A commonly asked question is, "How do we enforce that EvOps offerings in the Marketplace are the only way for certain users to create and/or update resources?" This can be accomplished by creating a custom role, with suitable permissions, that is assigned to specific users on a selected scope (e.g. a subscription).
Custom Role JSON Template
The Azure Resource Manager template below creates a custom role that limits assigned users to read permissions on all resources in a subscription, except for the EvOps resources needed to create requests and interact with assigned activities.
To create the custom role, perform a deployment using the template below against the subscription on which you want to enable the role.
{
  "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "apiProfile": "2018-03-01-hybrid",
  "parameters": {},
  "variables": {
    "roleId": "[guid(subscription().subscriptionId)]"
  },
  "resources": [
    {
      "type": "Microsoft.Authorization/roleDefinitions",
      "name": "[variables('roleId')]",
      "location": "[resourceGroup().location]",
      "properties": {
        "roleName": "[concat('Requester_',variables('roleId'))]",
        "assignableScopes": [
          "[subscription().id]",
          "[resourceGroup().id]"
        ],
        "description": "Use this role to force users to create a request.",
        "permissions": [
          {
            "actions": [
              "*/read",
              "Microsoft.Resources/subscriptions/resourceGroups/*",
              "Gridpro.EvOps/register/action",
              "Gridpro.EvOps/locations/requests/*",
              "Gridpro.EvOps/locations/IdentityAssignments/*",
              "Gridpro.EvOps/locations/GlobalSettings/action",
              "Gridpro.EvOps/proxyextension/restApi/action"
            ],
            "notActions": []
          }
        ]
      }
    }
  ],
  "outputs": {}
}
This template could of course be customized for different scenarios. For more information on custom roles see: https://docs.microsoft.com/en-us/azure/role-based-access-control/custom-roles
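Before assigning a role like this, it is worth checking exactly which operations its Actions list permits. The following is an added example (not part of the article or of the EvOps product) that evaluates a set of operation names against the template's permission block using Azure RBAC's matching rules: action strings are case-insensitive, "*" matches any run of characters including "/", and NotActions only subtract from Actions. It also goes one step beyond the template by showing how adding a NotActions entry narrows the role. The operation names under Gridpro.EvOps and the two-argument NotActions scenario are constructed for illustration.

```python
import re

# Actions and NotActions copied from the article's Requester_ role template.
ROLE_ACTIONS = [
    "*/read",
    "Microsoft.Resources/subscriptions/resourceGroups/*",
    "Gridpro.EvOps/register/action",
    "Gridpro.EvOps/locations/requests/*",
    "Gridpro.EvOps/locations/IdentityAssignments/*",
    "Gridpro.EvOps/locations/GlobalSettings/action",
    "Gridpro.EvOps/proxyextension/restApi/action",
]
ROLE_NOT_ACTIONS = []


def _pattern_matches(pattern: str, operation: str) -> bool:
    """Azure RBAC action matching: case-insensitive, and '*' matches any
    sequence of characters, including '/' separators."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, operation.lower()) is not None


def is_allowed(operation: str, actions=ROLE_ACTIONS, not_actions=ROLE_NOT_ACTIONS) -> bool:
    """A permission block grants an operation when at least one Actions
    pattern matches it and no NotActions pattern matches it.  NotActions
    is a subtraction from Actions, not a deny that wins over other roles."""
    granted = any(_pattern_matches(a, operation) for a in actions)
    excluded = any(_pattern_matches(n, operation) for n in not_actions)
    return granted and not excluded


def evaluate(operations, actions=ROLE_ACTIONS, not_actions=ROLE_NOT_ACTIONS) -> dict:
    """Map each operation name to True (permitted) or False (not permitted)."""
    return {op: is_allowed(op, actions, not_actions) for op in operations}


# Constructed sample operations; the Gridpro.EvOps names follow the template's
# patterns and are illustrative, not a product operation list.
SAMPLE_OPERATIONS = [
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Compute/virtualMachines/write",
    "Microsoft.Compute/virtualMachines/delete",
    "Microsoft.Resources/subscriptions/resourceGroups/write",
    "Microsoft.Resources/subscriptions/resourceGroups/delete",
    "Gridpro.EvOps/locations/requests/write",
    "Microsoft.Authorization/roleAssignments/write",
]

if __name__ == "__main__":
    print("As written in the template:")
    for op, ok in evaluate(SAMPLE_OPERATIONS).items():
        print(f"  {'ALLOW' if ok else 'deny '}  {op}")

    # Hypothetical tightening: keep resource-group management but remove delete.
    narrowed = ["Microsoft.Resources/subscriptions/resourceGroups/delete"]
    print("With a NotActions entry for resource-group delete:")
    for op, ok in evaluate(SAMPLE_OPERATIONS, ROLE_ACTIONS, narrowed).items():
        print(f"  {'ALLOW' if ok else 'deny '}  {op}")
```

Running it shows the intended outcome (reads everywhere, writes only under the EvOps request paths, no role assignments) and one point to decide on consciously: the "Microsoft.Resources/subscriptions/resourceGroups/*" entry also permits resource-group delete, which the NotActions variant at the end removes if that is not wanted.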