
Deny assignment using blueprint for particular Management group #71

@dimaMo9494

Description

Hello,

We would like to request a new feature/possible workaround for the following scenario:
We have multiple subscriptions under a single tenant, all 2000+ of which inherit their IAM from the Management AD group created in Azure Active Directory. How do we restrict all of them and allow only one group from this Management AD group to get access to the one subscription that holds sensitive data? How do we deny users from seeing specific resources using a deny assignment?

However, from the discussions we had with the Azure Blueprint and RBAC teams over a support ticket, we confirmed that this is an unsupported scenario for the following reasons:
++ From the Blueprint perspective, there is no place to modify / customize "DataActions". The only option is to add delete/read-only locks, as recommended here: https://docs.microsoft.com/en-us/azure/governance/blueprints/concepts/resource-locking
++ Although https://docs.microsoft.com/en-us/azure/role-based-access-control/deny-assignments mentions deny assignments, the assignment can only be deployed through Azure Blueprints or Azure Managed Applications. As Blueprints only supports built-in roles, we are not able to create a custom role and leverage Blueprints to do the assignment. Unfortunately.
++ From the RBAC role perspective, it cannot meet your requirement. Although an RBAC role has "NotActions" or "NotDataActions", these kinds of "Not" entries specify the control-plane actions that are subtracted or excluded from the allowed Actions that have a wildcard (*). It means you need to put the relevant permissions (such as *) in the custom role itself first. It doesn't subtract or exclude permissions across roles. Azure RBAC is an additive model, so your effective permissions are the sum of your role assignments. This is why an RBAC role cannot meet the customer requirement.

Any help please? Rebuilding/redoing the design architecture is not an option at all...
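To make the evaluation rules described in the issue concrete (NotActions only subtracts from the same role's wildcard Actions, role assignments add up across roles, and a deny assignment is applied on top of that sum), here is a small simulator of that model. It is an added illustration, not Azure's own authorization engine or any code from the Azure Blueprints project; the role names, action strings and the `_matches` wildcard comparison are constructed and simplified for the example.

```python
import fnmatch
from typing import Dict, Iterable, List

# Constructed role definitions (hypothetical, not real Azure built-in roles),
# shaped like the "permissions" block of an Azure custom role definition.
ROLE_DEFS: Dict[str, dict] = {
    "TeamWideReader": {
        "Actions": ["*/read"],
        "NotActions": [],
    },
    # NotActions here only carves Key Vault out of THIS role's own "*" wildcard.
    "OpsNoKeyVault": {
        "Actions": ["*"],
        "NotActions": ["Microsoft.KeyVault/*"],
    },
}


def _matches(action: str, patterns: Iterable[str]) -> bool:
    """Simplified, case-insensitive wildcard match for action strings.

    Assumption: '*' may span '/' separators, as it does in Azure action patterns.
    """
    a = action.lower()
    return any(fnmatch.fnmatchcase(a, p.lower()) for p in patterns)


def role_allows(role: dict, action: str) -> bool:
    """Within a single role: allowed iff matched by Actions and not excluded by NotActions."""
    return _matches(action, role["Actions"]) and not _matches(action, role["NotActions"])


def effective_allow(assigned_roles: List[str], action: str,
                    role_defs: Dict[str, dict] = ROLE_DEFS) -> bool:
    """Additive model: the principal may perform the action if ANY assigned role allows it.

    A NotActions entry in one role cannot remove what another role grants.
    """
    return any(role_allows(role_defs[r], action) for r in assigned_roles)


def is_permitted(assigned_roles: List[str], action: str,
                 deny_patterns: Iterable[str] = (),
                 role_defs: Dict[str, dict] = ROLE_DEFS) -> bool:
    """Deny assignment semantics: a matching deny wins regardless of the role sum."""
    if _matches(action, deny_patterns):
        return False
    return effective_allow(assigned_roles, action, role_defs)


if __name__ == "__main__":
    principal_roles = ["OpsNoKeyVault", "TeamWideReader"]
    kv_read = "Microsoft.KeyVault/vaults/read"

    # The NotActions carve-out in OpsNoKeyVault does not help once TeamWideReader
    # is also assigned: the additive sum still grants the Key Vault read.
    print("NotActions only:", effective_allow(principal_roles, kv_read))   # True

    # Only a deny assignment removes the permission across every assigned role.
    print("With deny assignment:",
          is_permitted(principal_roles, kv_read, deny_patterns=["Microsoft.KeyVault/*"]))  # False
```

Running the module shows the two outcomes the issue contrasts: with roles alone the sensitive read stays allowed because the second role re-grants it, while the deny pattern blocks it no matter how many roles contribute. This is the same reason the issue concludes that custom roles with NotActions cannot express "everyone except one group", and why the discussion turns to deny assignments, which (as the linked documentation states) can only be created through Blueprints or Managed Applications.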
