[Az.Resources] Support AtScope for Get-AzRoleAssignment. (#27113)

* support atscope for get-roleassignment

* Update Changelog

* Switch Parameter

* description

* description

* rename test case

* rename test case

* minor fix

* Update src/Resources/Resources/ChangeLog.md

Co-authored-by: Yeming Liu <[email protected]>

---------

Co-authored-by: Yeming Liu <[email protected]>
Co-authored-by: Yabo Hu <[email protected]>

Author: 3 people

src/Resources/Resources.Test/ScenarioTests/RoleAssignmentTests.cs

@@ -140,6 +140,13 @@ public void RaGetByScope()
             TestRunner.RunTestScript("Test-RaGetByScope");
         }
 
+        [Fact]
+        [Trait(Category.AcceptanceType, Category.CheckIn)]
+        public void RaGetWithAtScope()
+        {
+            TestRunner.RunTestScript("Test-RaGetWithAtScope");
+        }
+
         [Fact]
         [Trait(Category.AcceptanceType, Category.LiveOnly)]
         public void RaGetOnlyByRoleDefinitionName()

src/Resources/Resources.Test/ScenarioTests/RoleAssignmentTests.ps1

@@ -551,6 +551,31 @@ function Test-RaGetByScope
     VerifyRoleAssignmentDeleted $newAssignment1
 }
 
+<#
+.SYNOPSIS
+Tests verifies get of RoleAssignment With AtScope
+#>
+function Test-RaGetWithAtScope
+{
+    # Setup
+    $subscription = $(Get-AzContext).Subscription
+    $resourceGroups = Get-AzResourceGroup | Select-Object -Last 9 -Wait
+    $scope1 = '/subscriptions/'+ $subscription[0].Id
+    $scope2 = '/subscriptions/'+ $subscription[0].Id +'/resourceGroups/' + $resourceGroups[0].ResourceGroupName
+    
+    $ras_scope_list = @()
+    $ras_atscope_list = @()
+    
+    $ras_scope = Get-AzRoleAssignment -Scope $scope1
+    $ras_scope | Select-Object -ExpandProperty Scope -Unique | ForEach-Object { $ras_scope_list += $_ }
+
+    $ras_atscope = Get-AzRoleAssignment -Scope $scope1 -AtScope
+    $ras_atscope | Select-Object -ExpandProperty Scope -Unique | ForEach-Object { $ras_atscope_list += $_ }
+
+    Assert-True { $ras_scope_list -contains $scope2 }
+    Assert-False { $ras_Atscope_list -contains $scope2 }
+}
+
 <#
 .SYNOPSIS
 Tests verifies get of RoleAssignment using only the role definition name

src/Resources/Resources.Test/SessionRecords/Microsoft.Azure.Commands.Resources.Test.ScenarioTests.RoleAssignmentTests/RaGetWithAtScope.json

@@ -19,6 +19,7 @@
 -->
 
 ## Upcoming Release
+* Supported getting role assignments at the exact scope via `-AtScope` for `Get-AzRoleAssignment`. 
 
 ## Version 7.8.1
 * Updated to use bicep parameter --documentation-uri instead of the deprecated --documentationUri

src/Resources/Resources/ChangeLog.md

@@ -192,7 +192,7 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
             // https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest
             // https://learn.microsoft.com/en-us/azure/role-based-access-control/elevate-access-global-admin#elevate-access-for-a-global-administrator-1
             // scope is path variable in REST API. When scope is '/', query '$filter=atScope()' is required, or else it will throw BadRequest.
-            Boolean isRootScope = "/".Equals(options.Scope);
+            Boolean needsAtScope = "/".Equals(options.Scope) || options.AtScope;
             Boolean needsFilterPrincipalId = false;
             if (options.ADObjectFilter?.HasFilter ?? false)
             {
@@ -215,7 +215,7 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
                     }
 
                     principalId = adObject.Id.ToString();
-                    if (isRootScope)
+                    if (needsAtScope)
                     {
                         odataQuery = new ODataQuery<RoleAssignmentFilter>(f => (f.AtScope() && f.AssignedTo(principalId)));
                     }
@@ -227,7 +227,7 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
                 else
                 {
                     principalId = string.IsNullOrEmpty(options.ADObjectFilter.Id) ? adObject.Id.ToString() : options.ADObjectFilter.Id;
-                    if (isRootScope)
+                    if (needsAtScope)
                     {
                         /* $filter = principalId + eq + '{objectId}' Lists role assignments for a specified user, group, or service principal.
                          * If you use atScope() and principalId+eq + '{objectId}' together, it will throw exception because the API doesn't allow it.
@@ -243,7 +243,7 @@ public List<PSRoleAssignment> FilterRoleAssignments(FilterRoleAssignmentsOptions
                     }
                 }
             }
-            else if (isRootScope)
+            else if (needsAtScope)
             {
                 odataQuery = new ODataQuery<RoleAssignmentFilter>(f => f.AtScope());
             }

