Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack Hub | Custom Roles: Features and Assignments

Custom Roles: Features and Assignments

Question

Custom roles can be assigned to groups, users, and service principals at the management group (in preview only), subscription, and resource group scopes.

Which of the following statement(s) is/are true about the custom roles? (Select 3 Options)

Answers

Explanations


A. B. C. D. E. F.

Correct Answers: B, C and E

There are some limits for custom roles, as given below:

Each directory can have up to 5000 custom roles.
Azure Germany and Azure China 21Vianet can have up to 2000 custom roles for each directory.
You cannot set AssignableScopes to the root scope ("/").
You cannot use wildcards (*) in AssignableScopes. This wildcard restriction helps ensure a user can't potentially obtain access to a scope by updating the role definition.
You can only define one management group in AssignableScopes of a custom role. Adding a management group to AssignableScopes is currently in preview.
You can have only one wildcard in an action string.
Custom roles with DataActions cannot be assigned at the management group scope.
Azure Resource Manager doesn't validate the management group's existence in the role definition's assignable scope.
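
The limits listed above can be checked on a role definition before it is submitted. The following is an added example, not part of the original page: the function name, the sample definitions, and the reading of the DataActions limit as "no management group in AssignableScopes" are assumptions made for illustration.

```python
# Added example: lint a custom role definition against the limits listed above.
# Keys follow the Azure PowerShell JSON format (Name, Actions, AssignableScopes).
MG_PREFIX = "/providers/microsoft.management/managementgroups/"
# Assumption: the one-wildcard limit is checked on all four permission lists.
ACTION_KEYS = ("Actions", "NotActions", "DataActions", "NotDataActions")

def lint_custom_role(role):
    """Return a list of violations found in one role definition (a dict)."""
    problems = []
    scopes = role.get("AssignableScopes", [])
    mg_scopes = [s for s in scopes if s.lower().startswith(MG_PREFIX)]
    for scope in scopes:
        if scope.strip() == "/":
            problems.append("root scope '/' in AssignableScopes")
        elif "*" in scope:
            problems.append(f"wildcard in AssignableScopes: {scope}")
    if len(mg_scopes) > 1:
        problems.append("more than one management group in AssignableScopes")
    for key in ACTION_KEYS:
        for action in role.get(key, []):
            if action.count("*") > 1:
                problems.append(f"more than one wildcard in {key}: {action}")
    if role.get("DataActions") and mg_scopes:
        problems.append("DataActions with a management group in AssignableScopes")
    return problems

# Constructed sample definitions; subscription ID and group names are placeholders.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
GOOD_ROLE = {
    "Name": "VM Operator (constructed)",
    "Actions": ["Microsoft.Compute/virtualMachines/*"],
    "AssignableScopes": [SUB, SUB + "/resourceGroups/rg-example"],
}
BAD_ROLE = {
    "Name": "Too Broad (constructed)",
    "Actions": ["Microsoft.*/virtualMachines/*"],
    "DataActions": ["Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"],
    "AssignableScopes": ["/", "/subscriptions/*",
                         "/providers/Microsoft.Management/managementGroups/mg-a",
                         "/providers/Microsoft.Management/managementGroups/mg-b"],
}

if __name__ == "__main__":
    for role in (GOOD_ROLE, BAD_ROLE):
        print(role["Name"], lint_custom_role(role) or "OK")
```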

Option A is incorrect.

It is not possible to set AssignableScopes to the root scope ("/").

Option B is correct.

It is true that with custom roles, you can't set AssignableScopes to the root scope ("/").

Option C is correct.

Only 1 wildcard can be added in an action string.

Option D is incorrect.

There is a limit of only one wildcard in an action string.

Option E is correct.

You can't assign custom roles with DataActions at the management group scope.

Option F is incorrect.

It is not possible to assign custom roles with DataActions at the management group scope.

To know more about custom role limits, please visit the below-given limits:

Custom roles in Azure allow administrators to create roles with specific permissions that are not available in built-in roles. These custom roles can be assigned to groups, users, and service principals at various scopes, including management group, subscription, and resource group.

The "AssignableScopes" property determines the scope at which the custom role can be assigned. It specifies the scope or scopes where the role is available to be assigned. Option A is true - you can set AssignableScopes to the root scope ("/"). This means that the custom role can be assigned to any resource in the Azure hierarchy.

Option B is incorrect. You can set AssignableScopes to the root scope ("/"). This is useful if you want to create a role that applies to all resources in an Azure environment.

Option C is incorrect. You can add any number of wildcards in an action string. Action strings define the operations that the custom role can perform. Wildcards can be used in action strings to specify multiple operations with similar names. For example, you can use the wildcard "*" to specify all actions that start with a certain word, such as "Microsoft.Compute/*". This would give the custom role permission to perform any operation that starts with "Microsoft.Compute/".

Option D is true. You can add any number of wildcards in an action string. This provides flexibility when defining custom roles.

Option E is incorrect. You can assign custom roles with DataActions at the management group scope. DataActions allow the custom role to perform actions on data resources, such as databases and storage accounts.

Option F is true. You can assign custom roles with DataActions at the management group scope. This allows administrators to create custom roles with specific permissions for managing data resources at the management group level.