
Commit 0aac172

Merge pull request #300579 from jenniferf-skc/AzureABACDeleteRoleAssignment
Adding error message, symptom and solution for deleting a role assign…
2 parents 17ceeaa + f27cf04 commit 0aac172

1 file changed

+18
-4
lines changed


articles/role-based-access-control/conditions-troubleshoot.md

Lines changed: 18 additions & 4 deletions
@@ -1,14 +1,14 @@
11
---
22
title: Troubleshoot Azure role assignment conditions - Azure ABAC
33
description: Troubleshoot Azure role assignment conditions
4-
author: rolyon
5-
manager: femila
4+
author: jenniferf-skc
5+
manager: pmwongera
66
ms.service: role-based-access-control
77
ms.subservice: conditions
88
ms.topic: troubleshooting
99
ms.custom: devx-track-azurepowershell, devx-track-azurecli
10-
ms.date: 04/15/2024
11-
ms.author: rolyon
10+
ms.date: 05/29/2025
11+
ms.author: jfields
1212
---
1313

1414
# Troubleshoot Azure role assignment conditions
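
Review bot: The front-matter changes to `author`, `manager` and `ms.author` are an ownership handover that the commit title ("Adding error message, symptom and solution for deleting a role assign…") does not mention. Suggest calling it out in the pull request description or moving it to its own commit so the change of page owner is easy to find in history. The `ms.date` bump to 05/29/2025 fits the content change made in the same commit.
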
@@ -384,6 +384,20 @@ In Bash, if history expansion is enabled, you might see the message `bash: !: ev
384384

385385
Disable history expansion with the command `set +H`. To re-enable history expansion, use `set -H`.
386386

387+
## Error messages in API
388+
389+
### Symptom - HTTP 403 Forbidden response when deleting a role assignment
390+
391+
Consider a principal that has authorization permissions to modify role assignments and the authorization permissions also include an ABAC condition. If the principal attempts to delete a role assignment that was already deleted or doesn't exist, they receive the `HTTP 403 Forbidden` response instead of the expected `HTTP 204 No Content` response.
392+
393+
**Cause**
394+
395+
When a principal has permissions that include an ABAC condition, the system attempts to read the attribute during condition evaluation. If the attribute does not exist, this can result in an unexpected response instead of the expected outcome.
396+
397+
**Solution**
398+
399+
When handling responses for authorization permissions that also include a condition, you should also handle the `403 Forbidden` response. The `403 Forbidden` response can potentially indicate insufficient permissions, that the role assignment was already deleted, or that the role assignment doesn't exist.
400+
387401
## Next steps
388402

389403
- [Azure role assignment condition format and syntax](conditions-format.md)
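
Review bot: The Solution paragraph at the end of the new section tells callers to handle `403 Forbidden` but gives three meanings for it (insufficient permissions, role assignment already deleted, role assignment doesn't exist) without saying how to tell them apart. A client that treats every 403 on delete as "already gone" will hide a real authorization failure, so the text should either give a way to distinguish the cases or state plainly that the caller cannot distinguish them and should not treat 403 as success. The Cause paragraph is vague in the same way: "this can result in an unexpected response instead of the expected outcome" should name the `HTTP 403 Forbidden` response and say which attribute is being read. Minor style point: Cause uses "does not exist" while Symptom and Solution use "doesn't exist".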