src/Resources/Resources/Models.Authorization/AuthorizationClient.cs

@@ -58,6 +58,8 @@ public string Scope
 
         public ADObjectFilterOptions ADObjectFilter { get; set; }
 
+        public bool AtScope { get; set; }
+
         public bool ExpandPrincipalGroups { get; set; }
 
         public bool IncludeClassicAdministrators { get; set; }

src/Resources/Resources/Models.Authorization/FilterRoleAssignmentsOptions.cs

@@ -178,6 +178,18 @@ public class GetAzureRoleAssignmentCommand : ResourcesBaseCmdlet
         [ScopeCompleter]
         public string Scope { get; set; }
 
+        [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, ParameterSetName = ParameterSet.Scope,
+            HelpMessage = "If specified, lists role assignments for only the specified scope, not including the role assignments at subscopes.")]
+        [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, ParameterSetName = ParameterSet.ScopeWithObjectId,
+            HelpMessage = "If specified, lists role assignments for only the specified scope, not including the role assignments at subscopes.")]
+        [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, ParameterSetName = ParameterSet.ScopeWithSignInName,
+            HelpMessage = "If specified, lists role assignments for only the specified scope, not including the role assignments at subscopes.")]
+        [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, ParameterSetName = ParameterSet.ScopeWithSPN,
+            HelpMessage = "If specified, lists role assignments for only the specified scope, not including the role assignments at subscopes.")]
+        [Parameter(Mandatory = false, ValueFromPipelineByPropertyName = true, ParameterSetName = ParameterSet.RoleIdWithScopeAndObjectId,
+            HelpMessage = "If specified, lists role assignments for only the specified scope, not including the role assignments at subscopes.")]
+        public SwitchParameter AtScope { get; set; }
+
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet.ObjectId,
             HelpMessage = "If specified, returns role assignments directly assigned to the principal as well as assignments to the principal's groups (transitive). Supported only for User Principals.")]
         [Parameter(Mandatory = false, ParameterSetName = ParameterSet.SignInName,
@@ -245,8 +257,9 @@ public override void ExecuteCmdlet()
                     ResourceType = ResourceType,
                     Subscription = DefaultProfile.DefaultContext.Subscription?.Id?.ToString()
                 },
-                ExpandPrincipalGroups = ExpandPrincipalGroups.IsPresent,
-                IncludeClassicAdministrators = IncludeClassicAdministrators.IsPresent,
+                AtScope = AtScope,
+                ExpandPrincipalGroups = ExpandPrincipalGroups,
+                IncludeClassicAdministrators = IncludeClassicAdministrators,
             };
 
             if (options.Scope == null && options.ResourceIdentifier.Subscription == null)

