Merge pull request #293351 from wtnlee/customrole

Customrole

Author: denrea

articles/virtual-wan/roles-permissions.md

@@ -29,36 +29,39 @@ For more information, see [Steps to create a custom role](../role-based-access-c
 To ensure proper functionality, check your custom role permissions to confirm user service principals, and managed identities interacting with Virtual WAN have the necessary permissions.
 To add any missing permissions listed here, see [Update a custom role](../role-based-access-control/custom-roles-portal.md#update-a-custom-role).
 
-The following custom roles are a few example roles you can create in your tenant if you don't want to leverage more generic built-in roles such as Network Contributor or Contributor. 
+The following custom roles are a few example roles you can create in your tenant if you don't want to leverage more generic built-in roles such as Network Contributor or Contributor. You can download and save the sample roles as JSON files and upload the JSON file to Azure portal when creating custom roles in your tenant. Ensure the assignable scopes for the custom roles are set properly for your networking resource subscription(s).
 
 ### Virtual WAN Administrator
 
 The Virtual WAN Administrator role has the ability to perform all operations related to the Virtual Hub, including managing connections to Virtual WAN and configuring routing.
 
 ```
 {
-  "Name": "Virtual WAN Administrator",
-  "IsCustom": true,
-  "Description": "Can perform all operations related to the Virtual WAN, including managing connections to Virtual WAN and configuring routing in each hub.",
-  "Actions": [
-    "Microsoft.Network/virtualWans/*",
-    "Microsoft.Network/virtualHubs/*",
-    "Microsoft.Network/azureFirewalls/read",
-    "Microsoft.Network/networkVirtualAppliances/*/read",
-    "Microsoft.Network/securityPartnerProviders/*/read",
-    "Microsoft.Network/expressRouteGateways/*",
-    "Microsoft.Network/vpnGateways/*",
-    "Microsoft.Network/p2sVpnGateways/*",
-    "Microsoft.Network/virtualNetworks/peer/action"
-
-  ],
-  "NotActions": [],
-  "DataActions": [],
-  "NotDataActions": [],
-  "AssignableScopes": [
-    "/subscriptions/{subscriptionId1}",
-    "/subscriptions/{subscriptionId2}"
-  ]
+    "properties": {
+        "roleName": "Virtual WAN Administrator",
+        "description": "Can perform all operations related to the Virtual WAN, including managing connections to Virtual WAN and configuring routing in each hub.",
+        "assignableScopes": [
+            "/subscriptions/<>"
+        ],
+        "permissions": [
+            {
+                "actions": [
+                    "Microsoft.Network/virtualWans/*",
+                    "Microsoft.Network/virtualHubs/*",
+                    "Microsoft.Network/azureFirewalls/read",
+                    "Microsoft.Network/networkVirtualAppliances/*/read",
+                    "Microsoft.Network/securityPartnerProviders/*/read",
+                    "Microsoft.Network/expressRouteGateways/*",
+                    "Microsoft.Network/vpnGateways/*",
+                    "Microsoft.Network/p2sVpnGateways/*",
+                    "Microsoft.Network/virtualNetworks/peer/action"
+                ],
+                "notActions": [],
+                "dataActions": [],
+                "notDataActions": []
+            }
+        ]
+    }
 }
 ```
 
@@ -68,37 +71,45 @@ The Virtual WAN reader role has the ability to view and monitor all Virtual WAN-
 
 ```
 {
-  "Name": "Virtual WAN Reader",
-  "IsCustom": true,
-  "Description": "Can read and monitor all Virtual WAN resources, but cannot modify Virtual WAN resources.",
-  "Actions": [
-    "Microsoft.Network/virtualWans/*/read",
-    "Microsoft.Network/virtualHubs/*/read",
-    "Microsoft.Network/expressRouteGateways/*/read",
-    "Microsoft.Network/vpnGateways/*/read",
-    "Microsoft.Network/p2sVpnGateways/*/read"
-    "Microsoft.Network/networkVirtualAppliances/*/read
-  ],
-  "NotActions": [],
-  "DataActions": [],
-  "NotDataActions": [],
-  "AssignableScopes": [
-    "/subscriptions/{subscriptionId1}",
-    "/subscriptions/{subscriptionId2}"
-  ]
+    "properties": {
+        "roleName": "Virtual WAN reader",
+        "description": "Can perform all operations related to the Virtual WAN, including managing connections to Virtual WAN and configuring routing in each hub.",
+        "assignableScopes": [
+            "/subscriptions/<>"
+        ],
+        "permissions": [
+            {
+                "actions": [
+                    "Microsoft.Network/virtualWans/*",
+                    "Microsoft.Network/virtualHubs/*",
+                    "Microsoft.Network/azureFirewalls/read",
+                    "Microsoft.Network/networkVirtualAppliances/*/read",
+                    "Microsoft.Network/securityPartnerProviders/*/read",
+                    "Microsoft.Network/expressRouteGateways/*",
+                    "Microsoft.Network/vpnGateways/*",
+                    "Microsoft.Network/p2sVpnGateways/*",
+                    "Microsoft.Network/virtualNetworks/peer/action"
+                ],
+                "notActions": [],
+                "dataActions": [],
+                "notDataActions": []
+            }
+        ]
+    }
 }
 ```
+
 ## Required Permissions
 
