Merge pull request #272195 from rolyon/rolyon-rbac-constrained-delegation-edit-conditions

[Azure ABAC] Edit conditions for delegate role assignment management

Author: v-dirichards

articles/role-based-access-control/conditions-authorization-actions-attributes.md

@@ -6,7 +6,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
-ms.date: 01/30/2024
+ms.date: 04/15/2024
 ms.author: rolyon
 #Customer intent: As a dev, devops, or it admin, I want to
 ---
@@ -55,7 +55,7 @@ This section lists the authorization attributes you can use in your condition ex
 > | **Attribute** | `Microsoft.Authorization/roleAssignments:RoleDefinitionId` |
 > | **Attribute source** | Request<br/>Resource |
 > | **Attribute type** | GUID |
-> | **Operators** | [GuidEquals](conditions-format.md#guid-comparison-operators)<br/>[GuidNotEquals](conditions-format.md#guid-comparison-operators)<br/>[ForAnyOfAnyValues:GuidEquals](conditions-format.md#foranyofanyvalues)<br/>[ForAnyOfAnyValues:GuidNotEquals](conditions-format.md#foranyofanyvalues) |
+> | **Operators** | [GuidEquals](conditions-format.md#guid-comparison-operators)<br/>[GuidNotEquals](conditions-format.md#guid-comparison-operators)<br/>[ForAnyOfAnyValues:GuidEquals](conditions-format.md#foranyofanyvalues)<br/>[ForAnyOfAllValues:GuidNotEquals](conditions-format.md#foranyofallvalues) |
 > | **Examples** | `@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals {b24988ac-6180-42a0-ab88-20f7382dd24c, acdd72a7-3385-48ef-bd42-f606fba81ae7}`<br/>[Example: Constrain roles](delegate-role-assignments-examples.md#example-constrain-roles) |
 
 ### Principal ID
@@ -68,7 +68,7 @@ This section lists the authorization attributes you can use in your condition ex
 > | **Attribute** | `Microsoft.Authorization/roleAssignments:PrincipalId` |
 > | **Attribute source** | Request<br/>Resource |
 > | **Attribute type** | GUID |
-> | **Operators** | [GuidEquals](conditions-format.md#guid-comparison-operators)<br/>[GuidNotEquals](conditions-format.md#guid-comparison-operators)<br/>[ForAnyOfAnyValues:GuidEquals](conditions-format.md#foranyofanyvalues)<br/>[ForAnyOfAnyValues:GuidNotEquals](conditions-format.md#foranyofanyvalues) |
+> | **Operators** | [GuidEquals](conditions-format.md#guid-comparison-operators)<br/>[GuidNotEquals](conditions-format.md#guid-comparison-operators)<br/>[ForAnyOfAnyValues:GuidEquals](conditions-format.md#foranyofanyvalues)<br/>[ForAnyOfAllValues:GuidNotEquals](conditions-format.md#foranyofallvalues) |
 > | **Examples** | `@Request[Microsoft.Authorization/roleAssignments:PrincipalId] ForAnyOfAnyValues:GuidEquals {28c35fea-2099-4cf5-8ad9-473547bc9423, 86951b8b-723a-407b-a74a-1bca3f0c95d0}`<br/>[Example: Constrain roles and specific groups](delegate-role-assignments-examples.md#example-constrain-roles-and-specific-groups) |
 
 ### Principal type
@@ -82,7 +82,7 @@ This section lists the authorization attributes you can use in your condition ex
 > | **Attribute source** | Request<br/>Resource |
 > | **Attribute type** | STRING |
 > | **Values** | User<br/>ServicePrincipal<br/>Group |
-> | **Operators** | [StringEqualsIgnoreCase](conditions-format.md#stringequals)<br/>[StringNotEqualsIgnoreCase](conditions-format.md#stringnotequals)<br/>[ForAnyOfAnyValues:StringEqualsIgnoreCase](conditions-format.md#foranyofanyvalues)<br/>[ForAnyOfAnyValues:StringNotEqualsIgnoreCase](conditions-format.md#foranyofanyvalues) |
+> | **Operators** | [StringEqualsIgnoreCase](conditions-format.md#stringequals)<br/>[StringNotEqualsIgnoreCase](conditions-format.md#stringnotequals)<br/>[ForAnyOfAnyValues:StringEqualsIgnoreCase](conditions-format.md#foranyofanyvalues)<br/>[ForAnyOfAllValues:StringNotEqualsIgnoreCase](conditions-format.md#foranyofallvalues) |
 > | **Examples** | `@Request[Microsoft.Authorization/roleAssignments:PrincipalType] ForAnyOfAnyValues:StringEqualsIgnoreCase {'User', 'Group'}`<br/>[Example: Constrain roles and principal types](delegate-role-assignments-examples.md#example-constrain-roles-and-principal-types) |
 
 ## Next steps

articles/role-based-access-control/conditions-role-assignments-portal.md

@@ -150,7 +150,7 @@ Once you have the Add role assignment condition page open, you can review the ba
 
     If you don't see the View/Edit link, be sure you're looking at the same scope as the role assignment.
 
