the "Id" setting with a new unique identifier that identifies the custom role that you want to create.
  • "AssignableScopes": The role definition specifies an empty list for the "AssignableScopes" setting. You need to specify one or more scopes where the role can be assigned. Scopes can be Azure subscriptions, resource groups, or individual resources. By specifying scopes, you limit the scope of the role and prevent unauthorized access to resources.

Therefore, the correct answers are A. IsCustom and D. AssignableScopes. You need to modify the "IsCustom" setting to true if you want to create a custom role. However, in this scenario, the role definition already specifies that the role is not custom, so you don't need to modify this setting. The "DataActions" and "Description" settings are optional and don't need to be modified in this scenario.
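
The following is an added example, not part of the original question or of Microsoft's documentation: a Python pre-flight check that flags the two settings from the answer key (IsCustom and AssignableScopes) and lists every action that goes beyond read access, so the role can be reviewed for least privilege before it is created. The function name, the scope pattern, and the all-zero subscription ID are assumptions made for this example.

```python
import json
import re

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Assumed scope shapes: a subscription, optionally narrowed to a resource group.
SCOPE_RE = re.compile(rf"^/subscriptions/{GUID}(?:/resourceGroups/[^/]+)?$")

def lint_role_definition(text):
    """Return (blocking problems, non-read actions to review) for role JSON."""
    role = json.loads(text)
    problems = []
    if role.get("IsCustom") is not True:
        problems.append("IsCustom must be true for a custom role")
    scopes = role.get("AssignableScopes") or []
    if not scopes:
        problems.append("AssignableScopes is empty")
    for scope in scopes:
        if "{" in scope or "}" in scope:
            problems.append(f"placeholder left in scope: {scope}")
        elif not SCOPE_RE.match(scope):
            problems.append(f"unrecognised scope: {scope}")
    # Actions not ending in /read go beyond read access and deserve review.
    review = [a for a in role.get("Actions", []) if not a.endswith("/read")]
    return problems, review

# Role1 exactly as the question gives it.
ROLE1 = {
    "Name": "Role1",
    "Id": "80808080-8080-8080-8080-808080808080",
    "IsCustom": False,
    "Description": "",
    "Actions": [
        "Microsoft.Storage/*/read",
        "Microsoft.Network/*/read",
        "Microsoft.Compute/*/read",
        "Microsoft.Compute/virtualMachines/start/action",
        "Microsoft.Compute/virtualMachines/restart/action",
        "Microsoft.Authorization/*/read",
    ],
    "NotActions": [], "DataActions": [], "NotDataActions": [],
    "AssignableScopes": [],
}
# Constructed fix: the all-zero subscription ID is a placeholder, not a real one.
FIXED = dict(ROLE1, IsCustom=True,
             AssignableScopes=["/subscriptions/00000000-0000-0000-0000-000000000000"])

if __name__ == "__main__":
    for label, role in (("as given", ROLE1), ("fixed", FIXED)):
        print(label, lint_role_definition(json.dumps(role)))
```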