role-scope

jiasli · jiasli · commit 639051b2036d · 2024-12-05T21:28:02.000+08:00
diff --git a/src/azure-cli/azure/cli/command_modules/role/_help.py b/src/azure-cli/azure/cli/command_modules/role/_help.py
@@ -773,10 +773,10 @@
 type: command
 short-summary: Delete role assignments.
 examples:
-  - name: Delete role assignments. (autogenerated)
-    text: |
-        az role assignment delete --assignee 00000000-0000-0000-0000-000000000000 --role "Storage Account Key Operator Service Role"
-    crafted: true
+- name: Delete role assignments by resource ID.
+  text: az role assignment delete --ids /subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Authorization/roleAssignments/00000000-0000-0000-0000-000000000000
+- name: Delete role assignments that satisfies the query conditions.
+  text: az role assignment delete --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup --assignee 00000000-0000-0000-0000-000000000000 --role Reader
 """
 
 helps['role assignment list'] = """
@@ -791,6 +791,11 @@
     After August 31, 2024, all classic administrators risk losing access to the subscription.
     Delete classic administrators who no longer need access or assign an Azure RBAC role for fine-grained access
     control. Learn more: https://go.microsoft.com/fwlink/?linkid=2238474
+examples:
+- name: List role assignments for a subscription
+  text: az role assignment list --scope /subscriptions/00000000-0000-0000-0000-000000000000
+- name: List role assignments for a resource group
+  text: az role assignment list --scope /subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/MyResourceGroup
 """
 
 helps['role assignment list-changelogs'] = """
diff --git a/src/azure-cli/azure/cli/command_modules/role/custom.py b/src/azure-cli/azure/cli/command_modules/role/custom.py
@@ -56,6 +56,16 @@
     "Delete classic administrators who no longer need access or assign an Azure RBAC role for fine-grained access "
     "control. Learn more: https://go.microsoft.com/fwlink/?linkid=2238474")
 
+ROLE_ASSIGNMENT_LIST_SCOPE_WARNING = (
+    "--scope argument will become required for listing role assignments "
+    "in the breaking change release of the spring of 2025. "
+    "Please explicitly specify --scope.")
+
+ROLE_ASSIGNMENT_DELETE_SCOPE_WARNING = (
+    "When --ids is not provided, --scope argument will become required for deleting role assignments "
+    "in the breaking change release of the spring of 2025. "
+    "Please explicitly specify --scope.")
+
 logger = get_logger(__name__)
 
 # pylint: disable=too-many-lines, protected-access
@@ -219,6 +229,9 @@ def list_role_assignments(cmd, assignee=None, role=None, resource_group_name=Non
     :param include_groups: include extra assignments to the groups of which the user is a
     member(transitively).
     '''
+    if not scope:
+        logger.warning(ROLE_ASSIGNMENT_LIST_SCOPE_WARNING)
+
     if include_classic_administrators:
         logger.warning(CLASSIC_ADMINISTRATOR_WARNING)
 
@@ -502,6 +515,9 @@ def _get_displayable_name(graph_object):
 
 def delete_role_assignments(cmd, ids=None, assignee=None, role=None, resource_group_name=None,
                             scope=None, include_inherited=False, yes=None):
+    if not ids and not scope:
+        logger.warning(ROLE_ASSIGNMENT_DELETE_SCOPE_WARNING)
+
     factory = _auth_client_factory(cmd.cli_ctx, scope)
     assignments_client = factory.role_assignments
     definitions_client = factory.role_definitions