-    ![Role assignment list with View/Edit link for condition.](./media/conditions-role-assignments-portal/condition-role-assignments-list-edit.png)
+    ![Role assignment list with View/Edit link for condition.](./media/shared/condition-role-assignments-list-edit.png)
 
     The Add role assignment condition page appears.
 

articles/role-based-access-control/conditions-role-assignments-powershell.md

@@ -7,7 +7,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: how-to
 ms.custom: devx-track-azurepowershell
-ms.date: 10/24/2022
+ms.date: 04/15/2024
 ms.author: rolyon
 ---
 
@@ -162,6 +162,37 @@ ConditionVersion   : 2.0
 Condition          : ((!(ActionMatches{'Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read'})) OR (@Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container' OR @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:name] StringEquals 'blobs-example-container2'))
 ```
 
+### Edit conditions in multiple role assignments
+
+If you need to make the same update to multiple role assignments, you can use a loop. The following commands perform the following task:
+
+- Finds role assignments in a subscription with `<find-condition-string-1>` or `<find-condition-string-2>` strings in the condition.
+
+    ```azurepowershell
+    $tenantId = "<your-tenant-id>"
+    $subscriptionId = "<your-subscription-id>";
+    $scope = "/subscriptions/$subscriptionId"
+    $findConditionString1 = "<find-condition-string-1>"
+    $findConditionString2 = "<find-condition-string-2>"
+    Connect-AzAccount -TenantId $tenantId -SubscriptionId $subscriptionId
+    $roleAssignments = Get-AzRoleAssignment -Scope $scope
+    $foundRoleAssignments = $roleAssignments | Where-Object { ($_.Condition -Match $findConditionString1) -Or ($_.Condition -Match $findConditionString2) }
+    ```
+
+The following commands perform the following tasks:
+
+- In the condition of the found role assignments, replaces `<condition-string>` with `<replace-condition-string>`.
+- Updates the role assignments with the changes.
+
+    ```azurepowershell
+    $conditionString = "<condition-string>"
+    $conditionStringReplacement = "<condition-string-replacement>"
+    $updatedRoleAssignments = $foundRoleAssignments | ForEach-Object { $_.Condition = $_.Condition -replace $conditionString, $conditionStringReplacement; $_ }
+    $updatedRoleAssignments | ForEach-Object { Set-AzRoleAssignment -InputObject $_ -PassThru }
+    ```
+
+If strings include special characters, such as square brackets ([ ]), you'll need to escape these characters with a backslash (\\).
+
 ## List a condition
 
 To list a role assignment condition, use [Get-AzRoleAssignment](/powershell/module/az.resources/get-azroleassignment). For more information, see [List Azure role assignments using Azure PowerShell](role-assignments-list-powershell.md).

articles/role-based-access-control/conditions-troubleshoot.md

@@ -7,7 +7,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: troubleshooting
 ms.custom: devx-track-azurepowershell, devx-track-azurecli
-ms.date: 02/27/2024
+ms.date: 04/15/2024
 ms.author: rolyon
 ---
 
@@ -65,6 +65,35 @@ Fix any [condition format or syntax](conditions-format.md) issues. Alternatively
 
 ## Issues in the visual editor
 
+### Symptom - Condition editor appears when editing a condition
+
+You created a condition using a template described in [Delegate Azure role assignment management to others with conditions](./delegate-role-assignments-portal.md). When you try to edit the condition, you see the advanced condition editor.
+
+:::image type="content" source="./media/conditions-troubleshoot/condition-editor.png" alt-text="Screenshot of condition editor that shows options to edit a condition." lightbox="./media/conditions-troubleshoot/condition-editor.png":::
+
+When you previously edited the condition, you edited using the condition template.
+
+:::image type="content" source="./media/shared/condition-templates-edit.png" alt-text="Screenshot of condition templates with matching template enabled." lightbox="./media/shared/condition-templates-edit.png":::
+
+**Cause**
+
+The condition doesn't match the pattern for the template.
+
+**Solution 1**
+
+Edit the condition to match one of the following template patterns.
+
+| Template | Condition |
+| --- | --- |
+| Constrain roles | [Example: Constrain roles](delegate-role-assignments-examples.md#example-constrain-roles) |
+| Constrain roles and principal types | [Example: Constrain roles and principal types](delegate-role-assignments-examples.md#example-constrain-roles-and-principal-types) |
+| Constrain roles and principals | [Example: Constrain roles and specific groups](delegate-role-assignments-examples.md#example-constrain-roles-and-specific-groups) |
+| Allow all except specific roles | [Example: Allow most roles, but don't allow others to assign roles](delegate-role-assignments-examples.md#example-allow-most-roles-but-dont-allow-others-to-assign-roles) |
+
+**Solution 2**
+
+Delete the condition and recreate it using the steps at [Delegate Azure role assignment management to others with conditions](./delegate-role-assignments-portal.md).
+
 ### Symptom - Principal does not appear in Attribute source
 
 When you try to add a role assignment with a condition, **Principal** doesn't appear in the **Attribute source** list.

articles/role-based-access-control/delegate-role-assignments-examples.md

