Create Custom RBAC Role in Azure - AZ-100 Exam Study Guide

Question

HOTSPOT -

You have an Azure subscription named Subscription1 that has a subscription ID of c276fc76-9cd4-44c9-99a7-4fd71546436e.

You need to create a custom RBAC role named CR1 that meets the following requirements:

-> Can be assigned only to the resource groups in Subscription1

-> Prevents the management of the access permissions for the resource groups

-> Allows the viewing, creating, modifying, and deleting of resources within the resource groups

What should you specify in the assignable scopes and the permission elements of the definition of CR1? To answer, select the appropriate options in the answer area.

NOTE: Each correct selection is worth one point.

Hot Area:

Explanation

References:
https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftresources

A custom role definition has two parts that matter for this question: the assignable scopes, which control where the definition may be assigned, and the permission elements (Actions and NotActions), which control what an assignee may do.

The assignable scopes determine where the role definition can be assigned. Because the role must be usable only inside Subscription1, AssignableScopes is set to the subscription's resource ID, /subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e. One caveat: a subscription-level assignable scope permits assignment at the subscription itself and at any resource group or resource beneath it; it does not limit the role to resource groups only. That is still the expected answer here. A tighter alternative is to list each resource group's ID (/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e/resourceGroups/<name>) explicitly, at the cost of editing the definition whenever a group is added.

The permission elements specify the actions that can be performed by the role. The role should allow viewing, creating, modifying, and deleting of resources within the resource groups, but prevent management of access permissions for the resource groups.

Azure computes a role's effective permissions as the operations matched by Actions minus those matched by NotActions, with * as a wildcard. The requirement to view, create, modify and delete resources of any type within the resource groups cannot be met with Microsoft.Resources operations alone: Microsoft.Resources/subscriptions/resourceGroups/read, write and delete, and Microsoft.Resources/subscriptions/resourceGroups/deployments/*, govern the resource group objects and deployments, not a virtual machine, storage account or virtual network created inside the group. The pattern that meets the requirement is the one the built-in Contributor role uses:

  • Actions: * (every operation of every resource provider)
  • NotActions: Microsoft.Authorization/*/Write, Microsoft.Authorization/*/Delete and Microsoft.Authorization/elevateAccess/Action, which remove the ability to create, change or delete role assignments and role definitions, and to elevate access

Microsoft.Authorization/*/read stays allowed through the wildcard, so the assignee can still see who has access without being able to change it.

Note that NotActions is a subtraction from this role's Actions, not a deny rule. If Microsoft.Authorization/*/Write never matches an Action, listing it in NotActions has no effect, and another role assigned to the same principal can grant the operation regardless. Keep Actions to what the role needs and use NotActions only to carve exceptions out of a broad Action pattern.

The following JSON definition of CR1 meets the requirements and can be created with az role definition create --role-definition cr1.json:

json
{
  "Name": "CR1",
  "IsCustom": true,
  "Description": "View, create, modify and delete resources in the resource groups of Subscription1, without managing access to them.",
  "Actions": [
    "*"
  ],
  "NotActions": [
    "Microsoft.Authorization/*/Write",
    "Microsoft.Authorization/*/Delete",
    "Microsoft.Authorization/elevateAccess/Action"
  ],
  "AssignableScopes": [
    "/subscriptions/c276fc76-9cd4-44c9-99a7-4fd71546436e"
  ]
}

In summary: set AssignableScopes to the subscription ID of Subscription1, grant * in Actions so that resources of every provider can be viewed, created, modified and deleted within the resource groups, and subtract the Microsoft.Authorization write, delete and elevateAccess operations in NotActions so that the role cannot manage access to those groups.