You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: articles/azure-resource-manager/bicep/deployment-stacks.md
+20Lines changed: 20 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -42,6 +42,16 @@ Deployment stacks provide the following benefits:
42
42
-[What-if](./deploy-what-if.md) isn't available in the preview.
43
43
- A management group-scoped stack is restricted from deploying to another management group. It can only deploy to the management group of the stack itself or to a child subscription.
44
44
45
+
## Built-in roles
46
+
47
+
> [!WARNING]
48
+
> Enforcement of the RBAC permission [Microsoft.Resources/deploymentStacks/manageDenySetting/action](/azure/role-based-access-control/permissions/management-and-governance) is rolling out across regions, including Government Clouds.
49
+
50
+
There are two built-in roles for deployment stack:
51
+
52
+
-**Azure Deployment Stack Contributor**: Allows users to manage deployment stacks, but cannot create or delete deny assignments within the deployment stacks.
53
+
-**Azure Deployment Stack Owner**: Allows users to manage deployment stacks, including those with deny assignments.
54
+
45
55
## Create deployment stacks
46
56
47
57
A deployment stack resource can be created at resource group, subscription, or management group scope. The template passed into a deployment stack defines the resources to be created or updated at the target scope specified for the template deployment.
@@ -592,6 +602,16 @@ To delete a managed resource, remove the resource definition from the underlying
592
602
593
603
## Protect managed resources against deletion
594
604
605
+
When creating a deployment stack, it's possible to assign a specific type of permissions to the managed resources, which prevents their deletion by unauthorized security principals. These settings are referred to as deny settings. You want to store the stack at a parent scope.
606
+
607
+
> [!NOTE]
608
+
> The latest release requires specific permissions at the stack scope in order to:
609
+
>
610
+
> - Create or update a deployment stack and set the deny setting to a value other than "None".
611
+
> - Update or delete a deployment stack with an existing deny setting of something other than "None"
612
+
>
613
+
> Use the [built-in roles](#built-in-roles) to grant the permissions.
614
+
595
615
# [PowerShell](#tab/azure-powershell)
596
616
597
617
The Azure PowerShell includes these parameters to customize the deny assignment:
0 commit comments