You are setting up a machine learning environment in Azure.
In order to properly control the access of the users to the resources in your workspace, you have created a custom role:
    # define custom role
    {
        "Name": "CustomRole1",
        "IsCustom": true,
        "Description": "My Custom ML Role",
        "Actions": ["*"],
        "NotActions": [
            "Microsoft.MachineLearningServices/workspaces/*/delete",
            "Microsoft.MachineLearningServices/workspaces/write",
            "Microsoft.MachineLearningServices/workspaces/computes/*/write",
            "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
            "Microsoft.Authorization/*/write"
        ],
        "AssignableScopes": [
            "/subscriptions/<subscription_id>/resourceGroups/MyRg/providers/Microsoft.MachineLearningServices/workspaces/MyWsp"
        ]
    }

With any other privileges granted, users assigned to this role...
A. B. C. D.

Correct Answer: A.
Option A is CORRECT because anything except what is explicitly denied by “NotActions” is allowed for the assignees of the role.
Option B is incorrect because deleting compute resources is explicitly denied.
Option C is incorrect because modifying role assignments is explicitly denied by the role definition.
Option D is incorrect because deleting the workspace is explicitly denied by the role definition.
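
The evaluation behind these explanations, as an added example that is not part of the original question: a role grants an operation when it matches "Actions" and does not match "NotActions", and a user's access is the union over all assigned roles, so "NotActions" only holds if no other role grants the excluded operation. The wildcard matcher, the sample operation strings and the second role `COMPUTE_CLEANUP_ROLE` are assumptions constructed for this sketch.

```python
import re

# Role definition from the question. AssignableScopes is left out because it
# controls where the role can be assigned, not which operations match.
CUSTOM_ROLE = {
    "Actions": ["*"],
    "NotActions": [
        "Microsoft.MachineLearningServices/workspaces/*/delete",
        "Microsoft.MachineLearningServices/workspaces/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/write",
        "Microsoft.MachineLearningServices/workspaces/computes/*/delete",
        "Microsoft.Authorization/*/write",
    ],
}

# Hypothetical second role, constructed for this example only.
COMPUTE_CLEANUP_ROLE = {
    "Actions": ["Microsoft.MachineLearningServices/workspaces/computes/delete"],
    "NotActions": [],
}

# Constructed sample operations to evaluate.
RUN_WRITE = "Microsoft.MachineLearningServices/workspaces/experiments/runs/write"
COMPUTE_DELETE = "Microsoft.MachineLearningServices/workspaces/computes/delete"
WORKSPACE_WRITE = "Microsoft.MachineLearningServices/workspaces/write"
ROLE_ASSIGN_WRITE = "Microsoft.Authorization/roleAssignments/write"


def matches(pattern, operation):
    """Assumption of this sketch: '*' matches any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, operation) is not None


def role_allows(role, operation):
    """A single role grants an operation listed in Actions and absent from NotActions."""
    granted = any(matches(p, operation) for p in role["Actions"])
    excluded = any(matches(p, operation) for p in role["NotActions"])
    return granted and not excluded


def user_allows(roles, operation):
    """Role assignments are additive: one role granting the operation is enough."""
    return any(role_allows(role, operation) for role in roles)


if __name__ == "__main__":
    for op in (RUN_WRITE, COMPUTE_DELETE, WORKSPACE_WRITE, ROLE_ASSIGN_WRITE):
        print(op, "->", "allowed" if user_allows([CUSTOM_ROLE], op) else "not granted")
```

With only `CUSTOM_ROLE` assigned, the run operation is allowed and the other three are not granted; adding `COMPUTE_CLEANUP_ROLE` to the same user makes compute deletion allowed again, which is why a review of a role like this should cover the user's other role assignments as well.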
The custom role defined in the given code allows users assigned to this role to perform all actions except the ones specified in the "NotActions" property.
The "Actions" property specifies that users assigned to this role can perform any action on the specified resources. This means that they can submit any type of model runs, create new resources, modify existing resources, and perform any other action that is allowed for the specified resources.
The "NotActions" property lists the actions that are explicitly denied for users assigned to this role. In this case, users assigned to this role are not allowed to delete the workspace or any compute resources associated with it. Additionally, they are not allowed to modify the workspace, such as adding or removing users, as this action falls under the Microsoft.Authorization resource provider.
Therefore, options A and D can be eliminated. Users assigned to this custom role cannot delete the workspace, which eliminates option D. Users assigned to this custom role have full permissions to run any type of model, which eliminates option A.
The "AssignableScopes" property specifies the scope of the role, which limits the resources that users assigned to this role can access. In this case, the scope is limited to the specified workspace, which means that users assigned to this role can only access resources within the specified workspace.
Finally, option C is also incorrect as users assigned to this role cannot modify role assignments or any other resource within the Microsoft.Authorization resource provider.
Therefore, the correct answer is B. Users assigned to this role can delete a compute resource.