 Creating or updating Virtual WAN resources requires you to have the proper permission(s) to create that Virtual WAN resource type. In some scenarios, having permissions to create or update that resource type is sufficient. However, in many scenarios, updating a Virtual WAN resource that has a **reference** to another Azure resource requires you to have permissions over both the created resource **and** any referenced resources.
 
 ### Error Message
 
-A user or service principal must have sufficient permissions to execute an operation on a Virtual WAN resource. If the user does not have sufficient permissions to perform the operation, the operation will fail with an error message similar to the one below.
+A user or service principal must have sufficient permissions to execute an operation on a Virtual WAN resource. If the user doesn't have sufficient permissions to perform the operation, the operation will fail with an error message similar to the one below.
 
 |Error Code| Message|
 |--|--|
-|LinkedAccessCheckFailed| The client with object id 'xxx' does not have authorization to perform action 'xxx' over scope 'zzz resource' or the scope is invalid. For details on the required permissions, please visit 'zzz'. If access was recently granted, please refresh your credentials.|
+|LinkedAccessCheckFailed| The client with object id 'xxx' does not have authorization to perform action 'xxx' over scope 'zzz resource' or the scope is invalid. For details on the required permissions, please visit 'zzz.' If access was recently granted, please refresh your credentials.|
 
 > [!NOTE]
 > A user or service principal may be missing multiple permissions needed to manage a Virtual WAN resource. The returned error message only references one missing permission. As a result, you may see a different  missing permission after you update the permissions assigned to your service principal or user.  
@@ -107,7 +118,7 @@ To fix this error, grant the user or service principal that is managing your Vir
 
 ### Example 1
 
-When a connection is created between a Virtual WAN hub and a spoke Virtual Network, Virtual WAN's control plane creates a Virutal Network peering between the Virtual WAN hub and your spoke Virtual Network. You can also specify the Virtual WAN route tables to which the Virtual Network connection is associating to or propagating to.
+When a connection is created between a Virtual WAN hub and a spoke Virtual Network, Virtual WAN's control plane creates a Virtual Network peering between the Virtual WAN hub and your spoke Virtual Network. You can also specify the Virtual WAN route tables to which the Virtual Network connection is associating to or propagating to.
 
 Therefore, to create a Virtual Network connection to the Virtual WAN hub, you must have the following permissions:
 
@@ -123,17 +134,17 @@ If you want to associate an inbound or out-bound route map is associated with th
 
 To create or modify routing intent, a routing intent resource is created with a reference to the next hop resources specified in the routing intent's routing policy. This means that to create or modify routing intent, you need permissions over any referenced Azure Firewall or Network Virtual Appliance resource(s).
 
-If the next hop for a hub's private routing intent policy is a Network Virtual Appliance  and the next hop for a hub's internet policy is an Azure Firewall, creating or updating a routing intent resource requires the following permisisons.
+If the next hop for a hub's private routing intent policy is a Network Virtual Appliance  and the next hop for a hub's internet policy is an Azure Firewall, creating or updating a routing intent resource requires the following permissions.
 
 * Create routing intent resource. (Microsoft.Network/virtualhubs/routingIntents/write)
 * Reference (read) the Network Virtual Appliance resource (Microsoft.Network/networkVirtualAppliances/read)
 * Reference (read) the Azure Firewall resource (Microsoft.Network/azureFirewalls)
 
-In this example, you do **not** need permissions to read Microsoft.Network/securityPartnerProviders resources because the routing intent configured does not reference a third-party security provider resource.
+In this example, you do **not** need permissions to read Microsoft.Network/securityPartnerProviders resources because the routing intent configured doesn't reference a third-party security provider resource.
 
 ## Additional permissions required due to referenced resources
 
-The following section describes the set of possible permisisons that are needed to create or modify Virtual WAN resources.
+The following section describes the set of possible permissions that are needed to create or modify Virtual WAN resources.
 
 Depending on your Virtual WAN configuration, the user or service principal that is managing your Virtual WAN deployments may need all, a subset or none of the below permissions over referenced resources.