@@ -7,7 +7,7 @@ ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: conceptual
 ms.custom: devx-track-azurepowershell
-ms.date: 01/30/2024
+ms.date: 04/15/2024
 ms.author: rolyon
 #Customer intent: As a dev, devops, or it admin, I want to learn about the conditions so that I write more complex conditions.
 ---
@@ -694,7 +694,13 @@ You must add this condition to any role assignments for the delegate that includ
 
 # [Template](#tab/template)
 
-None
+Here are the settings to add this condition using the Azure portal and a condition template.
+
+> [!div class="mx-tableFixed"]
+> | Condition | Setting |
+> | --- | --- |
+> | Template | Allow all except specific roles |
+> | Exclude roles | [Owner](built-in-roles.md#owner)<br/>[Role Based Access Control Administrator](built-in-roles.md#role-based-access-control-administrator)<br/>[User Access Administrator](built-in-roles.md#user-access-administrator) |
 
 # [Condition editor](#tab/condition-editor)
 

articles/role-based-access-control/delegate-role-assignments-portal.md

@@ -6,7 +6,7 @@ manager: amycolannino
 ms.service: role-based-access-control
 ms.subservice: conditions
 ms.topic: how-to
-ms.date: 01/30/2024
+ms.date: 04/15/2024
 ms.author: rolyon
 #Customer intent: As a dev, devops, or it admin, I want to delegate Azure role assignment management to other users who are closer to the decision, but want to limit the scope of the role assignments.
 ---
@@ -73,6 +73,7 @@ There are two ways that you can add a condition. You can use a condition templat
     | Constrain roles | Allow user to only assign roles you select |
     | Constrain roles and principal types | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principal types you select (users, groups, or service principals) |
     | Constrain roles and principals | Allow user to only assign roles you select<br/>Allow user to only assign these roles to principals you select |
+    | Allow all except specific roles | Allow user to assign all roles except the roles you select |
 
 1. In the configure pane, add the required configurations.
 
@@ -135,7 +136,7 @@ If the condition templates don't work for your scenario or if you want more cont
 
     | Attribute | Common operator |
     | --- | --- |
-    | **Role definition ID** | [ForAnyOfAnyValues:GuidEquals](conditions-format.md#foranyofanyvalues) |
+    | **Role definition ID** | [ForAnyOfAnyValues:GuidEquals](conditions-format.md#foranyofanyvalues)<br/>[ForAnyOfAllValues:GuidNotEquals](conditions-format.md#foranyofallvalues) |
     | **Principal ID** | [ForAnyOfAnyValues:GuidEquals](conditions-format.md#foranyofanyvalues) |
     | **Principal type** | [ForAnyOfAnyValues:StringEqualsIgnoreCase](conditions-format.md#foranyofanyvalues) |
 
@@ -176,6 +177,38 @@ If the condition templates don't work for your scenario or if you want more cont
 
     If the delegate attempts to assign a role that is outside the conditions using an API, the role assignment fails with an error. For more information, see [Symptom - Unable to assign a role](./troubleshooting.md#symptom---unable-to-assign-a-role).
 
+## Edit a condition
+
+There are two ways that you can edit a condition. You can use the condition template or you can use the condition editor.
+
+1. In the Azure portal, open **Access control (IAM)** page for the role assignment that has a condition that you want to view, edit, or delete.
+
+1. Select the **Role assignments** tab and find the role assignment.
+
+1. In the **Condition** column, select **View/Edit**.
+
+    If you don't see the **View/Edit** link, be sure you're looking at the same scope as the role assignment.
+
+    :::image type="content" source="./media/shared/condition-role-assignments-list-edit.png" alt-text="Screenshot of role assignment list with View/Edit link for condition." lightbox="./media/shared/condition-role-assignments-list-edit.png":::
+
+    The **Add role assignment condition** page appears. This page will look different depending on whether the condition matches an existing template.
+
+1. If the condition matches an existing template, select **Configure** to edit the condition.
+    
+    :::image type="content" source="./media/shared/condition-templates-edit.png" alt-text="Screenshot of condition templates with matching template enabled." lightbox="./media/shared/condition-templates-edit.png":::
+
+1. If the condition doesn't match an existing template, use the advanced condition editor to edit the condition.
+
+    For example, to edit a condition, scroll down to the build expression section and update the attributes, operator, or values.
+
+    :::image type="content" source="./media/delegate-role-assignments-portal/condition-editor-build-expression.png" alt-text="Screenshot of condition editor that shows options to edit build expression." lightbox="./media/delegate-role-assignments-portal/condition-editor-build-expression.png":::
+
+    To edit the condition directly, select the **Code** editor type and then edit the code for the condition.
+
+    :::image type="content" source="./media/delegate-role-assignments-portal/condition-editor-code.png" alt-text="Screenshot of condition editor that shows Code editor type." lightbox="./media/delegate-role-assignments-portal/condition-editor-code.png":::
+
+1. When finished, click **Save** to update the condition. 
+
 ## Next steps
 
 - [Delegate Azure access management to others](delegate-role-assignments-overview.md)