src/Resources/Resources/RoleAssignments/GetAzureRoleAssignmentCommand.cs

@@ -29,123 +29,123 @@ Please notice that this cmdlet will mark `ObjectType` as `Unknown` in output if
 ```
 Get-AzRoleAssignment [-RoleDefinitionName <String>] [-IncludeClassicAdministrators]
  [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ObjectIdParameterSet
 ```
 Get-AzRoleAssignment -ObjectId <String> [-RoleDefinitionName <String>] [-ExpandPrincipalGroups]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ResourceGroupWithObjectIdParameterSet
 ```
 Get-AzRoleAssignment -ObjectId <String> -ResourceGroupName <String> [-RoleDefinitionName <String>]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ResourceWithObjectIdParameterSet
 ```
 Get-AzRoleAssignment -ObjectId <String> -ResourceGroupName <String> -ResourceName <String>
  -ResourceType <String> [-ParentResource <String>] [-RoleDefinitionName <String>]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ScopeWithObjectIdParameterSet
 ```
-Get-AzRoleAssignment -ObjectId <String> [-RoleDefinitionName <String>] -Scope <String>
+Get-AzRoleAssignment -ObjectId <String> [-RoleDefinitionName <String>] -Scope <String> [-AtScope]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### RoleIdWithScopeAndObjectIdParameterSet
 ```
-Get-AzRoleAssignment [-ObjectId <String>] -RoleDefinitionId <Guid> [-Scope <String>]
+Get-AzRoleAssignment [-ObjectId <String>] -RoleDefinitionId <Guid> [-Scope <String>] [-AtScope]
  [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ResourceGroupWithSignInNameParameterSet
 ```
 Get-AzRoleAssignment -SignInName <String> -ResourceGroupName <String> [-RoleDefinitionName <String>]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ResourceWithSignInNameParameterSet
 ```
 Get-AzRoleAssignment -SignInName <String> -ResourceGroupName <String> -ResourceName <String>
  -ResourceType <String> [-ParentResource <String>] [-RoleDefinitionName <String>]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ScopeWithSignInNameParameterSet
 ```
-Get-AzRoleAssignment -SignInName <String> [-RoleDefinitionName <String>] -Scope <String>
+Get-AzRoleAssignment -SignInName <String> [-RoleDefinitionName <String>] -Scope <String> [-AtScope]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### SignInNameParameterSet
 ```
 Get-AzRoleAssignment -SignInName <String> [-RoleDefinitionName <String>] [-ExpandPrincipalGroups]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ResourceGroupWithSPNParameterSet
 ```
 Get-AzRoleAssignment -ServicePrincipalName <String> -ResourceGroupName <String> [-RoleDefinitionName <String>]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ResourceWithSPNParameterSet
 ```
 Get-AzRoleAssignment -ServicePrincipalName <String> -ResourceGroupName <String> -ResourceName <String>
  -ResourceType <String> [-ParentResource <String>] [-RoleDefinitionName <String>]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ScopeWithSPNParameterSet
 ```
-Get-AzRoleAssignment -ServicePrincipalName <String> [-RoleDefinitionName <String>] -Scope <String>
+Get-AzRoleAssignment -ServicePrincipalName <String> [-RoleDefinitionName <String>] -Scope <String> [-AtScope]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### SPNParameterSet
 ```
 Get-AzRoleAssignment -ServicePrincipalName <String> [-RoleDefinitionName <String>]
  [-IncludeClassicAdministrators] [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ResourceGroupParameterSet
 ```
 Get-AzRoleAssignment -ResourceGroupName <String> [-RoleDefinitionName <String>] [-IncludeClassicAdministrators]
  [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ResourceParameterSet
 ```
 Get-AzRoleAssignment -ResourceGroupName <String> -ResourceName <String> -ResourceType <String>
  [-ParentResource <String>] [-RoleDefinitionName <String>] [-IncludeClassicAdministrators]
  [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ### ScopeParameterSet
 ```
-Get-AzRoleAssignment [-RoleDefinitionName <String>] -Scope <String> [-IncludeClassicAdministrators]
+Get-AzRoleAssignment [-RoleDefinitionName <String>] -Scope <String> [-AtScope] [-IncludeClassicAdministrators]
  [-SkipClientSideScopeValidation] [-DefaultProfile <IAzureContextContainer>]
- [<CommonParameters>]
+ [-ProgressAction <ActionPreference>] [<CommonParameters>]
 ```
 
 ## DESCRIPTION
@@ -213,6 +213,21 @@ Gets role assignments for the specified Service Principal using Get-AzAdServiceP
 
 ## PARAMETERS
 
+### -AtScope
+If specified, lists role assignments for only the specified scope, not including the role assignments at subscopes.
+
+```yaml
+Type: System.Management.Automation.SwitchParameter
+Parameter Sets: ScopeWithObjectIdParameterSet, RoleIdWithScopeAndObjectIdParameterSet, ScopeWithSignInNameParameterSet, ScopeWithSPNParameterSet, ScopeParameterSet
+Aliases:
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: True (ByPropertyName)
+Accept wildcard characters: False
+```
+
 ### -DefaultProfile
 The credentials, account, tenant, and subscription used for communication with azure
 
@@ -303,6 +318,21 @@ Accept pipeline input: True (ByPropertyName)
 Accept wildcard characters: False
 ```
 
+### -ProgressAction
+{{ Fill ProgressAction Description }}
+
+```yaml
+Type: System.Management.Automation.ActionPreference
+Parameter Sets: (All)
+Aliases: proga
+
+Required: False
+Position: Named
+Default value: None
+Accept pipeline input: False
+Accept wildcard characters: False
+```
+
 ### -ResourceGroupName
 The resource group name.
 Lists role assignments that are effective at the specified resource group.